Tips for Generating an Initial Security Program Project Portfolio
May 10, 2017
Creating Your Initial Security Program Project Portfolio
Understand how your initial security project portfolio is developed. This portfolio should be used to drive your remediation plan and efforts.
Security Program Project Portfolio Tips:
Tip #1: The most important aspect of this step is to ensure that you can state the exact set of reasons or findings that drive each remediation activity you undertake.
Tip #2: You can scope the portfolio by choosing which findings you include. If your security program has a low decision and execution capability score, you may want to include only the findings from your security program assessment. Once that foundation is in place, you can take on the remaining findings much more effectively.
Tip #3: Use simple means to prioritize your initiatives. We provide some models in the CISO Handbook that can work. The simpler the prioritization method, the better the outcome. The added accuracy of a complex risk methodology is not worth the extra time and effort it requires.
Tip #4: It's very common that existing security program budgets were not set using a process like this to determine what to fund. As a result, the identified total remediation scope, schedule, and budget may be far larger than what your organization expects or is ready for. Be sure to explain the approach you used to management before presenting a number that might really scare them. Once they understand the process, have them identify which projects they want to fund.
Tip #5: When calculating project costs, be sure to include both implementation costs and the ongoing operational costs, including headcount, to maintain whatever is built going forward.
Tip #6: Remember that it's your job to identify the true story and tell it to stakeholders in the business. This does not mean that management will always decide to fix everything. Don't take that personally.
Remember, we understand that you may have questions, and we are here to support you along the way!
If you decide to contact our Information Security Experts, call us at 800-203-3817 or