Tuesday, December 29, 2020

IT security risk management

You will have to rely on expert opinion to estimate the cost of a risk and the level of risk reduction. However, this does not mean you need to just guess. There is a two-pronged approach to avoiding guesses:
Learn from inside. Learn from your business risk management process, and try to be consistent with it. You’ll need to establish a connection with the C-suite in order to do this, and you’ll need their input on the estimated losses.
Learn from the outside. See if there is a relevant CISO group or forum you can join to learn from the experience of other companies. Another good source is industry research, such as the “Cost of Data Breach Report” by the Ponemon Institute, sponsored by IBM.

Don’t overcomplicate this — agree on an approach and use it consistently. After a few quarters, you will be able to see (and prove) trends and be able to adjust if needed.

As with other aspects of ROI, communication is crucial here. You have to build connections and stay in touch with the executive team and business unit leaders. That way, you will have a chance to make security a part of each new project discussion — and an inseparable part of the implementation plan — from the very beginning.

Since you’re not the owner of a new business project, you cannot estimate the size of the returns on the opportunity overall. However, you don’t have to. I recommend referring to these new initiatives in your ROI conversations, but without trying to provide specific numbers.

