A simple framework for talking to leadership about cybersecurity
A simple framework for talking to leadership about a cybersecurity program, particularly for an inbound security leader looking to level-set:
1. Calibrate (ideally visually) on the state of the program today: the existing level of investment, key controls and functions, and so on.
2. Highlight the prevailing risks, with your best estimate of the cost of each one if it is realized.
3. Propose changes: the investments you want to make to address the risks in #2, leading to . . .
4. Provide a projected future state of the program: what would the program look like if the investments from #3 are made, and how would the prevailing risks change?
It’s oversimplified, and that’s intentional. You can add depth or show your work in any area where that is attainable. But for a lot of organizations, this is still a lot of work, and it is an acceptable level of rigor.