PRAGMATIC Security Metrics by W. Krag Brotby, Gary Hinson

Office Memorandum
Acme Enterprises, Inc.
From: Chief executive officer
To: Information security manager
Dear John,
I realize we have spoken about this a while ago but I am under renewed pressure
from the board to clarify a few things about your budget proposals for the financial
year ahead. I need your assistance urgently as I am busy preparing for our annual
strategy off site. Please, would you address the following issues in writing before the
next board meeting at the end of this month as succinctly as you can:
a. We have spent a small fortune on information security in the past three years:
naturally, this seemed justified at the time, but is it perfectly reasonable for
the board to ask what we have actually achieved in the way of a return on
our investment to date? Can you put a figure on it? Can you demonstrate the
value?
b. How does our information security stack up against our peers in the industry?
How secure are we, and how secure do we need to be? Some of the more
cynical members of the board are starting to express the opinion that we are
going for gold when silver will do, and I must admit I have some sympathy
for that viewpoint. However, if you give me the ammunition for a robust
response, that will help immensely in terms of deflecting some of the pressure
to other cost centers.
c. If budget cuts are necessary (which looks increasingly likely), in which areas
can we safely trim back on security spending without jeopardizing the excellent
progress we have already made? I appreciate that you are reluctant even
to entertain the possibility, but I’m sure you will agree that it is better for us
to be prepared for this eventuality and deal with it rationally now than to
have it imposed upon us later in the process. I should point out that information
security is not being singled out for this. We all share the pain of these
economically challenging times.
Looking forward maybe three to five years, can you give us a clearer picture of
how the information security management system will pan out? The board and the
executive managers are understandably concerned about their personal liabilities if
we should fail in our compliance and governance obligations.
Regards,
Fred B.
CEO
