The time has come for IT leaders to shift their focus to next year's budget. Information security will play a major role in the growth of any company that wants to stay competitive, but the security leader's position is a difficult one. Having to juggle a limited pool of professionals in the field, tighter timelines, and a broader scope of activities will create complications for the field moving forward. In an article for InformationWeek, Andrew Horne gives three tips for making better security investments:
- Stay focused on the right risks.
- Develop a more systematic decision framework, but don’t overthink it.
- Give stakeholders predictable opportunities for input.
Security Tips for Success
Homing in on the right risks is pivotal to making smart security investments. Instead of focusing only on reducing risk, information security should act strategically to protect the vital areas of the company, such as by ensuring the right governance models are in place. When planning investments, make sure they are aligned with the company's strategic goals by bringing in senior IT and business leaders to provide context. Come up with several different objectives for the next year and rank them into a portfolio. This portfolio can then be used to channel resources into the areas that are higher priority than others.
The second tip is to create a more systematic decision framework. Some practitioners go overboard when trying to reduce subjectivity and end up reducing every investment decision to its dollar value alone. This type of approach seldom works out, though. Horne offers a two-step alternative, one that allows fast action on obvious gold-mine investments while reserving more deliberate analysis for the rest:
- Step 1: Use 3-4 business-centric criteria (e.g., strategic alignment, total cost, urgency) to triage new investment proposals into high-, medium-, and low-value categories. High-value proposals can be included in the portfolio without additional review, while low-value proposals can be set aside.
- Step 2: Reserve a more comprehensive review for medium-value proposals. Evaluate these projects along 12-15 cost, benefit, and risk criteria, relying on scaled qualitative scoring wherever possible.
Finally, there should be multiple formal points at which stakeholders can give feedback. Working with these stakeholders at predictable intervals will not only help define the security portfolio, but will also increase their investment in the process as a whole.
You can view the original article here: https://www.informationweek.com/strategic-cio/3-tips-for-making-better-investments-in-security/a/d-id/1329880