In a previous blog, we discussed Commander’s Intent for CEOs and introduced 10 questions CEOs should be asking their teams.
In this blog series, I am going to take a deeper dive into each question and break them down one at a time. We will discuss why CEOs should care about each question and the type of answers teams should be providing.
The first question was covered in last week's blog.
The second question we’ll tackle is: “What percentage of the budget is security? Are we funded and staffed correctly? What’s the budget growth or decrease year over year?”
Asking this question should allow you to understand whether or not your information security spend is commensurate with your organization's risk. It should also tell you how much security is costing your organization and whether or not you are continuing to invest in it.
From your perspective you don't need to know WHAT technology you are buying to manage risk (e.g. Carbon Black or McAfee); what matters is whether you are investing in the RIGHT capabilities and controls to achieve an acceptable risk level.
Remember that each organization's risk acceptance level will vary based on a number of factors. Program funding goes wrong when we buy controls for threats that may or may not be real from your organization's perspective, and when we invest in technologies that don't actually provide risk mitigation value.
Remember from your perspective the technology doesn’t matter. What does matter is whether or not you are staffed appropriately and whether or not you are investing in the RIGHT capabilities to achieve the goals of the program.
This conversation will allow you to understand where the people gaps in the program are and give you a basis for growing or maintaining the size of the team. It will also allow you to understand whether or not you are investing in the people in your organization to keep them educated and up to date in the changing risk landscape. It is not enough to just have people. They must continue to grow their skills to help you achieve the Commander's Intent you originally set forth in the beginning.
The final part of the equation is to understand how the security program relates to the business. If the business is growing, as a general rule so should your investment in security. The larger you are, the bigger a target you become. The security program should change and grow over time as the business does. Conversely, sometimes business goals are not achieved. Organizations shrink or change missions. Having this conversation on a regular basis will ensure your funding is RIGHT sized for the cycle your organization is in.
Security is not free. It will take an investment. That investment should be managed to ensure you are spending the RIGHT amount on security at the RIGHT time to achieve the goals. Doing this on a regular basis will also help you speak to your board members when the questions come…and they will be coming if they haven’t already.