how to align security with your strategic business objectives.pdf

7/29/2019 How to Align Security with your Strategic Business Objectives.pdf

1/71

PwC AdvisoryPerformance Improvement

SecurityATLAS

Guidebook

How to align securitywith your strategic

business objectives*


2/71

Introduction Pg. 04

As chief information security officer (CISO), you occupy the new seatat the executive table. In order to provide leadership in this position,you will need a clear vision for security, the ability to communicate itsrelevance and the managerial discipline to deliver its full value. Thisguidebook, based on our PricewaterhouseCoopers SecurityATLAS

framework, explains how to achieve these goals.

Our Approach Pg. 08

We believe that in order to position yourself and your organization forsuccess, you must be able to think, execute and deliver results alongfive strategic disciplines. This guidebook explains the five disciplinesneeded to help transform securitys role in the organization andprovides action steps for using them.

Assess: Understand where you are and where you want to be

Analyze: Conduct analyses that will give you actionable insight

Strategize: Build a strategic implementation roadmap

Align: Maintain strategy as a dynamic, continuous process

Communicate: Improve consensus-building, messaging and reporti

Appendix Pg. 61

The PricewaterhouseCoopers SecurityATLAS framework has beenbuilt based on our extensive client work. It is a comprehensive andflexible framework for the development, delivery, communication andmaintenance of an enterprise-wide information security strategy.The components of the SecurityATLAS framework are explained in

this appendix.

Table of Contents


3/71

Get ready for some tough decision-making.

Its impossible to separate the concept of securitytransformation from the pragmatic day-to-daydiscipline necessary to achieve it. In order to

transform your security infrastructure, you mustensure that each security project clearly maps backto the organizations strategic business objectives.You have to be ruthless when it comes to makingtough decisions about the kind of information securityinvestments you are willing to authorize and support

Ensuring that your security investments supportyour business strategy is a critical litmus test forany CISO. Every discrete security project mustalign with corporate strategy in order to make thecut. Otherwise, it is not going to drive your businessforward.

Ken Morris, CISO, Adecco


4/71

Introduction

04


5/71

With the mission of security expanding, the chief information securityofficer (CISO) faces a new test of leadership, one that requires essentiadisciplines in planning and communications.

As CISO, you are responsible for managing the crucial links betweeninformation security and operational performance, brand protection andshareholder value. It is a job that continues to change, and you are the

executive most keenly aware of the extent to which securityincludinghow your organization and others elect to align, harvest and sustain itsvalueis undergoing a transformation.

Introduction05


6/71

The nature of security is evolving.

Security is a crucial partner in helping manage largeorganizations.

As the scope and complexity of technologys contribution increases,so does the role of security. But a change to securitys typicallyfragmented infrastructure is needed, one that promises to yieldstrategic cost savings for companies that address security from

a comprehensive perspective.

Security is now critical for maintaining a competitive posture.

Once seen only as the first step in asset protection, todays securityplays a critical role in enabling the exchange of sensitive informationwith other organizations.

Security is essential for compliance.

Heightened regulatory pressure to maintain better control overinformation means that information security must be incorporatedearly and comprehensively in the compliance planning andremediation process. When addressed as a whole, security canreduce the cost and increase the effectiveness of compliance.

06 Introduction


7/71

New disciplines must lead the evolution.

These and other trends reinforce the importance of having readyaccess to a comprehensive set of managerial tools and disciplinesin security management, along with a customizable means ofcommunicating, to executive colleagues and other constituents, thevalue, status and impact of security.

As the role of security transforms from asset guardian to strategic

business enabler, it will be up to you to determine the vision forsecurity, refine your skills in communication and analysis, andundertake the disciplined approach required for effective executiveleadership during this time of change.

Introduction07


8/71

Our Approach

08


9/71

We believe that in order to position yourself and your organization forsuccess, you must be able to think, execute and deliver results alongfive strategic dimensions. This means the ability to assess, analyze,strategize, align with the business, and communicate the value ofsecurity. As shown in the graphic on the following pages, these are thedisciplines needed to help transform securitys role in the organization

This guide explains the five disciplines and provides action steps forusing them. It is based on thousands of hours of client serviceexperience helping organizations of all sizes assess, develop andsustain an effective security program.

Our Approach09


10/71

10

This guide is organized according to five disciplines.

The five CISO disciplinesassess, analyze, strategize, align andcommunicatego to the heart of what it means to transform securityand, through security, aspects of business performance, complianceand risk management.

Each discipline initiates a chapter within the guide and forms the basfor a set of actionable tips, suggestions and ideas intended to helpyou develop a security strategy that is repeatable, reportable andultimately transforming.

Since these same insights, along with our knowledge and experience,form the basis of the PricewaterhouseCoopers SecurityATLAS, we wbe drawing examples from this framework to illustrate key principlesand actionable guidance.

SecurityATLAS is a comprehensive and flexible concept-to-execution planning, analysis and decision-support framework forthe development, delivery, communication and maintenance of anenterprise-wide information security strategy. A full description of

SecurityATLAS is included as an appendix.

Our Approach


11/71

11

Critical outputs of a structured security progrThe five disciplines of security transformation

Security capability model

Project analysis tools

Comprehensive roadmap

Security management framework

Customizable communication framework

Assess

Analyze

Strategize

Align

Communicate

Assess, understand and define securitys current andfuture role in your organizationwhere security capabilitiesin people, processes and technologies reside acrossthe enterprise today, and what security needs to achievefor the organization in the future.

Analyze the information collected to identify capability gapsin the context of regulatory considerations and industrybenchmarks, check current project alignment, determinethe appropriate size of a reasonable investment and identifyprecisely where the organization should be committingits scarce resources.

Translate this information and analysis into an actionable,repeatable and reportable strategy that identifies the businesscase supporting project creation, project prioritization andinvestment optimization while also generating a strategicimplementation roadmap.

Align this strategy and plan with the business on a continuousbasis to accommodate continual change in the business,security and IT environments.

Communicate securitys current status, vision, strategicroadmap and progress to-dateat any point in the annualor quarterly business cycle and in a manner best suited tothe different communication needs of a wide range of internaland external security constituents.

Our Approach


12/71

12

Our ApproachAssess


13/71

13

How can you assess, understand and definesecuritys current and future role in your organizationWhere is money being spent on security personnel,processes and technologies across the enterprisetoday, and what does security need to achieve for

your organization in the future?

