Viewing Security Management as a Business Practice, Part 2: Lessons Learned in a Small Nonprofit Organization
After the Evaluation
After the evaluation, the CIO and CFO presented the three recommended areas of improvement to the other members of the professional society's management team. OCTAVE helped them (particularly the CFO) to understand the relationship between security threats and their potential impact on the organization's mission and business objectives. Both managers were able to articulate the business implications of security to the entire management team.
OCTAVE was completed just as the budgeting cycle for the next year was about to begin. The management team allocated funds for each of the improvement areas and increased the overall budget for IT. Finally, they decided to assign responsibility to the analysis team for implementing the results of the evaluation. In this way, security improvement became part of the professional society's organizational processes.
Parts 1 and 2 of this series have shown how two vastly different organizations implemented OCTAVE successfully. Part 3 contrasts the paths that the two organizations took to improve their security postures and examines the relationship between security and business processes.