You are the CFO of a midsized manufacturing firm. You have heard nothing but positive comments about the new CIO you hired three months ago. As you watch her outline what needs to be done to improve the firm's computer security, you are impressed with her energy, enthusiasm, and presentation skills. However, your jaw drops when she states that the total cost of the computer security improvements will be $300,000. This seems like a lot of money for security, given that your firm has had no major incident. Several other items in the budget will either have to be dropped or trimmed back to accommodate this project. In addition, the $300,000 is above your spending authorization and will require approval by the CEO. This will force you to defend the expenditure, and you are not sure how to do this. You wonder if this much spending on security is really required.
How can you sort out what really needs to be done without appearing to be micromanaging or discouraging the new CIO?
Read "What would you do?" #5 on page 120 of the text. Put yourself in the CIO's position. Write a 2- to 3-page paper formulating a risk assessment plan that you think would justify a $300,000 investment even though your firm has never had a major incident.
Your paper should include the following:
- Consider all the data that must be secure.
- What types of data are at risk?
- Research IT security threats and risks.
- Research risk assessment templates and tools.