• Taking an economic view, that is, achieving the shortest sustainable lead time with the best quality and value, requires understanding the economics of a mission. Without that, even a technically competent system may cost too much to develop, take too long to deliver, or incur exorbitant manufacturing or operating costs.
  • Security initiatives and controls need to be phased.
  • It is tempting for security professionals to cite the entire list of organizational security policies and controls when asked which controls need to be considered for an organisation or product.
  • This frustrates the team and usually causes it to overlook security measures because there is simply too much to consider.
  • Instead, security professionals may be required to determine the necessary security controls based on an economic view of the project and its products. This decision by the security professional is crucial, as they need to balance the lead time to implement controls against the security controls necessary to mitigate risk.
  • Based on the risk assessment and risk exposure, they must determine at which stage the controls should be added incrementally, as the product gains functionality and market exposure. It is very tempting for IT security managers to add all controls within the first release; however, those controls may not directly support the economic benefits of the product.

    Food for Thought
    • What criteria will you use to phase in security controls in each iteration?
    • How would you track the security controls and residual risk for each iteration?