CISO Advisor Risk-based security frameworks for growth-stage companies. Quantify risk in dollars, sequence compliance for maximum business value, build defense-in-depth architecture, and turn security from a cost center into a sales enabler and competitive advantage. Keywords CISO, security strategy, risk quantification, ALE, SLE, ARO, security posture, compliance roadmap, SOC 2, ISO 27001, HIPAA, GDPR, zero trust, defense in depth, incident response, board security reporting, vendor assessment, security budget, cyber risk, program maturity, penetration testing, vulnerability management, data…

Tail of the risk-register script (the record is cut off before the file name and the start of `format_text`); the JSON string escaping has been unwrapped and the Python re-indented:

```python
:>8} {'ROI':>5} {'Priority':<9}",
        "-" * 75,
    ]

    sorted_risks = sorted(results["risk_details"], key=lambda x: x["ale"], reverse=True)
    for r in sorted_risks:
        lines.append(
            f"{r['id']:<7} {r['threat']:<30} ${r['sle']:>9,.0f} {r['aro']:>4.0%} "
            f"${r['ale']:>9,.0f} ${r['mitigation_cost']:>7,.0f} {r['roi']:>4.1f}x "
            f"{r['priority'].upper():<9}"
        )

    lines.extend(["", "TOP INVESTMENTS BY ROI:"])
    for r in results["roi_ranked"][:5]:
        lines.append(
            f" {r['roi']:.1f}x ROI: {r['threat']} - ${r['mitigation_cost']:,.0f} investment "
            f"reduces ALE by ${r['ale_reduction']:,.0f}"
        )

    bs = results["budget_summary"]
    lines.extend([
        "",
        "BUDGET SUMMARY:",
        f" Total Exposure: ${bs['total_risk_exposure']:>12,.0f}",
        f" Investment Ask: ${bs['recommended_investment']:>12,.0f}",
        f" Risk Reduction: ${bs['expected_risk_reduction']:>12,.0f} ({bs['coverage_pct']}% coverage)",
        f" Residual Risk: ${bs['residual_exposure']:>12,.0f}",
        f" Portfolio ROI: {bs['portfolio_roi']:.1f}x",
    ])

    br = results["board_report"]
    lines.extend([
        "",
        "BOARD SUMMARY:",
        f" {br['headline']}",
        f" Critical: {br['critical_risks']} | High: {br['high_risks']}",
        f" Top Risk: {br['top_risk']}",
        f" Ask: {br['investment_ask']}",
        "",
        "=" * 75,
    ])

    return "\n".join(lines)


def main():
    parser = argparse.ArgumentParser(description="Manage and analyze cyber risk register")
    parser.add_argument("--input", "-i", help="JSON file with risk register data")
    parser.add_argument("--json", action="store_true", help="Output as JSON")
    parser.add_argument("--sort-by", choices=["ale", "roi", "priority"], default="ale", help="Sort risks by (default: ale)")
    args = parser.parse_args()

    if args.input:
        with open(args.input) as f:
            data = json.load(f)
        risks = data if isinstance(data, list) else data.get("risks", DEFAULT_RISKS)
    else:
        risks = DEFAULT_RISKS

    results = analyze_register(risks)

    if args.sort_by == "roi":
        results["risk_details"] = results["roi_ranked"]
    elif args.sort_by == "priority":
        results["risk_details"] = sorted(results["risk_details"], key=lambda x: {"critical": 0, "high": 1, "medium": 2, "low": 3}[x["priority"]])

    if args.json:
        print(json.dumps(results, indent=2))
    else:
        print(format_text(results))


if __name__ == "__main__":
    main()
```

content_type: text/x-python; charset=utf-8 | language: python | size: 9137 | content_sha256: 93e22d95387ceff741ebe5c3592287a68d3ee0ebfd57b66c228498b783030394

File: scripts/security_posture_scorer.py

```python
#!/usr/bin/env python3
"""
Security Posture Scorer - Assess organizational security maturity.

