I was about to jump on the commentary wagon for the Verizon breach report. However, faster, better, real writers beat me to it, e.g. one of my favorites, Krebs. Reading the report and the commentary, which year over year call out low-hanging fruit, really solidifies a trend I've heard over the past year as a vendor:
"Jared, we need to define what we do, measure it, and prioritize the improvement areas for the business leaders." Honestly, I'm not making this up: the statement defines our app set. The app set is intentionally aligned to the statement!
So please, whether you use our Service Catalog, Metrics Manager, and Risk Communicator apps or not, add the Verizon evidence to your own and make the business leader (or IT leader, in many cases) understand and explicitly accept the level of risk they're currently under. I've done this for years with spreadsheets, so tools shouldn't be a barrier. Apps like ours make the process efficient, so time shouldn't be a barrier. (However, if time still is a barrier, check out our beta for Capacity Management.) I don't think security expertise is a barrier, because almost every security manager I meet is capable and working their tail off. The remaining barrier, in my experience, is executive leadership. If your boss/exec isn't ready to have the conversation, I'm with you on taking it easy...
My generic advice is to bring the exec along slowly as your evidence emerges (audits, assessments, incidents, A-players leaving). They'll let you know when they're ready, and you can strike while the iron's hot. If you don't have the support, I hate to say it, but find another job. Before that point, I always preferred to find an empathetic ear: someone in another company you trust and can relate to.
Wow. This post took a somber turn! Back to the goodness. The Verizon report continues to be a wonderful tool. Add it to your collective; resisting the benefits of a mature, proactive security program is futile.
Have a great weekend.