• When taking an economic view of security, security professionals must organise security controls and requirements around the value demanded by the organisation and its customers.
  • Value is defined as the importance, worth, or usefulness of something. Therefore, the security of a project, infrastructure or software must be quantified in terms of its importance.
  • The traditional security mindset focuses on compliance. A compliance approach does not help an organisation understand the value of security to its initiatives. It is a heavy-handed approach that does not give the organisation an understanding of the value security adds to its projects, operations or systems.
  • Adding value through security in an organisation's projects, operations or systems requires one to understand the business drivers of the specific project, operation or system. If we can articulate security requirements based on business drivers, the organisation will appreciate security and will understand, from a clearer perspective, how security adds value to the organisation.
  • Business drivers that may help shape the way we recommend security controls that add value:
    • User expectation (e.g. as of 2021, people are more inclined towards biometric authentication than password authentication on mobile phones)
    • Organisation risk (e.g. confidentiality may not be a key driver for every project, operation or system. Would you therefore consider dropping controls relating to confidentiality and focusing on controls that mitigate the key risk areas?)
    • Resources, cost and budget (e.g. does the cost of the security controls exceed the value of the project?)
  • We tend to list all the controls that mitigate every possible risk; however, we fail to help the team prioritise them according to value.

    Food for Thought
    • How would you prioritise the security controls recommended to a team?
    • What business drivers would you consider when prioritising the security controls for the team?