A simple framework for talking to leadership about a cybersecurity program, particularly for an inbound security leader looking to level-set:

  1. Calibrate (ideally visually) to the state of the program today: the existing level of investment, the key controls and functions in place, etc.
  2. Highlight the prevailing risks, with your best estimate of the cost to the organization if each is realized.
  3. Propose changes: the investments you want to make to address the risks in #2, leading to . . .
  4. Provide a projected future state of the program: What would the program look like if the investments from #3 are made? How would the prevailing risks from #2 change?

It’s oversimplified, and that’s intentional. You can add depth or show your work in any area where the data is available. But for a lot of organizations, even this is a substantial amount of work and an acceptable level of rigor.
