Question 1: Your CEO has decided that operating costs need trimming in IT. They are very keen on leveraging shared resource, or cloud computing architectures. As CISO, how would you explain the risks of shared resource computing to the CEO? How would you address the need for confidentiality, integrity and availability? In 500 words or less, draft a position to the CEO discussing these areas and support your position with pertinent citations from publically available sources. Assume that this is a global company with operations in many different geographic areas and different sovereign nations.
Question 2: Policies exist in almost every organization, and many have robust Enterprise Risk Management programs. Yet, many of these firms have been breached and some are targeted with success repeatedly. If ERM programs are critical to managing risk, are they actually effective if firms compromised even though they have them? Why or why not? You may use examples of recent breaches to substantiate your position.
Question 3: First, define what you feel constituents a useable risk management metric. Second, as CISO which metrics would you be most concerned with in your organization and why?