A transformation for security should begin with a clear starting point,preferably, a base of fact. Gathering important security information fromevery corner of the enterprise, however, isnt always a straightforwardtask. Security capabilities today are often scattered across multiplebusiness units and duplicated in different departments within the sameoperating division.

Overlapping responsibilities are likely to be shared by a host ofpersonnel, including application developers, security staffers, systemadministrators and outside vendors. Understanding what each persondoes can be a task; aligning roles can be even more difficult, since theseindividuals often do not classify how much time they spend on securityor which security tasks they are performing.

Complicating the challenge are the internal politics that are almostalways presentif only because any effort to achieve transformationcan be perceived, at some level, as a risk to jobs, responsibilities orpersonal career objectives. This may happen even when you and other

senior executives are not planning such a level of impact.

Our Approach: Assess


14/71

14

When you begin to gather security requirements, you are not justputting out a request for information, you are also encouragingmanagers from all over the company to begin thinking andcommunicating about what they need or like about securityandwhat they dont. An example might be how security is currentlybeing administered.

Expect conflict. Perhaps most of it will be a healthy exchange ofviews, but try to avoid creating an unstructured forum that doesntresult in meaningful input. Control the process by providing strongleadership. Establish clear starting and ending points for therequirements gathering process. Anticipate issues and take the timeto finesse your approach. Document everything. And above all,work tirelessly to manage stakeholder expectations.

Ensure that those being asked to provide information understandthe scope and purpose of the request and recognize that the effort isimportant to the broader goals of the business. Also, be preparedto enlist other executive leaders, including the CEO if necessary, incommunicating the goals of the initiative.

Gather requirements in a controlled fashion.



15/71

15

Be certain that the people youve tasked with asking questionsunderstand, at a technical, organizational and process level, thecomplex interdependencies that exist among security capabilities.Interviewers must be armed with insight into what they know willbe happening in later stages of the strategy process.

You will want to anticipate this complexity and allocate information-

gathering activities with different levels of sophistication to those mosqualified for the task.

Know your team. Does your inner circle of direct reports understandthe nature of your objective in developing a security strategy? Amongthem, how many have the communication and relationship-buildingskills to develop a rapport with business-unit managers in differentoperating theaters? Who are they? Do these individuals have thepresence and the professional credibility to solicit the insights intobusiness objectives, operating needs and resource constraints thatwill shape your later decisions? What is the cost to deploy them?

Answering these questions will help you field the right fact-findingteam for the job.

Know what youre looking for.



16/71

16

Your strategy has to stand on a clear and accurate accounting ofhow much the entire organization is spending on security. Gettingthis information may require persistence. A difficulty in quantifyingIT security spending is that almost every application developed orpurchased requires a measure of security in order to operate properlyIn the majority of cases, this component is independent of thestrategic common components provided by the IT infrastructure.

Try to get to the bottom of the so-called shadow spending onsecurity, i.e., dollars that are not budgeted, standardized or reported.Such hidden spending can occur within various business units, whendivisions, departments and individuals decide to deploy securitytechnologies, processes and services that arent centrally tracked orauthorized. At least initially, be sure that your search parametersinclude all key security spending elements within both operational ancapital expenditure categories.

It can be difficult, if not impossible, to identify the operational costsof other departments, in part because these departments do notalways itemize expenditures on security. Under such circumstances,consider security costs embedded in the application portfolios budgas potential opportunities for cost savings that may be realized byexpanding common security services.

In addition, be on the lookout for process or capability redundanciesboth inside and outside the formal boundaries of the securityorganizations technologies, processes and budgets.

Capture the true spending on security.



17/71

How to collect information.

In the process of gathering requirements, youll beconducting interviews and surveys as well as gatheringavailable documentation. Here are some ideas that mayassist you:

1. Interviews: Try to address key personnel at (a) the

leadership levelto determine strategic objectivesand assess senior executive perceptions; (b) thebusiness-unit levelto identify line managementsexpectations and perceptions; and (c) different levelswithin your IT organizationto flush out the concerns,experiences and ideas among your techniciansthat can be invaluable but hard to uncover withouta targeted effort.

2. Workshops: While interviews are effective at surfacingdetail, workshops generate a collaborative environmentthat supports the exchange of ideas and promotes thegrowth of productive working relationships betweenimportant stakeholders.

3. Surveys: Because interviews can be expensive andtime consuming, consider supplementing your findingswith surveys that can be used to gather data quicklyfrom a larger audience while establishing a baselineof management metrics that can be updated inlater surveys.

4. Documentation: Information is likely to be alreadydocumented and retrievable within your organizationassuming you know what to ask for and whom to ask.

Accessing current documentation can be the quickestand most cost-effective means of collecting internallyavailable information related to areas such as: (a)resourcing and head counts, (b) current security projectsand investments, (c) hardware and software assets andtheir costs, and (d) operational statistics.

17


18/71

Think like a CFO.

One of the most fundamental skills supporting aCISOs fiscal and fiduciary responsibilities today isbeing proficient in translating the implications of

security into financial terms with the appropriate levelof transparency and clarity. You should be able topresent your business case in a way that others onthe executive management team will understand.

In effect, you have to be able to think like a CFO,because your ability to deliver results may depend onyour ability to communicate what security costs andwhat it delivers.

Elizabeth King, vp Information Management Services, Starbucks


19/71

19

Collectively, the organizations business objectives form the singlemost important driver of the security strategy. They are the basis ofthe arguments you will be using to communicate the business casefor change and will help you prioritize initiatives based on businessneed. When determining your security strategy planning process, takcare that it is explicitly mapped to the business objectives you haveidentified and carefully defined in terms of the benefits that will be

used to measure project success.

Define business objectives.



20/71

20

Find out exactly what regulatory requirements must be taken intoaccount. For example, your organization may be responding toregulatory requirements as they emerge, and reassessing its IT andsecurity environment over and over on a regulation-specific basis.

If you have separate policies for compliance, privacy and security,you will likely have to address overlapping standards that are neither

centralized, coordinated nor integrated.Say, for instance, that your organization supports 25 different waysmany of them redundantof managing user identities and privilegesIn this case, proper security, compliance and risk managementprocedures would require that you document these 25 differentprocedures, test to ascertain whether they are operating effectively,manage changes to them and report on the status of their efficacy ona regular basis.

Unless you can consolidate these redundant processes, such a poorcoordinated system will result in significant costs to the organization.The good news is that your executive colleagues are now wellapprised of their accountability for regulatory compliancea situation

that can help you attract support and funding for key securityinitiatives. But you must be able to impress upon them that regulatorcompliance management should no longer be addressed as anevent-driven activity. Rather, it has to be an ongoing component ofyour organizations day-to-day approach to overall security and riskmanagement.

