Thursday, January 22, 2009

The Business Justification For Data Security

Like many security professionals, I often find it very hard to justify certain expenditures. Fully developed, detailed justifications are especially hard to produce when the money must be spent before a real incident has taken place (or rather, before a real incident has been identified).

As a result, I am truly looking forward to what Rich and Adrian over at Securosis are working on. Today they put up what will hopefully be the first of many posts on business justifications for data security spending.

The approach appears to be based on a thoughtful combination of quantification and qualification and consists of the following four steps:

  1. Data Valuation
  2. Risk Estimation
  3. Potential Loss Assessment
  4. Positive Benefits Evaluation

The choice of words by itself makes me hopeful. Rather than pretending that risk can be calculated completely, Rich and Adrian use the term "estimation", and instead of a loss "calculation" they use the phrase "assessment".

I look forward to reading more of their work!
