
Posts

Featured

Who pays for InfoSec?

Protecting our digital assets has a cost, and that cost must be lower than the cost of losing them. Who must pay it? Information security is no longer an IT-centric responsibility. Even though leadership may fall within IT (CIOs) or outside of IT (CISOs), individual responsibility and accountability are the way to go in organizations that aim for digital trust inside and outside of the company. Once we identify the System, Process and Control Owners, we may assign the cost of cybersecurity controls according to the value of the information. Traditionally, the cost of implementing and operating information security controls has been assigned to the technical department that knows how to operate them. That is like charging electrical costs to the facilities area instead of charging each department according to its use of this resource. Distributing the cost of information security proportionally to the value of information used a...

Most recent posts

The computer is to the mind what the bicycle is to the body

CO, PO, SO: The pillars of GRC accountability

Typosquatting. The trap for the distracted.

Operating Systems and Billboard

IoT at home: convenience or insecurity?

Managing Cyber Risks: Third-Party and End-User Challenges