Reading the book Security Awareness For Dummies - Ira Winkler - Page 34

Making Perfection the Stated Goal


Perhaps the greatest form of self-sabotage you can commit as a security awareness professional is to overpromise what your program can deliver. For example, telling management to expect a human firewall to work — that your users will be both your first and last line of defense — sets you up for failure.

In the first place, nobody will believe you. No experienced security professional expects perfection, so you lose at least some of the credibility you had from the start. Then, the first time an inevitable security incident occurs, it chips away at whatever credibility remains.

As I discuss in Chapter 3, the goal of a security program is risk management. A competent CISO doesn’t promise perfect security. They say that they’re working to manage the organization’s risk by implementing a security program. They don’t promise to defeat bad people. They don’t promise that incidents will never happen. They essentially say that they will reduce loss.

Keep any claims you make reasonable and grounded in the potential for risk reduction. To make that case, you must gather data and offer reasonable, defensible estimates of the loss reduction your program can achieve.
