Security Management 1. The appropriate budget allocation will vary by organization based on what? 

The appropriate budget allocation will vary based on the specific profiles of the organization, its needs and the extent to which resources are actually available. In an economic downturn, supply chains can become tight. With tariffs going up or a trade war worsening, obtaining cheap resources becomes more difficult. This has to be taken into consideration when determining a budget--i.e., that organization must look at the macro as well as the micro. The micro in this case would be to determine the individual profile and needs of the organization and how best to obtain a balance between being fiscally conservative and being technologically secure.

2. The information security function should be able to provide a reconciliation of what?

The information security function should be able to provide a reconciliation of prior purchases and their overall effectiveness. The purpose of this is to ensure that disrupted or halted implementation processes are not still drawing money from accounts—i.e., no new purchases are being wasted on processes that are no longer even being implemented. The reconciliation of prior purchases with overall effectiveness also helps in the due diligence process...

Organizations should complete a robust vulnerability assessment and remediation process before attempting what?
Organizations should complete a robust vulnerability assessment and remediation process before attempting a more expensive penetration test. A robust vulnerability assessment and remediation process can help to adequately test the organization’s cybersecurity system and detect any weaknesses in the system. Though the more expensive penetration test will reveal the full extent to which the system is secure, the less expensive vulnerability assessment and remediation process can still allow the organization to identify potential areas that might be exploited by hackers. These could then be fixed and the system upgraded before a full-on penetration test is conducted. The system, in other words, should be in as good a shape as it possibly can be in before the ultimate test is conducted. It is like making sure a team is properly conditioned and has its discernible kinks worked out in practice before the final tournament is played and the true talent of the team is put to the test.

4. Clearly understanding business objectives and selecting street-smart cybersecurity strategies to facilitate those objectives…