5.1 Generate Initial Security Program Project Portfolio
This element illustrates the development of your initial security project portfolio. This portfolio should be used to fuel your remediation plan and efforts.
Security Program Project Portfolio Tips:
Tip #1: The most important aspect of this step is to be able to state the exact set of reasons (findings) that drive each remediation activity you propose.
Tip #2: You can scope the portfolio by choosing which findings to include. If you have a low Security Program decision and execution capability score, you may want to include only the findings from your security program assessment. Once that capability is in place, you can take on the remaining findings, probably much more effectively.
Tip #3: Use simple means to prioritize your initiatives. We provide some models in the CISO Handbook that can work. Over the years I keep finding that the simpler I can be, the better it works. Use a complex risk methodology and good luck to you. It is not that these frameworks are not great and accurate; it is that the time and effort they require are not worth the marginal gain in precision.
Tip #4: It is very common that your existing security program budget was not built using a process like this for determining what to fund. As a result, the identified total remediation scope, schedule, and budget may be far larger than what your organization is expecting or ready for. Be sure to educate management on the approach you used before giving a number that might really scare them. Once they understand the process, put it on them to identify which projects they want to fund.
Tip #5: When calculating project costs, be sure to include both implementation costs and the ongoing operational costs for the headcount needed to maintain whatever was built.
Tip #6: Remember that it is your job to identify and then tell the true story to stakeholders in the business. This does not mean that management will always decide to fix everything; don't take that personally.
Remember, we understand that there might be questions and we are here to support you along the way!
CISOSHARE’s President and CEO
Mike Gentile has been helping organizations build Information Security Programs for more than 20 years. He has written multiple recognized books on the subject, provided hundreds of presentations, and built many Security Programs in both internal and external consulting roles.