A risk-focused approach to security control prioritization


I am yet to meet a CISO who has been given unlimited resources to secure the organization, and in almost all cases there is more work that could be done to improve security. So, without infinite time and resources, how do you prioritize the next strategic initiative or project?

The increasing maturity of security control frameworks such as those developed by NIST and CIS provides a good structure for maturing a cyber security programme, mapped to preventing common tactics, techniques and procedures [Mitre]. Both provide a self-assessment framework for working out where you are in terms of maturity compared to industry expectations, and both provide a list of next actions to increase maturity.

The next step is often to start work on improving the overall maturity of the security controls, but the challenge is to decide quickly on prioritization, budget and cost.

How do you allocate a security budget to reduce the probability of a cyber event causing material loss to the business?

Risk quantification is a key piece of the risk management toolkit. By combining the following:

– A map of the digital structure of your company

– Your own assessment of the current…
