Premium Content

Access "Bruce Jones: Report Security and Risk Metrics in a Business-Friendly Way"

Published: 20 Oct 2012

Risk metrics were virtually non-existent three years ago when I took over as Kodak's global IT security and risk manager. The company's risk management process was cumbersome, time-consuming, inconsistent, and subjective; as a result, we were lacking a comprehensive picture of our security posture to the business. I wanted a security metrics program that not only supported the budgeting and investment process for IT security but also provided an "at-a-glance" view of the overall risk posture. I researched different risk models from the National Infrastructure Advisory Council (NIAC), the National Institute of Standards and Technology (NIST), and Microsoft SFT, and came away with the opinion that their models would not fit our requirements relative to management and overhead. I decided instead to rely on my previous business experience to develop our current metrics program: a tier-based approach to IT security risk management that uses a set of standard probability and business impact frameworks to provide a lean assessment process. One of the keys to our ... Access >>>

Access TechTarget
Premium Content for Free.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

What's Inside

Features

More Premium Content Accessible For Free