In this latest edition of An Insider’s Look At Security and Compliance, hosted by Evan Schuman, Edgile’s Brian Rizman explains that to win board-level budget buy-in, CISOs first need to define the strategic “whys” behind specific risk mitigation initiatives before turning to the more technical, product-oriented “whats” and “hows.” An accurate, dynamic risk register is critical: it ties back to risk mandates and helps guide the “why” when lobbying for security funding.
Key Points
- Keeping an accurate and updated risk register can help justify security budget requests.
- An outdated or inaccurate risk register can give senior management a reason to cut security spending, because the true risks aren’t apparent.
- Edgile’s iGRC content library subscription service brings laws, regulations and risk frameworks into a common reporting and measuring mechanism that’s understandable and functional across the enterprise.
- iGRC is a relatively small investment, considering that it lays the risk register foundation that drives security development and deployment.
- CISOs need to be part of the conversations around how planned organizational changes may affect future risks.
- As CISOs get more board level air time, they need to employ business-focused language that ties back to business value so management can support proper security funding.
- Don’t wait for a big breach before taking strategic actions that identify critical risks.