Make Sure We Never Get Hacked (How not to measure a CISO's job performance)

An innocent approach to measuring the performance of the security job function would be to measure the number or magnitude of security incidents. But the closer you look at the problem space, the more it becomes clear this does not make sense.

Security risk is business risk, and the decision to accept risk or do something about that risk is a business decision. Business decisions that involve trade-offs of accepting risk or authorizing budgetary spend are decisions for the CEO and Board of Directors.

The SEC codifies this sensible logic in new regulatory guidance for listed companies.

Why does this make sense? And what is a CISO responsible for anyway, if not to “build a wall to keep the hackers out”?

Well, first of all you could spend all the money in the known universe and never get to perfect security. In fact, we aren’t trying to reach perfection. We’re trying to live in the real world and make pragmatic decisions that are good for business.

That means there is always a sliding scale between risk acceptance and security budget.

Your CISO is responsible, and should be held responsible, for identifying risk, for making good recommendations for managing risk, and then executing to meet the risk tolerance of the business within the given budget of time and money.

Let's take a couple of hypothetical case study scenarios to walk through the nuance here.

Read More: https://ninja.cybercybercybercyber.ninja/p/make-sure-we-never-get-hacked