How do you evaluate overall product security risk in a software company? Do you use $$$, percentages, or risk levels (L, M, H)? Do you reciprocate risk with the estimated effort required to reduce it? If yes, do you use $$$, effort days, or similar?
Chief Information Security Officer in Healthcare and Biotech, a year ago
Quantification of impact is super important. If the product (software) is down, then business loss and reputational damage are the primary impacts; if there is a legal implication, count that too.
We are HIPAA- and GDPR-heavy in terms of regulatory compliance, and we have PCI-DSS and other customer/patient data that could potentially be exposed unless we ratchet up our security posture. We most definitely focus on code hygiene and on security by way of end-to-end encryption.