WHERE DOES YOUR IT STAND NOW?
Above you see the relationship between risk tolerance, security operations, and the resulting state of an organizational security program.
On the vertical axis, the risk tolerance scale ranges from ambiguous to explicit.
On the horizontal axis, the security operations methodology ranges from reactive to proactive.
When risk tolerance and security policy are ambiguous and security operations are reactive, the result is chaos. No one wants to operate this way, as the end results can be devastating. However, when one becomes comfortable in the chaos, it can lead to complacency.
At the opposite end of the spectrum is the “predictive” state – characterized by explicitly defined risk tolerance, security policy, and proactive security operations. The “predictive” state is representative of a high-performing information security program. Organizations within the predictive state should strive for optimization.
Where does your organization belong on this map?
Is your information security program in a predictive or a chaotic state?
Or somewhere in between with room to grow?
How would you rate the maturity level of your information security program?
The real question is whether or not your organization is willing to Venture Beyond Risk.