You are a newly recruited CISO working for a direct bank based in Taiwan that relies entirely on internet banking. Which of the following should you do first?
A. Meet and talk to stakeholders
B. Initiate an information security program
C. Conduct a thorough risk assessment
D. Formulate a cybersecurity strategy
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Meet and talk to stakeholders.
Every effort or initiative has to be linked to, and aligned with, the organization’s mission and goals. Meeting and talking to stakeholders helps you understand the organization’s mission and goals, its internal and external environment, its issues and constraints, and its needs and requirements. It’s part of the
A cybersecurity strategy has to be aligned with the corporate strategy, based on an analysis of the context of the organization. A strategy can be organized and presented as a strategy map using a balanced scorecard (BSC) and supported by a collection of initiatives that are then evaluated and grouped into portfolios, programs, and projects. Policies are developed to direct those initiatives.
Risk assessment is crucial, but it’s part of the risk management program.
Meeting and talking to stakeholders determines the needs and requirements, the intended outcomes, and the scope; in turn, it determines how effective the strategy will be.