Scores security posture across NIST CSF 2.0 functions (Govern, Identify, Protect,
Detect, Respond, Recover) and CISA Zero Trust pillars. Produces board-ready
security health report with prioritized remediation roadmap.
"""

import argparse
import json
import sys
from datetime import datetime


NIST_CSF_FUNCTIONS = {
    "govern": {
        "weight": 0.15,
        "controls": [
            {"id": "GV-1", "name": "Security policy documented", "description": "Formal security policy exists, approved by leadership"},
            {"id": "GV-2", "name": "Risk management strategy", "description": "Risk appetite defined and communicated"},
            {"id": "GV-3", "name": "Roles and responsibilities", "description": "Security roles clearly defined with accountability"},
            {"id": "GV-4", "name": "Supply chain risk policy", "description": "Vendor security requirements documented"},
            {"id": "GV-5", "name": "Security reporting to leadership", "description": "Regular board/exec security reporting cadence"},
        ]
    },
    "identify": {
        "weight": 0.15,
        "controls": [
            {"id": "ID-1", "name": "Asset inventory", "description": "Complete inventory of hardware, software, data assets"},
            {"id": "ID-2", "name": "Data classification", "description": "Data classified by sensitivity (public, internal, confidential, restricted)"},
            {"id": "ID-3", "name": "Risk assessment", "description": "Annual risk assessment with quantified ALE"},
            {"id": "ID-4", "name": "Vulnerability management", "description": "Regular vulnerability scanning with SLA-based patching"},
            {"id": "ID-5", "name": "Threat modeling", "description": "Threat models for critical systems"},
        ]
    },
    "protect": {
        "weight": 0.25,
        "controls": [
            {"id": "PR-1", "name": "MFA enforcement", "description": "MFA required for all users on all systems"},
            {"id": "PR-2", "name": "Endpoint protection (EDR)", "description": "EDR deployed on all endpoints"},
            {"id": "PR-3", "name": "Encryption at rest", "description": "All sensitive data encrypted at rest (AES-256)"},
            {"id": "PR-4", "name": "Encryption in transit", "description": "TLS 1.2+ for all data in transit"},
            {"id": "PR-5", "name": "Access control (RBAC)", "description": "Role-based access with least privilege"},
            {"id": "PR-6", "name": "Security awareness training", "description": "Annual training with phishing simulations"},
            {"id": "PR-7", "name": "Backup and recovery", "description": "Regular backups tested for restoration"},
            {"id": "PR-8", "name": "Network segmentation", "description": "Production isolated from corporate network"},
        ]
    },
    "detect": {
        "weight": 0.20,
        "controls": [
            {"id": "DE-1", "name": "Centralized logging", "description": "All critical systems send logs to SIEM"},
            {"id": "DE-2", "name": "Alerting rules", "description": "Detection rules for common attack patterns"},
            {"id": "DE-3", "name": "Anomaly detection", "description": "Behavioral analytics for user/network anomalies"},
            {"id": "DE-4", "name": "Penetration testing", "description": "Annual pen test by qualified third party"},
            {"id": "DE-5", "name": "Monitoring 24/7", "description": "Security monitoring with defined on-call rotation"},
        ]
    },
    "respond": {
        "weight": 0.15,
        "controls": [
            {"id": "RS-1", "name": "Incident response plan", "description": "Documented IR plan with severity classification"},
            {"id": "RS-2", "name": "IR team defined", "description": "Named incident response team with contact info"},
            {"id": "RS-3", "name": "Tabletop exercises", "description": "Annual IR tabletop exercise conducted"},
            {"id": "RS-4", "name": "Communication plan", "description": "Stakeholder notification procedures defined"},
            {"id": "RS-5", "name": "Forensic capability", "description": "Ability to preserve evidence and investigate"},
        ]
    },
    "recover": {
        "weight": 0.10,
        "controls": [