Having identified the regulatory requirements your organization hasto comply with, you will need to determinefrom across the spectrumof security activitiesthe precise security capabilities required tomeet each regulation. Use this information to frame any resourcecommunications with management.

Identify regulatory requirements.



21/71

21

If possible, gain a thorough understanding of competitive securitypractices within your industry. This information can help you identifyareas in which the organization needs to bring itself current withstandard industry security practices and may offer insights todeveloping a competitive advantage.

Acquiring knowledge about what competitors are doing in security

also changes the nature of your conversation with business-unitleaders. Armed with this insight, you can more readily discusssecuritys value from the perspective of enablement as well asprevention. This has the potential to trigger and maintain a moreenthusiastic level of commitment and collaboration.

Benchmark against competitors.

SecurityATLAS Regulatory Baseline

The SecurityATLAS Regulatory Baselineprovides organizations with a clear pictureof how and where specific regulationsimpact the security agenda. Please notethat the information presented here ismerely representative. Regulations dependin large measure on application-specificcircumstances, and the data illustrated hereis not applicable to all industries or operatingenvironments. See page 67 of Appendix.



22/71

22

Achieving security transformation depends in part on pointing theorganization in the right direction. You will want to define a vision forsecurity that is reasonably achievable, realistic in the context ofindustry peer activity and directly aligned with business objectives.

A future-state assessment should address the following six area

1. Guiding principles.2. Services and technologies that support how security will function

within your organization.

3. The high-level technological architecture necessary to maintainthese services.

4. Emerging industry standards.

5. Identification of vendor technology trajectories.

6. Organizational roles and responsibilities and associated capabilitie

Addressing these areas will help you determine the extent to whichthe organizations future state is either divergent from, or convergentwith, system components currently being recommended to you forpurchase. Understanding these areas can also help you align commoprocesses with key drivers of the business and identify skill setsrequired in the future that are not represented in the current securityorganization.

Define the future state of security in your organization.

SecurityATLAS Industry Benchmark

The SecurityATLAS Industry Benchmarkpresents a clear picture of how your industryis addressing key capabilities in thepeople, process and technology componentsof a security program.

We maintain this database with informationgained through a global survey of securitypractices. See page 68 of Appendix.



23/71

In security, it pays to look ahead.

There is still a tendency within security organizationsto focus on reactive security rather than taking aproactive approach. Reactive security appears,

at first hand, to be less resource-consuming, withfaster results and more flexibility, but this is amisconception. In the medium to long term, reactivesecurity provides no scope for growth or adaptationand amounts to little more than expensive firefighting

Proactive security requires early identification ofthe business and technical requirements that cangive a security chief the necessary edge to buildan organization flexible and adaptable enough toprovide holistic services, meeting both immediateneed and providing structure for future growth.Taking the time to get it right in the early stages reaps

huge benefits in the long term.

Craig Thomas, Global CISO, PricewaterhouseCoopers LLP


24/71

24

Definition of the future-state vision is an important technicalrequirement in a structured approach to security strategya first stepin developing an actionable blueprint.

In a later step, you will be analyzing the gap between where yourorganizations security capabilities are today and where you would likthem to be in the future. Clearly defining these two points will also he

you develop, deploy and retain your teama critical component ofrealizing the value of your strategy process.

Assess with care.



25/71

How to identify your organizations current stateand define a clear security vision for the future.

Here are suggestions to help develop an accurateassessment:

1. Use a standardized measurement framework forevaluating where you are today and where you want

to be tomorrow. Without one, you may find yourselfcomparing apples to oranges and therefore unableto justify the results of your analysis.

2. Understand the major drivers of profitability andshareholder value for your organization. Becomeproficient at explaining the link between these businessdrivers and IT, and between IT and security. Dont besatisfied with a short list of high-level business driversthat shed no real light on securitys mission. Press for aclear statement of how IT is driving toward the needsof the business. Be explicit in calling out the specificcontributions that security can make in supporting keybusiness initiatives.

3. Find out why and when executives have shied awayfrom a proposed initiative due to technology-relatedrisk factors. Use that information to build a better casefor change.

4. Pick the right scope for the information-gatheringprocess.Sometimes the scope of the strategy shouldbe broader than the scope suggested by the mostimmediate security needs. A strategy can be constrainedby capability interdependencies as well as thecompromises necessary when scarce resources have tobe unexpectedly redirected. There is nothing wrongwith a roadmap that shows you several ways of reachingthe same destination.

5. Initiate ways to cut through internal politics or

bureaucratic obstacles that may crop up in theinformation-gathering process. Be sure that you havevisible support from the CEO or CIO. Proactively counterany negative messages supporting fear, uncertainty anddoubt with respect to IT security. Help your securityconstituents focus instead on securitys enablingrolein the context of business enablement, regulatorycompliance and the protection of assets. Communicateclearly and often.

25


26/71

26

Our ApproachAnalyze


27/71

27

How can you analyze the information we havecollected to identify capability gaps, check currentproject alignment, determine the appropriate sizeof a reasonable investment and identify whereyour organization should be committing its scarce

resources?

Now that you have gathered everything relevant to your organizationssecurity requirements, it is time to start making sense of the information.Doing this will be easier if your planning and analysis framework iswell organized.

Our Approach: Analyze


28/71

28

As one of the foundational steps in your strategy process, you willneed to establish a comprehensive planning framework for security,one that defines a master set of core security capabilities andorganizes them in a way that facilitates aligning security with thebusiness.

Defining the right framework can be critical because it can determine

(1) whether your strategy is effective, (2) whether it can becommunicated easily to non-technical executives and (3) whetheryou will be able to sustain the strategy on an ongoing basis.

Questions arise: What should the taxonomy be for describing, naminand classifying security operations? How should you go aboutorganizing this structure? What are you going to measure? Whatare the organizational units, key performance indicators (KPIs) andother building blocks that you should be using to structure yoursecurity program?

Some CISOs elect to organize security areas by function. Othersdefine organizational parameters that conform to control frameworkssuch as CobiT1 or standards such as ISO 177992 and COSO.3 These

approaches, however, are not sufficient by themselves. They can helpdescribe what information security must achieve, but they do notexplain how security capabilities contribute value to the organization.

