In the paper, I argue that we need to associate the value of information security with the value of the information assets we protect. How is this value determined, you may ask? Well, ask away, because in the paper I outline a method to determine that value. It’s simple. We live in an information economy, and even though we may be a bank, a manufacturer, or a retailer, at the end of the day we wouldn’t be in business without information. In many ways, information is what we sell.
Think about it: if we associated information security with asset value, defined by the revenue these assets produce, we would understand how to prioritize security effort, and we would have a lot more productive conversations at budget time.
Join in the debate, and tell me why this approach couldn’t work in your firm. I want to hear from you.