Tag Archives | risk


How much should you spend on security?

I regularly get asked by new CISOs for information – benchmarks – on how much organizations like theirs should spend on security. That’s a deceptively simple question, and while there are plenty of surveys that you can reference, none of them provide more than a rough starting point – there are just too many variables.


Business stakeholders need the full story

There’s a lot of talk about aligning security programs with business or functional goals, but in practice that’s much easier “powerpointed” than done. The business consequences of security decisions, and the security consequences of business decisions in the broader context, are all too often missed or ignored, sometimes even deliberately. As Obi-Wan said to Luke, “What I […]


Adopting an industrial mindset: Cyber Safety

We’ve always said that there are two kinds of organizations: those that have been hacked, and those that don’t know they’ve been hacked. Yet security teams are still having problems getting resources and attention from our business stakeholders, particularly in industrial companies that consider IT and technology a back-office problem. Over my career I’ve worked [...]