Consider what your selection criteria for a taxonomy might be.At a minimum, it should reflect logical relationships among securityareas and include layers of detail that can be consolidated to createhigh-level reportingfrom the lowest technical layer to the higheststrategic presentation layer. The example on pages 32 and 33 showswhat a taxonomy might look like.

Start with a structured security capability model.

1 CobiT (or Control Objectives for Information and related Technology) is a framework for information securitycreated by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITG

2 ISO 17799 is an internationally recognized generic information security standard published bythe International Standards Organization.

3 This is framework for internal control provided by the Committee of Sponsoring Organizations ofthe Treadway Commission (COSO).



29/71

29

If you cant talk ROI, the boardroom isnt listening.

There are two types of metrics used by the CISO:those based on security criteria and those basedon business goals. Those based on security criteria

are a useful intradepartmental tool for evaluatingperformance, but they do not translate to theboardroom. For example, knowing the numberof attacks detected or thwarted may be useful inevaluating your incident response and detectionprocesses, but they tell the executive nothing

about the dollar return on his security investment.

Lloyd Hession, CISO, Radianz


30/71

30 Our Approach: Analyze

Layer 02

The second layer is comprised

of the security activitiesnecessary to deliver the primaryvalue of the functional area.

Below is an example of thesecurity activities necessary todeliver on Program managementand governance.

Security activities

Knowledge management

Personnel management

Enterprise security steering

Third-party relationship management

Third-party contract management

Risk management

Portfolio management

Layer 03

The specific capabilities

associated with each securityactivity make up the third layer.These represent the mostfundamental building blocksfor anything you are currentlydoing or that you intend to do insecurity. They form the lowestlevel of detail in your strategyand program managementframework.

Below is an example of thesecurity capabilities

necessary to deliver on Portfolimanagement.

Security capabilities

Business objectives

Selection and prioritization

Inventory and monitoring

Portfolio management team

Portfolio management technology

Layer 01

To understand the first layer,

suppose you elect to viewsecurity as comprising sevendifferent functional areas. Thinkof each functional areaas a distinct value chain, one thatprovides an identifiable valuecontribution to the organizationand spans the entire securityvalue chain. These sevenfunctional areas are the basiccategories into which your teamgroups all information securityactivities within your company.

Security functional areas

Regulatory and policy compliance

Architecture, consulting anddevelopment

Awareness, education andcommunication

Controls and identity management

Threat and vulnerability management

Physical securityProgram management and

governance

A sample taxonomy structure


31/71

31

Why is this structure so important?

It allows you to catalog the current state of your security organizationusing these capabilities and a maturity scale (for example, one basedon the Carnegie Mellon Capability Maturity Model).4 It also providesyou with a common framework that allows comparison of yourcurrent-state posture to (1) that of your industry peers, (2) the minimu

regulatory baseline that you have defined and (3) the security servicesrequired by your most important business priorities. At the sametime, it permits customizable multi-level reporting to different securitystakeholder communities. Depending on the reporting audience,you will be able to consolidate capabilities in different ways to suppovarious communication objectives.

To help companies achieve this level of planning control,PricewaterhouseCoopers has developed the Enterprise SecurityCapability Model (ESCM), an industry-neutral, technology-independent capability framework that forms the basis for anorganized approach to managing information security.

Based on the ESBM, PricewaterhouseCoopers view of the enterprissecurity value chain,5 the ESCM defines the full set of securitycapabilities that comprise any organizations security programitspeople, business processes and technology infrastructure. The modedetails over 400 measurements of an organizations maturity acrossthe security continuum and helps companies establish commonbenchmarks and control points across different control frameworksand standards.

4 Developed by Carnegie Mellon, the Capability Maturity Model has been used by many organizations toidentify best practices useful in helping them increase the maturity of their processes.

5 The Enterprise Security Business Model is an industry-leading model developed by PricewaterhouseCoopersthat uses a value chain concept to explain how security adds value to an organization.



32/71

How to select a taxonomy systemfor an IT security program.

Here are four criteria to consider when selectinga taxonomy for IT security:

1. Logical relationships. The taxonomy should grouptogether technically similar functional areas, activitiesand capabilities.

2. Consolidation and detail. The taxonomy should supportat least three layers of detail. These should readilyconsolidate to support reporting and communication toa senior executive audience. Detail must be availableto support actionable technical communication acrossthe IT and security organizations as well as to enable atightly focused level of managerial planning, analysis andperformance measurement.

3. Completeness. The taxonomy should be comprehensivein nature. It must be able to support, for example,the lexicon used to develop and describe both yourcurrent- and future-state definitions.

4. Value chaindriven and aligned. The taxonomy shouldsupport how the organization identifies and demonstratesvalue. Ensuring that the measurement and organizationof information security maps clearly to the companyskey value statements will help strengthen and retain theawareness and attention of senior executives.

32


33/71

33

Before you step into the gap-analysis phase, be sure that youhave a system in place that can quantitatively measure differencesbetween your current- and future-state capabilities.

Not all capability gaps are equivalent. You will be weighting,or prioritizing, some capability differences over others. In addition,you will need to have a means of measuring each gap in terms

of the difficulty required to remediate it.

6

Develop an effective weighting system.

6 Using a linear mathematical system (e.g., 4-2=2) will not work well. For example, it may be more difficult to

close the gap between two capabilities rated 3 and 4 than it is to close the gap between two capabilities rated1 and 2. A linear rating system, however, would value the task equivalently.



34/71

34

At this point, you are ready to conduct the gap analysis. Using avariety of analytical methods and tools such as current- and future-state scorecards, examine and document the differences betweenyour current and future states. Ask questions such as the following:

Where are the shortcomings in our capabilities now?

What will it take to fulfill these requirements? Do we have the right organization to meet these capability

needs?

Where are the disconnects between our security technologiesand practices? How should these be integrated, consolidatedor coordinated?

Which manual processes should we replace with automatedones?

What and where are the technical interdependencies thatwill inform our later focus on prioritization, sequencing anddual-track avenues of implementation?

Conduct a gap analysis.



35/71

35

Security organizations without strong analytical capabilities tendto adopt tactical or automatic reactions to negative security-relatedeventsparticularly to those events that are most apparent andurgent. While understandable, this approach is potentially costly.Capability gaps that are highly visible and urgent may be the result ofweaknesses in other areas, and a reactive approach to applying afix is not likely to yield desired results over the long term.

In most cases, a multi-dimensional analytical tool should be usedto develop planning insight into the root causes that drive theorganizations symptoms of need.

