Four Steps to Using Metrics to Defend Your Security Budget


By Diana-Lynn Contesti (Chief Architect, CISSP-ISSAP, ISSMP, CSSLP, SSCP), and Richard Nealon (Senior Security Consultant, CISSP-ISSMP, SSCP, SABSA SCF)


Ever find yourself in a struggle to defend your security budget or to introduce a change? This guide is a baseline to help you present the risk your organization faces.


We (CISOs) believe in regularly notifying management about the risk health of an organization, and we know the best time to approach management for funding is directly after a security breach. However, none of us want that to happen, so we find ourselves struggling to defend the current security budget when trying to implement a change. It is worthwhile looking at the other side of the coin here – we should not only focus on risk but also be conscious of enabling opportunities. Metrics can also help us measure our ability to enable and pivot (e.g., some organizations already had secure remote working in place ahead of the pandemic; others could easily divest parts of the business because good network segregation was already in place).


As CISOs dealing with risk, we typically use metrics to supply information detailing how the company’s revenue and value are protected. This information is important to ensure that management is aware not only that they are covered, but also of the dire impacts they could be facing as an organization. Author’s note: The latter must be done in a way that does not appear to be scare tactics, or it will not be taken seriously.


Using metrics to s ..
