My last post Forget ROI and Risk. Consider Competitive Advantage seems to be attracting some good comments. I thought it might be useful to mention a variety of ways to justify a security program. I don't intend for readers to use all of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se, or to even agree. However, you may find a handful that might have traction in your environment.
- Crisis. Something bad happens. Although this is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 worst way to justify a program, it is often very effective.
- Compliance. An external force compels a security program. This is also not a great way to justify a program, because resources are often misallocated.
- Competitiveness. Please see my previous blog post.
- Comparison. If your company security team is 10% cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 size of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 average peer organization size, it's not going to look good when you have a breach and have to justify your decisions.
- Cost. It's likely that breaches are more expensive than defensive measures, but this can be difficult to capture.
- Customers. It seems rare to find customers abandoning a company after a breach. People still shop at TJX brands. Still, you may find traction here. Compliance is supposed to protect customers but it often is insufficient.
- Constituents. I use this term to apply to internal parties. Large companies often provide services to ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r business units.
- Controllership. Is your organization well-governed? Can it account for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 state of its systems for auditors and so forth?
- Conservation. This is a play on "green IT." What has a lower carbon footprint: 1) flying consultants all over cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 world to handle incidents, or handling cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m remotely by moving data, not people?
- Consolidation or Centralization. These cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365mes are likely to enable specialization, more effective internal resource allocation, and improve defenses.
- Confidence. Confidence applies to all parties involved. Can you trust your data?
- Counting. This is a plug for metrics.
- [Securities and Exchange] Commission. This is a play on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 10k- forms shareholders receive in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 mail. Please see cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 linked post for more details.
4 comments:
wrt customers - focus on customers is bigger than just consumer credit cards (TJX). For one example, I am guessing cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 small businesses that Krebs has been reporting as losing 5 and 6 figures will be seeking ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r places to store and process cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir funds.
Cover [Your Ass]: This is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 only reason government and very large entities ("Too big to fail/punish")implement security. As a security consultant I've dealt with a few large (for my country) government entities and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y don't care about security - protecting citizens' and corporations' data. They care if cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y will loose cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir jobs or how much screaming cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 governing minister will exert at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m.
If I can convince that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 brown-matter storm will be big enough, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y might spend some on security.
Chance: Understand and manage cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 risk to your organsation.
It's a lot easier to justify KEEPING security than justifying starting it or expanding it.
These are good points, but I've seen cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m fail to work ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r than in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 KEEPING realm.
I remember one company, where after I cleaned up a breach and recommended a myriad of changes (again), cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 executives wiped cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir brow and said, "Boy, were we lucky cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y didn't get cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 credit cards."
And nothing changed.
Post a Comment