When selecting analytical techniques, take care that they allow youto view the information in your repository from various perspectives.For example, gaps that may not appear to be critical from a regulatoryangle may be revealed as critically significant to the organization ifviewed from a business requirements perspective.

Remember, if you limit your ability to assess security capabilitiesfrom different angles, you may miss or underestimate the magnitudeof the capability gap most in need of redress.

Look for root causes.



36/71

36

It can be challenging to get a comprehensive picture of all securityprojects being executed across the organizationand even moredifficult to decide which projects to approve and support.

If you have conducted thorough and accurate assessments of yourcurrent and future state, you know exactly where security is, or shoulbe, contributing value to the organization. But that does not mean

you can afford every project that contributes incremental value to theorganizations efforts. Here are some questions to ask:

How should our limited resources be optimally allocated?

Where are the redundancies in project objectives,which, if eliminated, can reduce waste and free resourcesfor other initiatives?

How can we leverage our capability-specific gap analysis toidentify and address the projects most important to supportingthe organizations objectives?

How can we focus our resources on the correct sequence ofcapabilities in order to achieve our vision while minimizingrework and completing the project on time and within budget?

How can we optimize our product mix to demonstratecontinuous value to the organization? Are projects takingtoo long to show demonstrable value?

Analyze your projects.



37/71

37

Now that your gap analysis has identified the organizations securityneeds and requirements, look at how best to prioritize these projects

Adopting an effective capability framework will allow you to compareprojects based on many more factors than just cost, resourceavailability and timing constraints. You will also be able to defineproject prioritization and sequencing based on (1) the relative

importance of the gap the project is intended to redress, (2) the degreto which repairing or achieving a capability closes this gap and (3)whether the project should be addressed earlier in the strategy dueto capability or implementation interdependencies.

This exercise would help you, for example, determine which projectshould be given higher priority: an initiative to bridge capability gapsessential for compliance with three different regulations, or an initiativto close a single large capability gap important to the business unitthat generates 65% of the organizations profit.

Repeat this process to analyze various scenarios based on differentfunding requirement levels, shifting business and regulatory prioritiesand changes in project timelines. This should be an iterative process

in order to clarify the full range of options available and to build thebusiness case that will support your final recommendations as towhich investments in security are most valuable to the organization.

Prioritize and align your projects.



38/71

How to improve the results ofthe analysis process.

This is an important stage: rigor in the analysis willdetermine the effectiveness of the strategy. Facilitate theprocess by taking the following steps:

1. Be sure to define the full set of assumptions that drive

your strategy model. Whenever possible, secure fromother executives feedback and buy-in on assumptionsearly in the strategy process. It will help you defend theresults of the analysis later.

2. Have a clear understanding of how your variousorganizational capabilities relate to one another. Thisis essential. Many organizations overlook criticaldependency relationships that dictate the need toaddress some capabilities before otherssuch asgaining comfort that the organization has an adequatedata infrastructure before implementing an enterpriseauthorization solution.

3. Set aside preconceived notions about the outcome of

the analysis. In some cases, the data and analysis willsupport conclusions you and others have anticipated.In other cases, the analysis will surface unexpectedrelationships between capabilities or needs that have notbeen previously identified.

4. Dont spend too much time on the assessment andanalysis phases of the strategy development process.Some CISOs get stuck in this stage, as do securityexecutives who are chronically reluctant to move forwabecause they know that the information supporting the

analysis is not fully complete or accurate. Far betterto focus on getting the best information possible andmove forward into executionassuming you continue tcollect, refine and improve the information that informsyour strategy on an ongoing basis.

5. Recognize that gaining acceptance of the results of youanalysis depends on decision-makers understandingthe framework supporting the analysis. Be ready todemonstrate to your executive colleagues that theanalytical methods you have relied on can be usedto derive a consistent and repeatable result.

38


39/71

39

Our ApproachStrategize


40/71

40

How can you translate this information and analysisinto an actionable, repeatable and reportablestrategy that identifies the business case supportingproject creation, project prioritization and investmentoptimization while also generating a strategic

implementation roadmap?

It is now time to shape your analysis into a comprehensive strategy.When complete, the strategic assessment should include a writtenin-depth analysis of your current security posture, as well as arecommended implementation roadmap.

Depending on the scope of the initiative, you will likely be using thestrategy to identify where resources need to be focused to best alignsecurity with key business and regulatory compliance objectives. Theanalysis document has other uses as well, such as validating existingand future funding levels.

As your strategy begins to take shape, keep in mind a word of warning:with remarkable frequencydespite having developed a security visionand a roadmapmany CISOs and organizations either fail to act onthe plans guidelines and recommendations or, just as unfortunately,take concerted action in a manner inconsistent with the organizationsbusiness objectives. Deviation from the plan happens for many reasons;a common problem is that the security strategy is neither reasonable

nor actionable.

Our Approach: Strategize


41/71

41

The security strategy should be reasonable, achievable and explicit.Consider limiting the execution horizon to three years or less. Stressthe identification and inclusion of metrics that give the detail necessaat any time to measure progress toward achievement and manage thbenefits that achievement yields. Make sure the planning frameworkyou adopt allows for maximum flexibility. And be ready to change theplan of attack in midstream whenever necessary.

Ground the strategy in realism,and make it actionable.



42/71

42 Our Approach: Strategize

The security strategy is actionable if it meets the following criteria:

Clarity: Executives, managers and administrators at every level ofthe organization need to be able to understand which steps mustbe undertaken, and in which order, to implement the strategy frombeginning to end.

Conciseness: Strategy stakeholders should be able to read thestrategy publication quickly and easily.

Funding alignment: Strategy recommendations should be consistenwith the level of investment and the scale of the resources thatmanagement is willing to commit to execute the plan.

Organization: Rather than defining large sets of overly complexactivities, the strategy documents should organize all steps intosmall, simple groups of tasks logically arranged to result in discrete,measurable deliveries of value.

Adaptability: The strategy must be able to accommodate changesin key assumptions and requirements driven by shifts in the broaderbusiness and IT environments.

Executive leadership support: Management must be confidentthat the strategy has been created with the appropriate level of duediligence, insight, analysis and rigor. Organizational leaders mustbelieve that, if enacted, the strategy would add value to the businessrelative to the size of the investment needed to implement it.


43/71

43

Focus now on building the project roadmap, a step-by-step planthat explains at the project level how the organization is going toachieve implementation.

