
Wednesday, December 8, 2010

On ROSI (Return on Security Investment)

One way to look at it is to calculate the actual cost of the people, platforms and services engaged full time on, or specifically for, security-related projects, and compare it against the legal, financial, operational and reputational costs that the spending is meant to avert. But that is a myopic exercise, done from a perspective of weakness and insecurity, and there is never going to be a sure-fire way of accurately computing legal and reputational costs: the loss figures on that side of the comparison are always estimates.

A quasi-quantitative way is to take the following approach:
1. Identify, in consultation with management/the business, everything that needs protection, and document the items under groups: services, operations, systems, facilities, people and any other.
2. For each item, document the business function/user who concurs that the protection is necessary.
3. Assess the security risks to each item and arrive at the ideal/most cost-effective means of providing protection.
4. Discern which of those means have already been deployed as part of the initial architecture/design.
5. Prepare a phased road map for deploying the remaining means, and quantify their cost.
6. Take a sign-off from the user function(s) on whether they would rather bear the documented costs or accept the documented security risks.
7. If they would rather bear the cost, the benefit they derive from the security deployment can then be taken as the return on the security investment cost calculated in point 5. Note that this return is only as good as the risk assessment in point 3: the sign-off should record the risk scenarios and the loss each represents to the business function, not merely a yes or no, otherwise the "return" is an unexamined preference rather than a valuation.

Another approach, when the CISO has strong management buy-in:
1. The very fact that a CISO has been hired shows there is an existing business need for security/protection; the investment itself is already justified, and the question becomes one of how well it is used.
2. What we do with what we have: just having security systems and processes does not ensure security. They have to be designed, configured, operated and reviewed efficiently and intelligently, according to the organisation's operating environment and business needs. Common examples are gaps in access control systems, vulnerability assessment platforms, SIEMs, and patching and AV infrastructure that are in place but not configured, operated or reviewed as they should be.
3. How we do what we do: the approach should be business oriented, done as the business wants it and because it will facilitate/enable the business, not because the CISO wants it or because it is a security best practice. The CISO's advice and security best practices are important, but they have to be aligned to the business requirement, not vice versa.
