Have you identified any best practices for communicating the value of a heightened security function?
I'm not sure if this is best practice, but making people aware of the likely impact (both legal and financial) of breaches and their personal responsibility often helps!
My best practice for communicating the value of a heightened security function is highlighting the risk if such a security function/control doesn't work/operate as designed. The value can easily be reflected as the risk incurred minus the cost we pay for a preventive measure.
In my opinion, best practices for communicating the value of a heightened security function consist of many different activities.
1) Prepare a risk register and quantify risks and response plans. Typically cybersecurity threats will have very high values, so you need to act to reduce probability or impact. With heightened security functions you typically lower both the probability and the impact of such an attack.
2) Use metrics when talking about the root causes of successful attacks - for example, most attacks typically start with phishing e-mails or users opening malicious URL links. Use advanced mechanisms for protecting your e-mail, or use URL filtering and other protection mechanisms to ensure endpoint security.
3) Use metrics for the impact of successful cybersecurity attacks on companies - average monetary loss, reduced reputation, maybe even bankruptcy. With heightened security you can minimize the probability that this happens to your company.
4) Increase end users' awareness of the importance of information/cybersecurity; educate and train them. People are one of the most important pillars of good and successful cybersecurity protection.
This is not an easy task. I suggest a few steps.
First, agree on what is important to your business: integrity, compliance, availability, etc.
Then try to estimate the value/cost in case one of these factors is compromised.
Demonstrate how ICT security or ICT controls can contribute to minimizing the risk. Do not forget to highlight the role of other functions like compliance, finance, etc. in this process.
Highlight what needs urgent attention and why.
Highlight the calculated risk we are taking and some potential shortfalls that currently exist. This is being transparent with the business.
Yes, we train our employees on the well-architected framework of a shared security responsibility model. We focus on IT security governance on all layers of the solution, including application, data, integration and network.