Friday, May 15, 2015

What’s So Hard About Creating an Action Plan? (Week 10)

For the last two weeks I have been creating an action plan that specifies the controls I recommended to manage the risk associated with the threats identified in the threat analysis previously completed.  One thing that troubled me while completing the action plan was determining which threats to address.  In short, should I identify a control to transfer, mitigate, or eliminate every threat, or should I pick and choose the threats I feel should be mitigated?  After much thought, I decided that since I was tasked with determining the cause of a recent data breach and preventing it from occurring again, it was not my place to pick and choose the controls to present to senior management.  Instead, I decided I would present all of the controls and let senior management determine which ones to implement.

Finally, I had a resolution to my initial problem.  However, after reviewing my final product I felt as if it presented a “the sky is falling” kind of assessment.  That is definitely not what I was trying to accomplish.  I simply wanted to make management aware of all the potential security issues found with the organization’s network.  How in the world was I going to be able to achieve senior management buy-in and get them to implement some or all of the controls developed to fix the critical vulnerabilities?

After some more critical thinking and one sleepless night I developed a course of action that I would employ in order to achieve senior management buy-in without making them feel as if the sky was falling.  The first thing I would do is show the senior managers the level of risk assigned to each threat.  It would be recommended that threats with a higher level of risk be addressed prior to threats with a lower risk rating.  The second method that could be used to achieve senior management buy-in is to present each threat with a cost-benefit analysis.  The cost-benefit analysis can be used to compare the cost of implementing a recommended control with the cost associated with responding to and recovering from an incident caused by a threat.  If the cost to implement a control is less than the cost of an unwanted incident, then it only makes sense to opt to implement the recommended control.  The last option I thought of is something I learned in one of my previous classes.  It is called a la carte pricing.  Basically, recommended controls are presented as options to select from.  For example, Option A is to transfer the risk and costs $1,000.  Option B is to accept the risk and costs $2,000.  Option C is to mitigate the risk and costs $500.  I wonder which option senior management would choose if presented with the aforementioned options?  I know the one I would probably choose.
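The three techniques above (rank by risk rating, compare control cost against incident cost, and present the options a la carte) can be combined into one small decision tool.  The script below is an added example written for this page, not code or figures from the original post or its course.  It goes one step beyond the post by pricing each threat as an expected annual loss (cost of one incident times expected incidents per year) rather than a single incident cost, so that a control's yearly cost can be compared on the same footing; "accept the risk" is simply the option whose price is the whole expected loss.  Every threat, cost, frequency and residual-exposure figure in the sample data is constructed for illustration; the first threat is set up so that its menu reproduces the post's $1,000 / $2,000 / $500 options.

```python
"""Prioritize threats and pick the cheapest treatment option for each.

Added example, not code from the original post.  All threat names, costs,
frequencies and residual fractions below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List

# Ordinal risk ratings from the threat analysis; higher ranks are addressed first.
RISK_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
TREATMENTS = {"transfer", "mitigate", "eliminate", "accept"}


@dataclass(frozen=True)
class Option:
    label: str               # option letter presented to management, e.g. "A"
    treatment: str           # transfer | mitigate | eliminate | accept
    annual_cost: float       # yearly cost of implementing and maintaining the control
    residual: float          # fraction of the expected loss that remains after the control

    def __post_init__(self):
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r}")
        if not 0.0 <= self.residual <= 1.0:
            raise ValueError("residual must be a fraction between 0 and 1")


@dataclass(frozen=True)
class Threat:
    name: str
    risk_rating: str         # rating assigned in the threat analysis
    incident_cost: float     # cost to respond to and recover from one incident
    annual_frequency: float  # expected number of incidents per year
    options: tuple           # Option objects offered for this threat

    def expected_annual_loss(self) -> float:
        # Incident cost times expected yearly frequency: what doing nothing costs per year.
        return self.incident_cost * self.annual_frequency


def option_cost(threat: Threat, option: Option) -> float:
    """Yearly price of an option: control cost plus the loss the control does not prevent."""
    return option.annual_cost + option.residual * threat.expected_annual_loss()


def accept(label: str) -> Option:
    """Accepting the risk costs nothing up front and leaves the whole expected loss in place."""
    return Option(label, "accept", 0.0, 1.0)


def prioritize(threats: List[Threat]) -> List[Threat]:
    """Highest risk rating first; ties broken by expected annual loss."""
    return sorted(
        threats,
        key=lambda t: (RISK_RANK[t.risk_rating.lower()], t.expected_annual_loss()),
        reverse=True,
    )


def action_plan(threats: List[Threat]) -> List[Dict[str, object]]:
    """One row per threat, in priority order, with the a la carte menu and cheapest option."""
    rows = []
    for threat in prioritize(threats):
        priced = {opt.label: round(option_cost(threat, opt), 2) for opt in threat.options}
        best = min(threat.options, key=lambda o: option_cost(threat, o))
        rows.append({
            "threat": threat.name,
            "risk": threat.risk_rating,
            "expected_annual_loss": round(threat.expected_annual_loss(), 2),
            "priced_options": priced,   # the menu shown to management
            "recommended": best.label,
            "treatment": best.treatment,
        })
    return rows


# Constructed sample threats (hypothetical; not from the original post).  The first one
# reproduces the post's menu: transfer $1,000, accept $2,000, mitigate $500.
SAMPLE_THREATS = [
    Threat("Unpatched internet-facing web server", "critical", 10_000.0, 0.2, (
        Option("A", "transfer", 1_000.0, 0.0),   # e.g. insurance that covers the loss
        accept("B"),
        Option("C", "mitigate", 300.0, 0.1),     # patch management; some exposure remains
    )),
    Threat("Lost unencrypted laptops", "medium", 2_000.0, 0.25, (
        Option("A", "eliminate", 200.0, 0.0),    # full-disk encryption
        accept("B"),
    )),
    Threat("Weak remote-access passwords", "high", 5_000.0, 0.5, (
        Option("A", "mitigate", 3_000.0, 0.05),  # control costs more than the expected loss
        accept("B"),
    )),
]

if __name__ == "__main__":
    for row in action_plan(SAMPLE_THREATS):
        print(row)
```

Running it lists the critical web-server threat first with Option C (mitigate, $500) recommended, then the high-rated password threat, where the only control offered costs more per year than the expected loss, so the tool recommends accepting the risk, which is exactly the case the cost-benefit comparison in the post is meant to expose.  The menu of priced options is kept in every row so management can still see and override the recommendation.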