Make the roadmap explicit with respect to milestones, deadlines,decision checkpoints and deliverables. Also, define resource usage anconstraints, project dependencies, sequencing requirements and critic

inputs required from either internal or external individuals or groups.Be sure the project roadmap allows you to identify, revise and reporton project resources. Where possible, structure activities in discrete,manageable segments that deliver benefit packages quickly, compleand in the right sequence.

Look for opportunities to quickly demonstrate value by ensuring thatinitial activities are focused on a few easily achievable and measurabgoals. Early successes will help build the strong relationship betweenIT and the business units needed to drive more complex and difficultachievements later in the strategy implementation process. A projectroadmap should include, at a minimum, the following core componen

Executive summary presentations: Necessary to demonstratealignment with managements key business objectives and to buildbroad executive sponsorship and support.

Communication plan: Describes how the strategy will becommunicated to various audiences, including developer communitieIT management and affected business communities.

Tactical maps: Identify short-term tactical steps as well as a vision fohow these steps integrate with the longer-term plan.

Value realization plan: Describes the measurable value and benefitsof the program or project.

Comprehensive planning framework: Helps executives re-evaluate

strategic priorities as the needs of the business or technicalassumptions change.

The project roadmap should also include a full complement ofmanagement tools, templates and scorecards that visually reportprogress toward program or project objectives.

Define the project roadmap.



44/71

How to put a strategy in place.

The process of pulling a comprehensive security strategytogether and pushing it out into a working project roadmapcan be rigorous and taxing. Here are three tips to help makeit successful:

1. Recognize that the plan must be actionable at

multiple levels. Apply discipline in shaping the solutioncomponents that make strategy actionable: (a) projectroadmap, (b) dynamic communication framework and(c) structured security management framework.

2. Require that the security strategy be prepared inbusiness, rather than technical, terms and thatthe content of the strategy be communicated in amanner that non-technical executives will find easy tounderstand. Substance, business relevance and insightinto what is required to move the security organizationahead matter far more than technical detail.

3. Ensure that the strategy is developed by incorporatinginput from groups and individuals expected to beresistant to change. Involving them in the developmentof the strategy can present important opportunities toaddress opposition early in the process.

44


45/71

45

Impact on the bottom line speaks volumes.

In the healthcare industry, our business leaders knowthat every dollar spent on security is a dollar notspent on caring for patients or improving the ability to

attract patients and doctors. So as a CISO, whetherwere able to deliver concrete, measurable value tothese leaders can rise or fall entirely on whether wereable to explain securitys contribution to bottom-linebusiness results.

We have to be able to do this in a manner that linkssecurity with the business vision, communicates thereal costs of security, and demonstrates a flexible,comprehensively structured approach thats basedon leading industry benchmarks and solid riskmanagement practices. The steps for making thestrategy actionable help avoid the common pitfalls

that result in strategies being nicely printed andput into binders that sit on shelves gathering dust.Letting that happen can doom a security programand CISO to being on the outside looking in, in termsof integration as a critical component of businessoperations. This can be the difference between

success and failure.

Paul Connelly, CISO, Hospital Corporation of America (HCA)


46/71

46

Our ApproachAlign


47/71

47

How can you align your strategy and plan withthe business on a continuous basis to accommodateconstant changes in the business, security andIT environments?

Strategy development is not an annual exercise. It is a continuousprocess that must evolve as the needs of the business change. Infact, one of the most common reasons that even carefully designedstrategies are not implemented is that by the time the strategy hasbeen approved, it is also out of date.

A rigid and inflexible methodology provides a poor foundation fora strategy blueprint, as does a design that resists standardization,systematization and transfer. The strategy you develop mustembrace change.

Our Approach: Align


48/71

48

Look for ways to make your strategy development process acontinuously cycling set of activities. Count on change happening asa matter of course. Build a security planning platform that doesnt justolerate a high level of uncertainty, but is designed to accommodate

Always press for advantage, because, until a dynamic securitystrategy becomes a management standard for CISOs, many of your

business competitors will hang backaddressing security events froa reactive perspective, spending precious security dollars on pointsolutions and forgoing the stream of business benefits that flow fromsecurity strategies that are agile and aligned.

Keep your strategy up-to-date by modeling how you would carry outyour implementation plan under different scenarios, such as amendinit to accommodate a major last-minute shift in a key business driver.Embrace learning from initiatives that succeed as well as those thatfail, and be prepared to change course quickly.

Be certain your strategy can be easily applied at every level of theorganization. Emphasize the importance of using technologies andreusable planning and decision-support templates.

Institutionalize agility.

Our Approach: Align


49/71

49

Simultaneously assessing different strategy options and possibilities not a simple process.

The variables are complex by themselves, and their combinations areeven more so. At different stages, you need to know what outcomesto expect under various scenariosideally, you would like to have thinformation without having to retool your databases, spreadsheets

and templates.The most effective way of gaining this managerial insight is to engagea portfolio management approach. This allows the managementof security technologies, capabilities and resources in order todynamically review the impact of hypothetical changes to the businesenvironment, quantify current spending and justify future increases ordecreases in spending. There are several software tools on the marketoday designed to help automate the portfolio management process.

Portfolio management helps you optimize and manage the allocationof your security budget funds according to your organizations mostimportant business objectives. It also provides the ability todemonstrate the basis of your security decisions and recommendatio

to other senior executives, as well as helping provide scope, contextoptions and direction to discussions that relate to security. This can bespecially useful when, for example, unexpected occurrences (suchas virus infections or hacker attacks) might otherwise compel seniorbusiness leaders to focus on events outside of the organizations cont

Apply principles of portfolio management.

Our Approach: Align


50/71

Security needs to movein tandem with the business.

Day in and day out, were competing for sharein markets that reward agility. That need for agility is

as true for security management as it is for anyother critical facet of operations. In fact, we cantjustify a major security investment without alsohaving the flexibility to continually manage thisinvestment in the face of a constantly changingbusiness environment. Youve got to be able to

reassign committed budget resources, reprioritizeinvestments and ultimately field a security strategythat inherently supports flexibility and change.

Dave Cullinane, CISO, Washington Mutual


51/71

51

SecurityATLAS PortfolioManagement Capabilities

Through a portfolio-based approach tomanaging project mixes and inputs,SecurityATLAS gives CISOs a pragmaticability to optimize the allocation ofsecurity investments. This is a complexundertaking that requires a coordinated abilityto identify, integrate and allow adaptationsto the people, process and technologycomponents that collectively drive anycomplex set of security initiatives. Theapproach also provides management withtransparency into how resources and fundingare being allocated and which trade-offsarise when unexpected issues surface thatcompel executives to reconsider securityinvestment priorities. See page 69of Appendix.

