- an understanding of the top ten infosec-related risks in the organisation
- an infosec budget aligned with the risk appetite of management, with the whole C-suite acutely aware of, and understanding, the risks they have accepted in order to set that budget
- security projects directed at addressing multiple high risks in the risk register that are planned, funded, underway and making progress (with comprehensive product evaluation conducted before any significant expenditure)
- a compliance and testing regimen in place, focused on key controls in critical business processes, applications, platforms and networks, that allows security operations to be optimised and evaluated against real-world threats
- ALL projects initially risk assessed and, if high risk, subject to a trust-but-verify approach of threat modelling, security requirements, source code analysis, test plans and test results
- a happy and engaged security team with the skills to execute on their roles and security projects, and with professional development opportunities open to them
- a workforce aware of the infosec issues relevant to their job role
- organisational knowledge and agreed approaches enshrined in endorsed policy, standards and guidelines, with repeatable key security processes documented in processes and procedures
If you have any thoughts please feel free to share them with me below in the comments form.