Showing posts with label Capture the Flag.

Sunday, May 15, 2016

2016-019-Creating proper business cases and justifications


Procurement is a process. Often a long, drawn-out, tedious process, but it is necessary to ensure that the hardware and software you buy are going to work in your organization.
We go over what is necessary to make your procurement as smooth as possible. Some of the topics we discuss include:
1. Aligning business goals and operational goals
2. How to discuss ROI with management
3. Getting actionable information for business requirements from affected parties
4. Steering yourself away from confirmation bias or optimism bias, and ensuring you're thinking critically when comparing the current status quo vs. a new solution
5. Information you might want to gather from potential vendors to make a more informed decision as to whether their product is the one you want
And finally, we discuss how to handle the dreaded vendor demos. There may be a number of them, but they are arguably the best way of knowing whether the software or hardware is going to work for you.
This is a topic that affects everyone, whether you are a manager or a user of the technology involved.
We also like to remind people that our DerbyCon CTF and raffle are still going on. There is plenty of time to get involved if you want a chance to get a ticket to Derbycon 2016!
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-019-business_cases_and_justifications-final.mp3
Itunes:

Links referred to in the show:

http://www.ask.com/business-finance/business-justification-example-cdebe6f929949e8c
http://www.iso20022.org/documents/BJ/BJ044/ISO20022BJ_ATICA_v4_with_comments.pdf
http://klariti.com/business-case-2/business-case-justify-business-need/
https://en.wikipedia.org/wiki/Business_case
https://en.wikipedia.org/wiki/Optimism_bias
http://www.ehow.com/how_6672801_write-business-justification.html

Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast
RSS FEED: http://www.brakeingsecurity.com/rss
#Twitter: @brakesec @boettcherpwned @bryanbrake
#Facebook: https://www.facebook.com/BrakeingDownSec/
#Tumblr: http://brakeingdownsecurity.tumblr.com/
Player.FM : https://player.fm/series/brakeing-down-security-podcast
#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

Here is a new episode of Brakeing Down Security Podcast!

Sunday, February 9, 2014

Episode 5: Interview with Frank Kim

Man, it was a great week. If you ever have the chance to go to a SANS course, do it, and do it often. It may be expensive, but the networking opportunities are great, and the instructors are just good people.

During the "Capture the Flag", which I will not give out information about (so don't ask), I felt utterly useless. I had done all that I felt I could do, but it's amazing that you can take experiences from your own work and apply them to issues. Once we'd gotten in, I remembered something about a security issue at our office, and in doing so, I found a flag! I went from thinking I was a failure to being a hero of our team. What we didn't know was that another team had found all the flags, but because of a configuration issue on their browser, they missed a flag they'd discovered. If they'd not done that, they would have won.

But because of that mistake, our team capitalized on the CTF, and won first place!

Mr. Boettcher and I had a blast over the week, networking with various people and instructors, meeting tons of great people, hearing Robert 'RSnake' Hansen speak at the SANS Summit, and just getting some really excellent training on tools like Burp, SamuraiWTF, Sqlmap, and others.

We also got several interviews in the can. Episode 5 is with Frank Kim, an instructor with SANS, who was teaching the Secure Java coding class. We got him to sit down with us and discuss some of the issues dealing with the culture of secure coding.

Have a listen: Frank Kim Interview