This will always be the case.
There is nothing you can do, that’s for sure. It depends entirely on the internal dynamic at each client, and how the CISO there is able to position Security at the Board level (or not).
If they treat it as an existential threat and in the top 3 most critical risks to the enterprise, then you’ll usually see the right balance of investment and maturity. If not, then not.
Federal/state requirements should be the start because it’s mandated. Think FedRAMP, HIPAA, etc.
Identify gaps that elevate risk against compliance, suggest cyber remediation with options that meet fiduciary goals and business strategy. Also tie in brand trust/customer trust - data protection is king in most industries and orgs.
Ultimately, the right amount of security is just enough security. If the company needs to invest $500k/yr to protect something but the fine for not doing so would only be 50k/mo indefinitely with no loss to revenue, it’ll never happen.
Mentor
Good point, they definitely weigh the cost of doing nothing. I often have to point out the risk of doing nothing, brand/reputation damage, loss of revenue, derailing partnerships/lost opportunities.
I heard one of the executives at Experian used the Equifax breach as an example of why security was more critical than they were treating it! I wasn’t in the meeting, so it could be a complete fabrication, but he said they could be next, and if it happened the next meeting would be them all being terminated.
Best way is to build a financial model and show them a cost-benefit analysis. Then, when something happens, say "See, I told you." Basically you have to ream them and hurt their pride for them to do something.
Just do a pen test and show them what you could have done to their systems. Then bring up the fact that hackers have near-unlimited resources.
I find that usually means money comes through.
Mentor
I usually come from the risk perspective. My recent example: I discovered 5,500 unmanaged APIs using various security postures. These APIs handle customer data such as birth date, social security number, bank account, routing number, and address. They are exposed externally with outdated authentication (basic auth) or misconfigured OAuth 2.0 (single-page apps storing secrets in the frontend), which can be easily stolen and used to leak customer data. Without looking too hard we see developers are exposing their Kubernetes control plane to the outside world by accident due to misconfiguration, which allows external parties to own the cluster containing all the customer data. Also, no one in the company has any idea what APIs exist in the company, so you have duplicated work and no ability to discover data. We also have an independent audit confirming what we’re explaining.

Then, once they are nice and scared, I propose a centralized approach to exposing APIs, a defense-in-depth strategy, and how to discover data in a dev portal. Overwhelming evidence is usually required, but I usually get funded. This one was barely funded for 2024, low priority. After my presentation and discovery it’s the highest priority, must be completed before 2025.
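The weak-auth patterns in the comment above (basic auth on externally exposed APIs, OAuth 2.0 single-page apps shipping a client secret in the browser bundle, endpoints handling sensitive personal data) can be turned into a repeatable triage over an API inventory, which is the kind of ranked evidence the reply says it takes to get funding. The script below is an added example, not the commenter's tooling: the inventory records, API names, field names, the JavaScript bundle snippet and the scoring weights are all constructed for illustration and would be replaced by an export from whatever gateway or discovery tool an organization actually uses.

```python
"""Rank API inventory entries by weak-auth findings and data sensitivity.

Added example (not from the original thread). The inventory, names and
scoring weights below are constructed assumptions, not real data.
"""
import re
from dataclasses import dataclass

# Field names assumed to map to the data classes the comment lists
# (DOB, SSN, bank account, routing number, address).
SENSITIVE_FIELDS = {"dob", "ssn", "bank_account", "routing_number", "address"}

# An OAuth 2.0 public client (SPA) has no way to keep a client_secret
# confidential; anything matching this in a served JS bundle is a leak.
# The 16+ char token class is a heuristic, not a vendor secret format.
CLIENT_SECRET_RE = re.compile(
    r"""client_secret\s*[:=]\s*["']([A-Za-z0-9_\-]{16,})["']"""
)


@dataclass
class ApiRecord:
    name: str
    external: bool          # reachable from the public internet
    auth: str               # one of: "basic", "oauth2", "mtls", "none"
    fields: set             # data fields the API returns or accepts
    frontend_bundle: str = ""  # JS served to browsers, if the caller is an SPA


def embedded_secret(js: str) -> bool:
    """True if a client_secret literal is present in front-end JavaScript."""
    return CLIENT_SECRET_RE.search(js) is not None


def findings(api: ApiRecord) -> list[str]:
    """Return the weak-auth conditions that apply to one inventory entry."""
    out = []
    if api.external and api.auth == "basic":
        out.append("basic auth on an externally exposed API")
    if api.external and api.auth == "none":
        out.append("no authentication on an externally exposed API")
    if api.auth == "oauth2" and embedded_secret(api.frontend_bundle):
        out.append(
            "OAuth2 client_secret shipped in front-end bundle "
            "(SPA should be a public client using PKCE, with no secret)"
        )
    return out


def risk_score(api: ApiRecord) -> int:
    """Assumed weighting: findings x (1 + sensitive fields) x 2 if external.

    Zero findings yields zero, so a correctly configured API handling SSNs
    does not outrank a broken one handling nothing.
    """
    sensitive = len(api.fields & SENSITIVE_FIELDS)
    exposure = 2 if api.external else 1
    return len(findings(api)) * (1 + sensitive) * exposure


def triage(inventory: list[ApiRecord]) -> list[tuple[str, int, list[str]]]:
    """Return (name, score, findings) for every API with at least one finding,
    highest score first."""
    ranked = sorted(inventory, key=risk_score, reverse=True)
    return [(a.name, risk_score(a), findings(a)) for a in ranked if findings(a)]


# Constructed sample inventory; all names and values are illustrative.
SAMPLE_INVENTORY = [
    ApiRecord("payments-v1", external=True, auth="basic",
              fields={"bank_account", "routing_number", "address"}),
    ApiRecord("profile-spa", external=True, auth="oauth2",
              fields={"dob", "ssn"},
              frontend_bundle='const cfg = {client_id: "web", '
                              'client_secret: "A1b2C3d4E5f6G7h8I9j0", '
                              'redirect_uri: "https://app.example/cb"};'),
    ApiRecord("internal-reports", external=False, auth="basic",
              fields={"address"}),
    ApiRecord("health-check", external=True, auth="none", fields=set()),
]


if __name__ == "__main__":
    for name, score, why in triage(SAMPLE_INVENTORY):
        print(f"{score:3d}  {name:18s} {'; '.join(why)}")
```

Run stand-alone it prints the three flagged APIs in order (payments-v1, profile-spa, health-check); internal-reports is not listed because basic auth on an internal-only API is not one of the conditions the comment calls out. The weights are deliberately simple so they can be explained in a board slide; the point is the ordering and the per-API reason, not the absolute number.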
Quantify the risk of no increased security spending, and make sure it will cost more to not increase security spending than the requested security spending difference.
The higher-ups only understand P&L.
Put it in the language they understand if possible, e.g. in healthcare talk about clinical risk and impact on patients.
It’s always been a zero-sum game IMO, as paying to try to prevent something that may not happen is seen as a negative investment. It’s cliché, but linking investment to risk, compliance and audit has always been the driving force.