Portfolio management tools should support the ability to manipulatedata inputs. You should be able to change the assumptions andinputs relatively easily in order to model annual plans and what ifscenarios that will help you develop forward visibility into how, whenand in what combinations and sequences you should be focusing onnew security capabilities. In this regard, software is a critical assetbecause it standardizes analysis models and can forecast impacts

to the organization resulting from changes in the business ortechnology environments.

Under the best circumstances, this is a high-level, dashboard-drivendiscipline that allows you to manage and categorize total securityspending in the organization as a mix of investments whose balanceand make-up you can reconfigure whenever necessary.

Use the right tools.

Our Approach: Align


52/71

How to maintain the strategyas a continuous process.

Managing the strategy in response to changing conditionsis as important as putting the strategy on the ground in thefirst place. Here are five insights to help you manage in achanging environment:

1. Understand how each security initiative advances both thesecurity and business strategy. Define this understandingin terms of the benefits the initiative will help realize. If thisalignment is not fully apparent, be prepared to withholdapproval of the initiative in question.

2. Do not sign off on the security strategy unless the securityinitiatives are examined, assessed and presented as a fullportfolio of investmentsincluding total costs, quantitativeand qualitative benefits and key business risks.

3. Take care that the CIO, CFO and, in some cases, the CEOunderstand your standard of approval. This can be a wisetactic, particularly if you are still working to build credibilityfor the CISO position among your executive colleagues.

4. Recognize that the security strategy is a dynamic,continuous processnot a static event conducted on aquarterly or annual basisand that security is affectedby market forces and other external events as well as bychanges in the internal corporate environment.

5. Suggest to the CIO that you collaborate in preparing areport for presentation to the CEO and the executivemanagement team, highlighting how the security strategyand program are structured to handle change in a flexible,adaptable and continuously cycling manner.

52


53/71

53

Our ApproachCommunicate


54/71

54

How can you communicate securitys currentstatus, vision, strategic road map andprogress-to-date at any point in the businesscycle and in a manner best suited to the differentcommunication needs of a wide range of internal

and external security constituents?

At the executive level, the corporate world provides a framework forindividual performance. Organizations assign titles and responsibilities;leaders bring credibility and impactif they can. The role of CISO isno exception. To build your position, earn credibility and create animpact, we believe it is essential to have a:

Solid understanding of how to communicate the value of securityactivities to a wide range of security consumers

Security management framework with communication toolsand reporting capabilities versatile enough to support yourcommunication objectives

If you do not define the key issues and challenges for your organizationssecurity program, chances are that others will. Unfortunately, remarksmade about security are often critical, inaccurate or both. Why?Because security tends to attract the most attention when things gowrong or when other executives start wondering aloud if the investment

is actually producing a return.As the CISO, you need to get out in front of how security is perceived,understood and supported at every level of your organization. Thispart of the CISO mission requires good communication, clear reportingand an ability to craft crisp messages that can help your audiencesinternalize and quickly accept your information.

Our Approach: Communicate


55/71

55

What, where and how you communicate about security within yourorganization need to take very different forms depending on whichsecurity constituent you are trying to reach.

Are you addressing senior corporate executives at the C-suite level,business-unit leadership or IT managers and administrators? Are youreaching out through email, hand delivering a comprehensive report o

conducting weekly planning meetings at satellite IT offices? Are youcommunicating in action and behavior, as well as through writtenand electronic means? Are you training, coaching and mentoring yousecurity staff to extend, support and explain the communicationsobjectives you have defined?

Work to understand how each security constituent looks at jobobjectives. From this perspective, imagine how each views securityseffectiveness in supporting his or her role in driving the organizationsagenda. For example:

If you are looking to raise the CEOs security awareness, rememberthat the CEO is primarily focused on the drivers behind earnings,profitability and shareholder value. This person may be more receptiv

if you can explicitly link security with a role in supporting thesekey objectives.

If you are addressing the CFO, be prepared to discuss security inthe language and context of financial issues, such as securitys curreand future impact to the corporations assets, liabilities, income andexpenses. How does the security strategy address risk managementmitigation and transfer issues? How does it address short- and long-term effects on the corporations share price?

If you are working with the COO, expect to discuss how securityshould support new product or service strategies. Or how securitywill impact operational availability, business process integrity orcontinuous operational improvement.

Take the time to develop good skills in listening, conversing andexchanging information with other business and IT leaders. Take aninterest in their points of view and build rapport at a personal level.

Tailor your communicationapproach to different audiences.



56/71

56

In order to communicate with others at every level of the organizationyou must be supported by a strategy framework or methodology thaprovides a broad number of reporting choices in how you sift, filter,roll up and summarize security information in a manner customizablefor different audiences.

Be certain the strategy frameworksupports customized reporting.



57/71

Become a business leader withthe soul of a technologist.

The most effective CISOs today arent just expertsin technology; theyre experts in how technology

must be positioned and implemented to supportthe business. That represents a quantum shift in thebalance and breadth of skills that a CISO must beable to bring to the organization, because now rathethan being just a technology guru, a CISO must alsobe at home with the skills necessary for leadership,

business management, executive communications,fiscal planning and risk management.

Gary Eppinger, CISO, Rockwell Automation


58/71

58

As a forward-looking CISO, you should be the person in yourorganization who actively defines the quantitative measures andmetrics that will be used by the CIO as well as the executivemanagement team to measure and assess securitys performance.

This means having the ability to prepare reports that include differentsets of metrics for security information consumers with different

needs. Of course, this first requires that you define, embed andtrack metrics in key areas such as strategic alignment and businessvalue, security management and control, and security operationalperformance.

What kinds of metrics should you be using? They should be valuefocused, performance based and improvement oriented. They shouldbe placed throughout the security infrastructure and business unitoperations, as well as at the most illuminating points of friction,integration and support that exist between the two. They should bepositioned at touch points that give you and your operations staff thebest opportunity for assessment, intervention and correction.

Tie metrics to specific audience needs.



59/71

How to make communicationa critical success factor.

Here are four concrete steps you can take to help createand sustain executive security awareness and support:

1. Recognize that effective relationship management isan important driver of your long-term success with

the organization and your ability to be recognized andwelcomed as a peer by other senior executives on theleadership team.

