Senin, 22 Maret 2010

Ways to Justify Security Programs: 13 Cs

My last post Forget ROI and Risk. Consider Competitive Advantage seems to be attracting some good comments. I thought it might be useful to mention a variety of ways to justify a security program.

I don't intend for readers to use all of these, or to even agree. However, you may find a handful that might have traction in your environment.


  1. Crisis. Something bad happens. Although this is the worst way to justify a program, it is often very effective.

  2. Compliance. An external force compels a security program. This is also not a great way to justify a program, because resources are often misallocated.

  3. Competitiveness. Please see my previous blog post.

  4. Comparison. If your company security team is 10% the size of the average peer organization size, it's not going to look good when you have a breach and have to justify your decisions.

  5. Cost. It's likely that breaches are more expensive than defensive measures, but this can be difficult to capture.

  6. Customers. It seems rare to find customers abandoning a company after a breach. People still shop at TJX brands. Still, you may find traction here. Compliance is supposed to protect customers but it often is insufficient.

  7. Constituents. I use this term to apply to internal parties. Large companies often provide services to other business units.

  8. Controllership. Is your organization well-governed? Can it account for the state of its systems for auditors and so forth?

  9. Conservation. This is a play on "green IT." What has a lower carbon footprint: 1) flying consultants all over the world to handle incidents, or handling them remotely by moving data, not people?

  10. Consolidation or Centralization. These themes are likely to enable specialization, more effective internal resource allocation, and improve defenses.

  11. Confidence. Confidence applies to all parties involved. Can you trust your data?

  12. Counting. This is a plug for metrics.

  13. [Securities and Exchange] Commission. This is a play on the 10k- forms shareholders receive in the mail. Please see the linked post for more details.

0 komentar:

Posting Komentar