Communicating Information Security Value to business: A Security Framework using words and pictures. Presented at ITWeb 2014

by Steve Jump

Summary: In today's competitive world a business faces a multitude of threats every day. Many of these can pose a material risk of loss or damage to a business unless identified and managed appropriately. A majority of Boards today state that information security risk is at or close to the top of their business priorities.
However, when infosec practitioners have completed their business threat assessments and provided their analysis of how information security risks can affect the business's ability to meet its objectives, even today the Board is often left asking for a translation.
This presentation introduces a high-level information security framework that allows the complexity of information security management to be explained at all levels of a business, and provides a basic lexicon that may be used to translate the technical threat models used to establish the real risks into simple, business-friendly terminology readily understood by any financial or commercial manager (and even technical managers).