1. Keep one for you.
That’s right. Visibility is the most important word in information security.
You cannot manage the risk of what you don’t know. You cannot defend what you don’t know. You cannot react against what you don’t know.
Before putting more effort into additional hardening, ask yourself how much visibility you have into your organization, environment, network and apps. Prevention efforts are not always the top priority.
2. Share some others.
When talking to management change the words to be in line with your audience.
- Firewall/Backup -> Prevention
- Cost -> Investment
- Probability -> Risk
- Incident -> Damage (Consequence)
- Benefit -> Saving
- Disaster -> Loss/Downtime
“ISO 27001 will pay off if it prevents only one medium incident, not to mention large ones.”
Replacing the word “learn” with “demonstrate”, “prove” or “calibrate” makes a submission more compelling.