One of the more difficult questions a CISO has to answer is: “Based on my current maturity and business / technology factors, what do I spend on to get the best balance of capability to predict, prevent, detect and respond to threats?”
Security teams have a lots of controls to chose from that can manage risk and mitigate impacts the business cares about – and there are several useful frameworks that offer menus of controls and capabilities. However, teams rarely have the situational awareness they need to know what control will deliver the best value for money. Specifically, teams struggle to understand what their digital environment looks like and what the operational status of baseline controls is. This makes the decision about ‘where to invest next’ really hard.
