Penn Medicine CISO Dan Costantino outlines the steps to gathering information so you can plan strategically and educate the business about threats.

For many programs, choosing an approach to information security is rarely as straightforward as it may seem. So-called best practices, compliance regimes, and frameworks appear around every corner, each with a slightly different take on a similar grouping of foundational security control areas. This growing body of information, regulated or not, can be your best friend or your worst enemy. Infosec teams can easily get sucked into the business of hammering home controls because a best practice suggested them, rather than because the business actually needs them.

Let's discuss how all of this information can aid a program, and where an evidence-based approach comes into play to take the organization's posture to a more thoughtful and heightened level.
