Make sure you are fully embedded in the corporate governance of the organization so that security is treated as a first-class business risk. This can be as simple as making sure you are integrated with the various organizational risk committees, policy approval processes and so on. In doing this integration it is important to map which part of your risk taxonomy is covered by which process. If there is overlap, as there often is, make sure that it is intentional and explained in the right way. If there are independent issue tracking systems in each of these governance processes, then link your issues into those tracking processes. The next value you can bring is clearly to drive less duplication, more convergence and a consolidation of approval and issue tracking processes.
I find his argument convincing. Security should be part of the design process; ideally right before the software is given for coding. Unless there is a security-first architecture, it won’t succeed. There’s no apparent ROI on data security if there is no data breach. However, ticking the boxes for a self-styled audit has no meaning if the administrators are not made cognisant of the challenges of securing it at rest, in transit and for backups.
Data security isn’t an IT problem. It is an institutional problem. I am sure I’d gladden the hearts of many CIOs who remain unappreciated until a drastic breach happens. Risk mitigation through back-ups and business continuity scenarios is critical to ensure that operational processes are in place, even in the face of a ransomware attack. Hence, the “cybersecurity” processes must be part of the induction classes, with mandatory clearing of the exams. It should be a bottom-up approach, with institutional reward programs to encourage a “security-first” approach.