A Decision Model for Cybersecurity Controls

Cybersecurity is an organizational issue that should be looked at through the lens of various stakeholders. However, it is often treated as a siloed issue in which more is always seen as better. The CISOs, CIOs, and the key decision-makers struggle to understand how much security is enough. All cybersecurity solutions, often referred to as controls, result in a residual risk since there is no such thing as perfect security. The level of risk should ultimately be the choice predicated on the business goals of the organization. Cybersecurity controls are often presented in a context that lacks sufficient business context, which is required to optimize the risks and balance them with the needs to run other business operations. For uninterrupted business operations, there is a need to bridge the gap between technology and business decision-making.