Your company has a limited budget for information security, resulting in low salaries and a lack of quality security products. As the information security manager, which of the following is the best strategy to earn the management buy-in and increase the budget? (Wentz QOTD)
A. Lay off security staff with poor performance to cut costs
B. Implement the balanced scorecard to measure and present performance
C. Share threat intelligence frequently with executives to increase the sense of risk
D. Prepare incident management reports to demonstrate how much loss is reduced
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Implement the balanced scorecard to measure and present performance.
All the four options in this question are common alternatives or practices. However, this question is written with a business mindset that emphasizes value creation. We can create value either by reducing loss, cutting costs, avoid wastes, improve efficiency, directly or indirectly increasing revenue, and so forth.
The balanced scorecard is a tool of strategy execution, or strategy performance management tool specifically. A strategy can be broken down and managed by a hierarchy of key performance indicators (KPIs). The balanced scorecard organizes the KPIs into hierarchical dimensions/perspectives such as financial, customer, internal processes, and learning and growth perspectives. It provides a more comprehensive view than just incident response, threat intelligence, or labor costs.
The balanced scorecard provides a holistic and comprehensive view of the information security strategy, monitors the strategy execution, and informs decisions. It helps earn management buy-in. Information systems help implement the balanced scorecard. However, they are not mandatory. Given a limited budget, we can still implement the balanced scorecard without the support of an information system.
Reference
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.
貴公司的信息安全預算有限,導致薪水低且缺乏優質的安全產品。 作為信息安全經理,以下哪項是贏得管理層支持並增加預算的最佳策略?(Wentz QOTD)
A. 解僱績效不佳的資安人員以削減成本
B. 實施平衡計分卡來衡量和展示績效
C. 經常與高階主管分享威脅情報,以增加風險意識
D. 準備事件管理報告以證明減少了多少損失