How do you evaluate overall Product Security risk in a software company?  Do you use $$$, percentages, Risk levels (L,M,H).  Do you reciprocate risk with the estimated effort required to reduce it?  If yes, do you use $$$, effort days, or similar?

CloudApplications & PlatformsDisruptive & Emerging Technologies+5 more
3.5k views2 Comments
Sort By:
Oldest
CIO in Services (non-Government)a year ago
We always lead with risk levels and potential regulatory issues that could arise due to product security issues, followed by $$$$ exposure.

We are HIPAA and GDPR heavy, in terms of regulatory compliance, and we have PCI-DSS and other customer/patient data that could potentially be exposed unless we ratchet up our security posture and we most definitely focus on code hygiene and security by way of end-to-end encryption.
lock icon

Please join or sign in to view more content.

By joining the Peer Community, you'll get:

  • Peer Discussions and Polls
  • One-Minute Insights
  • Connect with like-minded individuals
Chief Information Security Officer in Healthcare and Biotecha year ago
Quantification of impact is super important. If the product ( s/w) is down then the business loss and reputation is the primary; if legal implication is there - count that too. 
1

Content you might like

Looking for others insight into how they are measuring capacity for their Robotics Process Automation Programs. We have almost 100 bots in production and a defined amount of developers. We are continuing to deploy new bots/new use cases as well as sustaining all existing bots in production. What have others done to define a "trip wire" for identifying when you hit max capacity?

Disruptive & Emerging Technologies
18 views

What is your primary deciding factor in adopting enterprise search?

Strategy & ArchitectureCloudEnd-User Services & Collaboration+26 more

TCO19%

Pricing26%

Integrations21%

Alignment with Cloud Provider7%

Security10%

Alignment with Existing IT Skills4%

Product / Feature Set7%

Vendor Relationship / Reputation

Other (comment)

View Results
5.7k views3 Upvotes1 Comment

We are a large manufacturing company with over 17,000 associates, about half of whom have company-provided cell phones. We average two lost devices per week, which seems low, but executive management is concerned and wants to know if our numbers are typical compared to other companies. My questions are: 1. Do other companies also struggle with lost or stolen devices? 2. What is the average number of lost devices per week? 3. Are there repercussions for associates who lose devices due to carelessness or negligence?

Mobile Device Management (MDM)Mobile DevicesSecurity+2 more
VP of IT in Retail3 days ago
My previous organization implemented a strict one-strike policy for lost or damaged devices. While the first incident was considered an accident, repeat offenders were required to reimburse the company for the lost or damaged ...read more
82 views1 Comment

Has your org taken any steps to build a culture of ethical AI? Do you have dedicated resources or teams responsible for AI ethics?

Relationship ManagementDisruptive & Emerging TechnologiesAI & Machine Learning
Director of ITa month ago
We are early in our journey with regards to AI ethics. In a recent AI event at our company, I presented a model that was developed to drive the conversation. Because we all love acronyms, I used DEBTS to help make it stick. ...read more
1 Reply
Read More Comments
2.2k views1 Upvote6 Comments

In the past 6 months, have you seen an uptick in targeted cyberattacks on telehealth devices and networks?

Security & GRCNetworkThreat & Vulnerability Management+2 more

No Increase16%

1-5% increase47%

6-25% increase24%

26-50% increase6%

51-75% increase1%

76%+1%

Other2%

View Results
1.7k views1 Upvote