Using data to enhance your enterprise cyber hygiene
In the good ’ol days of being a CISO, things were straightforward and it was pretty easy to do what it took to be successful. I would prepare a budget for the upcoming year from a list of essential and value-added projects, which my security and risk team supported. Then we would sell the budget request through the normal approach: fear, uncertainty and doubt. Quite simply, if anyone questioned our request, we would state that if we didn’t do the project we might get hacked, and we would fear losing our jobs. With the budget in hand, we would set off and get a lot done over the course of the year. Then, at year end, we would produce a PowerPoint with all the great things we had accomplished.
However, something then changed in my simple world. My Board of Directors and the C-suite began asking: “What is the ROI on each security investment?” and “How does each project reduce the risk to our organisation?” They then started asking for monthly updates on our progress in reducing those risks.
This was the beginning of how I, as a CISO and IT Risk Officer, began to think about security in a very different way. I was now being evaluated on how well I could reduce the IT risk arising from security, measure that reduction and sustain it.