2. If you have a strong background in business, but areless experienced with how technology impacts businessperformance, start with the CIO. Consider spendingsome time shadowing an IT implementation team, orobserving how internal service calls are handled. Thiswill help you understand how the organizationsbusiness users interact with the technology that theCIO is managing, and what kinds of expectations forservice, support and accountability they place on theCIO whether or not they are directly related to security.

3. If you have a predominantly technical background,find ways to live and walk in the shoes of your businessexecutive peers. Spend some time with business-unitmanagerson their terms, in their offices, addressingtheir challenges. You will understand much more abouthow to define, design and communicate your securitystrategy to support their efforts. And youll begin buildinga working platform for trust, communication andcollaborative success.

4. Develop crisp reporting capabilities that supportroll-up activity summaries. Use features that allow youto screen, drill down or manipulate views into yoursecurity strategy to support your teams ability tocustomize communications for different securityinformation audiences.

59


60/71

Arm everyone with the knowledgeto save your company.

Its hard to overstate the importance of effectivesecurity awareness and communication. As one of

the largest power generators, transmitters anddistributors in the United States, were acutely awarethat the weakest link in the information security effortthat protects our data, our control systems and ourgenerating fleet can be something we dont know,leaving our networks or data exposed to attack.

That is why we expect our managersat every levelof our organizationto understand how securitysupports and impacts our processes, assets,efficiency and our operating objectives. At AEP,communication about security isnt just anadministrative functionits an integral component

of how we provide tangible value to our customers,our employees and our shareholders.

Michael Assante, VP and CISO, American Electric Power


61/71

61

Appendix


62/71

62

PricewaterhouseCoopers SecurityATLAS is a comprehensive andflexible concept-to-execution planning, analysis and decision-support framework for the development, delivery, communicationand maintenance of an enterprise-wide information security strategy.

The same insights, knowledge and experience that inform thispublication also represent the core of PricewaterhouseCoopers

comprehensive strategy development and support approach.This integrated and customizable set of tools, templates, software andbusiness processes is based on PricewaterhouseCoopers experiencein helping companies throughout the world align security with theirbusiness and regulatory objectives.

Built upon a multi-layered planning approach, the SecurityATLASframework helps CISOs develop a current-state assessment, define

a security vision, develop and execute an actionable strategy roadmapsustain the resulting security strategy over time and use the tool setsto create and sustain executive security awareness and sponsorship.

Appendix


63/71

63

As a comprehensive and customizable planning framework,SecurityATLAS integrates the critical processes that linksecurity strategy development, execution and maintenance.

Features and outputs include the following:

Appendix


64/71

64

A comprehensive capability modelBased in part on PwCs Enterprise Security Business Model, thismodel helps clients visualize, summarize, communicate, and executeagainst complex information security objectives.

SecurityATLAS Regulatory BaselineDesigned to provide visibility across regulations, this tool helps

CISOs understand how and where specific regulations impact theirsecurity agendas.

SecurityATLAS Industry BenchmarkUpdated by PwCs global surveys of security practices as well asby experience collected over hundreds of client engagements, thisindustry-specific database of security practices offers insight intohow comparable companies are addressing security.

SecurityATLAS Capability AnalysisDesigned as a rich visual planning aid, this tool helps CISOs analyzeand communicate information along multiple dimensions.

SecurityATLAS Portfolio Management CapabilitiesPortfolio-based analyses give CISOs a pragmatic ability to optimizethe allocation of security investments.

SecurityATLAS Security RoadmapThis is an actionable plan that helps CISOs implement the appropriateproject mix in sequences that minimize rework and maximizevalue creation.

Analytical tools and templatesThese help CISOs conduct graphically enhanced, multi-dimensionalanalyses focused on identifying capability gaps and optimizing projecportfolios. In addition, current- and future-state scorecards providea disciplined framework for setting goals and measuring progress.

A dynamic communication framework

A robust, multilayered reporting structure provides CISOs with alens-based approach to tailoring communications for differentexecutive and technical audiences.

Appendix


65/71

65

SecurityATLAS Strategy Delivery Framework

Assess

Future-state data gathering

Current-state data gathering

Current project data gathering

Data gathering

PwC Enterprise SecurityBusiness Model

PwC SolutionDelivery Expertise

PwC Regulatory andIndustry Expertise

PwC PortfolioManagement Expertise

Appendix

continu


66/71

66

Analyze Strategize Align

Capability gap analysis

Current project alignment analysis

Project creation

Project prioritization

Investment optimization Dynamic communication

Ongoing management

Capability analysis

Project analysis

Project roadmap Dynamic communication framew

Security management framewor

Appendix

SecurityATLAS Strategy Delivery Framework (continued)


67/71

67

The SecurityATLAS Regulatory Baseline provides organizations with a clear picture of howand where specific regulations impact the security agenda. Please note that the informationpresented here is merely representative. Regulations depend in large measure on applicationspecific circumstances, and the data illustrated here is not applicable to all industries oroperating environments.

SecurityATLASRegulatory Baseline

See Page 21

SecurityATLAS Reference Guide

Appendix


68/71

68

The SecurityATLAS Industry Benchmark presents a clear picture of how your industry isaddressing key capabilities in the people, process and technology components of a securityprogram.

We maintain this database with information gained through a global survey of security practicearound the world, as well as through thousands of hours of service to our clients in the contextof security, governance, risk and compliance management engagements. Please note that theinformation presented here is provided on a sample basis only, and is not meant to berepresentative of any particular industry.

SecurityATLASIndustry Benchmark

See Page 22

Appendix


69/71

69

Through a portfolio-based approach to managing project mixes and inputs, SecurityATLASgives CISOs a pragmatic ability to optimize the allocation of security investments. This isa complex undertaking that requires a coordinated ability to identify, integrate and allowadaptations to the people, process and technology components that collectively drive anycomplex set of security initiatives. The approach also provides management with transpareninto how resources and funding are being allocated and which trade-offs arise whenunexpected issues surface that compel executives to reconsider security investment prioritie

SecurityATLAS PortfolioManagement Capabilities

See Page 51

Appendix


70/71

70

2005 PricewaterhouseCoopers LLP. All rights reserved. PricewaterhouseCoopers refers toPricewaterhouseCoopers LLP (a Delaware limited liability partnership) or, as the context requires,other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and

independent legal entity. *connectedthinking is a trademark of PricewaterhouseCoopers LLP.

For more information, please contact:

James Quinnild, PartnerPwC Advisory612.596.4486

[email protected]


71/71

Performance ImprovementIT Effectiveness

how to align security with your strategic business objectives.pdf

Documents