Wednesday, February 14, 2024

Cybersecurity Costs

 

I have consulted with a company recently. They were reviewing the ISO27001:2022 certification. This, depending on the circumstances, could be a heavy lift or not too bad. This is entirely dependent on the environment. After the initial review and recommendation, the first comment was the business didn’t have the budget for the tools, staffing or anything. This left me a bit confused, as the certification process is not inexpensive.

This reminded me of the budget process. C-level and senior management at times don't understand security's role. They instead think like an accountant and try to arrive at an ROI (Return on Investment). This tends to be very difficult. When you try to commoditize security this way, there are problems.

When I hear this, my thoughts run to the following: how much would a network compromise cost, with ransomware thrown in for good measure, even with cybersecurity insurance? How much would it cost for your connected medical devices to be breached and malicious code put in the firmware, with three or four patients feeling the effects?

There are the direct costs, of course, but also the indirect cost of reputational risk. These are a few things to think through. 

Services 

Enterprise and Embedded System Cybersecurity Engineering & Architecture


Red Team Pentesting   |   HW & SW BoMs   |   CBoM

Vulnerability Management   |   Tabletop Exercises (TTX)

Embedded Systems Architecture   |   Threat Intelligence

TARA (Threat Assessment and Remediation Analysis)


 charles.parker@mielcybersecurity.net 810-701-5511


