Applying the 80-20 Rule to Cybersecurity

How security teams can achieve 80% of the benefit for 20% of the work.

Information risk has multiple components. With too many threats to assess individually, too many vulnerabilities to patch all at once, and many choices among controls, where should security leaders start? What's the priority? As I worked on my book, Rational Cybersecurity for Business, I became fascinated with this question: How can we find a way to gain 80% of the benefits for 20% of the work? Named after Italian economist Vilfredo Pareto, the "Pareto Principle" asserts that for many events, roughly 80% of the effects come from 20% of the causes.


Can we identify a Cybersecurity Pareto Principle? We can if security teams concentrate on these six priorities:


Principle 1: Develop and Govern a Healthy Security Culture

According to Mike Gentile — president and CEO at CISOSHARE and someone who has worked as a chief information security officer for many years — a lot has changed in the security space by 2020, but two things remain the same:

1. Senior executives don't prioritize cybersecurity enough for security programs to be fully effective.
2. The reason for point No. 1 is not that executives don't care — they do, and they don't want their name in the headlines after a breach — but that they lack a clear definition of security.
Each organization's unique definition of security should be set forth in a security charter document, which prescribes a mission and mandate for the security program as well as governance structures and clarified roles or responsibilities. More specifically, the charter defines how and where the security organization reports and answers questions such as: Should the business have a CISO, and should the position report to IT or to the C ..
