Thursday, January 7, 2021

The challenges of ROI in IT security

Over the last few months, I’ve had a number of conversations about the need to justify security spending. This year has been tough for a lot of organizations, so IT budgets are generally not growing. Plus, the money already allocated often had to be re-prioritized to meet changing business needs. At the same time, executives and board members become painfully aware of today’s cyber risks and the cost of not paying attention. They expect the IT team and IT security leaders to provide solid data points that enable the most effective security investment decisions.

That’s where many companies I talk to run into an unexpected roadblock. For decades, IT (and IT security) has been treated as a purely technical discipline, and top technical professionals were promoted into IT leadership positions. They can walk you through any sophisticated technology question, but not all of them speak the “business” language. This makes it tough for both sides of the conversation to come to productive decisions.

Another challenge for many IT leaders is a lack of factual data to rely on. In technology, you work with facts, and you have precise and defensible measurements. For example, you can report on the number of incidents over a given period of time, or the time needed to patch a vulnerable server. But how do you show the expected return on a security investment without stepping into the realm of assumptions and probabilities? This pushes a lot of IT pros, myself included, out of their comfort zone.

