It seems that upper management views the incident as the fault of the IT security team; whether that is actually so, it would seem the bosses feel that it is perfectly appropriate to penalize your team by taking the funds from your budget.
Without really knowing the situation, it's hard to say whether that is appropriate. I have seen many organizations work far more efficiently and effectively with tighter budgets.
But let's assume for the sake of argument that losing the funding will significantly affect the security team's ability to protect the company from future breaches. It is now your job as security manager to communicate effectively to the executives that information security is more important than ever before.
In the case of large breaches, organizations such as the FTC can and do impose more than just fines: they mandate that certain actions be taken to prevent future breaches. This usually translates into making serious IT investments to improve security. If your company is in this situation, gather together these new requirements into a slide or two as justification for why the IT security department needs continued funding.
Even if you don't have an outside mandate, gather together examples of the above data, because it shows you are actively interested in the health of the company and preventing a future breach. Still, without an outside mandate, this is a more challenging presentation, so it's important that you have good business justifications for your projects and that the projects are focused on addressing issues discovered as a result of the recent breach.