Slide 4: Formalize mandatory vs. discretionary spend
- Work we could do: Risk-Based Decisions to Achieve Business Goals
- Work we should do: "Legally Defensible" Security
- Work we must do: Manage Compliant-Ready Services
Slide 5: Two questions
- Are we as efficient as possible?
- Are we operating at acceptable risk?
Slide 6: Identify & Prioritize Assets
- Leverage the Business Continuity Team: Business Process Recovery & Ownership
- A good GRC platform scenario
- Add Regulated Data Classification
- Assessment Frequency
Slide 7: Prioritize Risks
- Threat Based vs. Control Based: Construct a Top-Down Story; Evidence Driven; Define Formal Decision Roles
- Impact Ranges: Calibrate Monetary Impact with Owners
- Likelihood Ranges: Use Evidence for Occurrence Rates
- Use Culture to Select Model; Strive for Consistency

Slide 8: Prioritize Risks (alt.) - same content as slide 7
Slide 9: Spend or Owner Accepts Risk
- Prioritize by Business Value: Risk Priority, IT Capability, Business Support, Political Reality, Cost
- Document Decision for Posterity
- Efficiency Gain: Save $110K
- Mandatory vs. Discretionary
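Slides 7 and 9 together describe a small quantitative method: likelihood ranges from occurrence evidence, monetary impact ranges calibrated with owners, a ranking, and a recorded spend-or-accept decision. The following is an added example, not part of the slide deck or its author's material, that carries that method through in Python. The midpoint expected-annual-loss (EAL) model, the "spend when avoided loss exceeds annual control cost" rule, and every risk, cost and owner in the register are constructed assumptions; the deck itself leaves model choice to culture ("Use Culture to Select Model").

```python
"""Ranged risk prioritization and a documented spend-or-accept decision.

Added illustration (not from the slide deck). The EAL model and the spend rule
are assumptions; the register and control proposals are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: tuple  # (low, high) occurrences per year, from occurrence evidence
    impact: tuple      # (low, high) dollars per occurrence, calibrated with the owner
    mandatory: bool = False  # regulatory or contractual: "work we must do"


def expected_annual_loss(risk):
    """Return (low, mid, high) EAL in dollars; mid multiplies the range midpoints."""
    l_lo, l_hi = risk.likelihood
    i_lo, i_hi = risk.impact
    low = l_lo * i_lo
    high = l_hi * i_hi
    mid = ((l_lo + l_hi) / 2) * ((i_lo + i_hi) / 2)
    return low, mid, high


def prioritize(risks):
    """Mandatory items first, then descending midpoint EAL (assumed ordering)."""
    return sorted(risks, key=lambda r: (not r.mandatory, -expected_annual_loss(r)[1]))


def decide(risk, annual_control_cost, reduction_fraction, owner):
    """Produce the decision record that is kept for posterity.

    Assumed rule: spend when the loss the control avoids (mid EAL * reduction)
    exceeds its annual cost; mandatory risks are funded regardless. Otherwise the
    named owner accepts the residual risk.
    """
    low, mid, high = expected_annual_loss(risk)
    avoided = mid * reduction_fraction
    if risk.mandatory:
        decision = "spend"
        rationale = "mandatory: compliance obligation, acceptance is not an option"
    elif avoided > annual_control_cost:
        decision = "spend"
        rationale = (f"avoided ${avoided:,.0f}/yr exceeds control cost "
                     f"${annual_control_cost:,.0f}/yr")
    else:
        decision = "accept"
        rationale = (f"avoided ${avoided:,.0f}/yr does not justify "
                     f"${annual_control_cost:,.0f}/yr; owner {owner} accepts")
    return {
        "risk": risk.name,
        "eal_range": (low, high),
        "eal_mid": mid,
        "control_cost": annual_control_cost,
        "avoided_loss": avoided,
        "decision": decision,
        "owner": owner,
        "rationale": rationale,
    }


# Constructed sample register: values are illustrative, not measured.
REGISTER = [
    Risk("Unpatched internet-facing servers", (0.2, 0.6), (50_000, 250_000)),
    Risk("Cardholder data retained past policy", (0.1, 0.3), (100_000, 500_000),
         mandatory=True),
    Risk("Lost unencrypted laptop", (1.0, 3.0), (5_000, 15_000)),
]

# Constructed control proposals: (annual cost, fraction of loss removed, owner)
PROPOSALS = {
    "Unpatched internet-facing servers": (25_000, 0.7, "Infrastructure"),
    "Cardholder data retained past policy": (40_000, 0.9, "Payments"),
    "Lost unencrypted laptop": (30_000, 0.9, "End-User Computing"),
}


def run_register():
    """Rank the register and return one decision record per risk, in priority order."""
    return [decide(r, *PROPOSALS[r.name]) for r in prioritize(REGISTER)]


if __name__ == "__main__":
    for rec in run_register():
        lo, hi = rec["eal_range"]
        print(f"{rec['risk']}: EAL ${lo:,.0f}-${hi:,.0f} (mid ${rec['eal_mid']:,.0f})"
              f" -> {rec['decision']}: {rec['rationale']}")
```

The record returned by `decide` is the artifact the slide calls "Document Decision for Posterity": it keeps the range, the cost, the rule applied and the owner who accepted, so the reasoning can be audited when the estimates are revisited.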
Slide 12: Define Services & Align Demand
- What is 100% of Security Services? The foundation for managing tradeoffs
- Business As Usual, Short Term Efforts, Long Term Projects
- Set Maturity Expectations: Actual vs. Target
- Mandatory vs. Discretionary
Slide 13: Service Metrics & SLAs
- Transparency Will Set You Free
- Start Small: % Role Definitions, % Project Performance, % Business Risk Assessments
Slide 14: In vs. Out Source
- Define Internal Process Flow Before Outsourcing
- Require Metrics in Contract
- Accountability Through Visibility
- Image attribution: http://www.hotsocialbuzz.com/wp-content/uploads/2010/09/outsource-cartoon.jpg
Slide 15: Take Action
- Determine if your Leadership is Ready
- Start small: Quick Wins
- Enjoy your career like never before!
- Start, Advance, Share