Understanding Business Priorities is Key
- Only after the CISO has established priorities will he or she be able to assess what technologies and processes are in place and if they are doing what needs to be done.
- Executives need to understand the amount of risk they expose the business to by not applying security controls and not implementing a structured security system.
- Regardless of how you spin security expenditures or how you show they enable business activity, risk reduction is how senior management measures the return on their security investment.
Genady Vishnevetsky, chief information security officer for a global real-estate insurance company, says that any CISO stepping into an overwhelmed security operation needs to take immediate steps to identify gaps and establish priorities. Only then will he or she be in a position to sell a security program to senior management.