Towards Automated Modelling of Large-scale Cybersecurity Transformations: Potential Model and Methodology

摘要

The purpose of this paper is to propose a proprietary methodology and model to generate a "cybersecurity transformation workplan" for large organizations that can improve their cybersecurity posture. The key input is based on risk-based assessment or maturity-based questionnaires depending on existing governance processes and available information. The original scoring can be then used to prioritize a portfolio of all possible initiatives by selecting the ones that are missing from typical foundation elements or would have high potential impact in relation to required investment and effort. Additional constraints such as budget limitation and FTE availability, logical sequencing and time requirements could be added to ensure effective use of company resources and actionability of the recommendations. The Gantt-like output would ease the burden on the security teams by providing an individualized set of activities to be implemented to improve risk posture.