Wednesday 14 December 2011

Risk, Cost, and Information Resource Ownership

CISOs need to speak Managementish in order to be understood. If we cannot translate Risk into Dollars, we're out.

For all practical purposes, when we argue we must assume that Risk = present value of future Damage. This implies a thought model: Max(Information Security) = Min(% + $), where % = Risk and $ = Mitigation (the present value of risk-mitigating investments, including operating costs). That is what our work is all about. What if a little extra Security gives a huge payback? Well, that happens, because Security is built through Investment. As I just wrote.
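The thought model above can be carried through as a small calculation. The following is an added example (not part of the original post) that compares a few mitigation options by the sum of "%" (present value of expected future Damage) and "$" (present value of the mitigating investment plus its operating costs) over a planning horizon, and picks the option with the smallest sum. The option names, amounts, discount rate and horizon are constructed for illustration; the annuity formula is the standard one for a level yearly amount.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Option:
    """One candidate level of mitigation for a given information resource."""
    name: str
    upfront_cost: float             # one-off investment in year 0 (part of "$")
    annual_opex: float              # recurring operating cost (part of "$")
    annual_expected_damage: float   # residual expected loss per year (drives "%")


def present_value(annual_amount: float, rate: float, years: int) -> float:
    """Present value of a level amount paid at the end of each year (annuity)."""
    if years <= 0:
        return 0.0
    if rate == 0:
        return annual_amount * years
    return annual_amount * (1 - (1 + rate) ** -years) / rate


def total_cost(opt: Option, rate: float, years: int) -> tuple[float, float, float]:
    """Return (risk, mitigation, risk + mitigation) in present-value terms.

    risk       = "%"  = PV of expected future damage under this option
    mitigation = "$"  = upfront investment + PV of its operating costs
    """
    risk = present_value(opt.annual_expected_damage, rate, years)
    mitigation = opt.upfront_cost + present_value(opt.annual_opex, rate, years)
    return risk, mitigation, risk + mitigation


def best_option(options: list[Option], rate: float, years: int) -> Option:
    """Max(Information Security) = Min(% + $): pick the option with the lowest sum."""
    return min(options, key=lambda o: total_cost(o, rate, years)[2])


# Constructed sample data: three ways of treating the same information resource.
OPTIONS = [
    Option("do-nothing",  upfront_cost=0,       annual_opex=0,      annual_expected_damage=100_000),
    Option("basic",       upfront_cost=50_000,  annual_opex=10_000, annual_expected_damage=40_000),
    Option("gold-plated", upfront_cost=300_000, annual_opex=60_000, annual_expected_damage=10_000),
]
DISCOUNT_RATE = 0.05   # assumed cost of capital
HORIZON_YEARS = 5      # assumed planning horizon


if __name__ == "__main__":
    print(f"{'option':<12}{'% (risk)':>14}{'$ (mitigation)':>16}{'% + $':>14}")
    for opt in OPTIONS:
        risk, mitigation, total = total_cost(opt, DISCOUNT_RATE, HORIZON_YEARS)
        print(f"{opt.name:<12}{risk:>14,.0f}{mitigation:>16,.0f}{total:>14,.0f}")
    print("best:", best_option(OPTIONS, DISCOUNT_RATE, HORIZON_YEARS).name)
```

With these constructed numbers the "basic" option wins: "do-nothing" carries too much risk, and "gold-plated" spends more on mitigation than the damage it avoids is worth. Swapping the residual-damage figures changes the answer, which is the point: the Information Resource Owner, who can see both the damage and the mitigation numbers for the resource, is the one positioned to run this comparison.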

Who decides about the road to Max(Information Security)? Not the CISO. The Information Resource Owner does. So go persuade him/her! But who is it in your organization? Is there such a box in the org-chart? No, not often.

There is a "lowest organizational level" for Information Resource Ownership where Accountability is found, and that is just far enough from Management that you still have the Ability to manage both the Risk and the relevant Mitigation connected with specific information resources. On and above that level, too little Risk Awareness hurts your wallet severely. Funnily enough, this does not apply to the CISO – his/her wallet is too small to really get hurt…

The CISO needs open channels to the real Information Resource Owners. This is necessary, but not sufficient, for achieving your Information Security Objectives.
