by adrr 1203 days ago
CISOs are starting to report to the board. The biggest challenge is budget. It's hard to put an ROI on a theoretical risk when the chances of that risk happening are at best an educated guess. Most company leaders don't value detection of a breach but only prevention, so things like the significant cost of storing network flow logs are an uphill battle.
1 comments

I fumbled on an interview once when asked “tell us how a security initiative you led brought value to your organization”. I rambled on about average breach/downtime cost but I couldn’t quantify anything on the spot. In retrospect, I should have focused on man-hours saved through a prevention system. It’s a hard sell!