            {"id": "RC-1", "name": "Recovery plan", "description": "Documented recovery procedures for critical systems"},
            {"id": "RC-2", "name": "RTO/RPO defined", "description": "Recovery objectives set and communicated"},
            {"id": "RC-3", "name": "DR testing", "description": "Disaster recovery tested within last 12 months"},
            {"id": "RC-4", "name": "Lessons learned", "description": "Post-incident reviews conducted and tracked"},
        ]
    },
}

ZERO_TRUST_PILLARS = {
    "identity": {"controls": ["MFA enforcement", "SSO", "Privileged access management", "Identity governance"], "weight": 0.25},
    "devices": {"controls": ["EDR", "Device compliance", "Patch management", "Mobile device management"], "weight": 0.20},
    "networks": {"controls": ["Micro-segmentation", "ZTNA/SDP", "DNS filtering", "DDoS protection"], "weight": 0.15},
    "applications": {"controls": ["SAST/DAST", "WAF", "API security", "Container security"], "weight": 0.20},
    "data": {"controls": ["Classification", "DLP", "Encryption", "Rights management"], "weight": 0.20},
}

MATURITY_LEVELS = {
    0: {"label": "Ad Hoc", "description": "No formal processes"},
    1: {"label": "Initial", "description": "Some processes defined but inconsistent"},
    2: {"label": "Developing", "description": "Processes defined and partially implemented"},
    3: {"label": "Managed", "description": "Processes implemented and measured"},
    4: {"label": "Optimized", "description": "Continuous improvement, fully automated where possible"},
}


def score_posture(data: dict) -> dict:
    """Score security posture across all frameworks."""
    control_scores = data.get("controls", {})
    zt_scores = data.get("zero_trust", {})

    results = {
        "timestamp": datetime.now().isoformat(),
        "company": data.get("company", "Company"),
        "overall_score": 0,
        "overall_maturity": 0,
        "maturity_label": "",
        "nist_csf_scores": {},
        "zero_trust_scores": {},
        "critical_gaps": [],
        "quick_wins": [],
        "remediation_roadmap": [],
        "board_summary": {},
    }

    # Score NIST CSF functions
    total_weighted = 0
    for func_name, func_config in NIST_CSF_FUNCTIONS.items():
        func_total = 0
        func_count = 0
        gaps = []
        for ctrl in func_config["controls"]:
            score = control_scores.get(ctrl["id"], 0)  # 0-4 maturity
            func_total += score
            func_count += 1
            if score < 2:
                gaps.append({"control": ctrl["id"], "name": ctrl["name"], "current": score, "description": ctrl["description"]})

        avg_maturity = func_total / func_count if func_count > 0 else 0
        pct_score = avg_maturity / 4 * 100
        weighted = pct_score * func_config["weight"]
        total_weighted += weighted

        results["nist_csf_scores"][func_name] = {
            "maturity": round(avg_maturity, 1),
            "score_pct": round(pct_score, 1),
            "weight": func_config["weight"],
            "weighted_score": round(weighted, 1),
            "controls_assessed": func_count,
            "gaps": gaps,
        }

        # Critical gaps (Protect and Detect are highest priority)
        for gap in gaps:
            severity = "critical" if func_name in ["protect", "detect"] and gap["current"] == 0 else "high" if gap["current"] == 0 else "medium"
            results["critical_gaps"].append({
                "function": func_name,
                "control": gap["control"],
                "name": gap["name"],
                "current_maturity": gap["current"],
                "severity": severity,
            })

    results["overall_score"] = round(total_weighted, 1)
    overall_maturity = total_weighted / 25  # Convert to 0-4 scale
    results["overall_maturity"] = round(overall_maturity, 1)
    results["maturity_label"] = MATURITY_LEVELS.get(round(overall_maturity), {}).get("label", "Unknown")

    # Zero Trust scoring
    zt_total = 0
    for pillar, config in ZERO_TRUST_PILLARS.items():
        pillar_scores = zt_scores.get(pillar, {})
        implemented = sum(1 for c in config["controls"] if pillar_scores.get(c, False))
        total = len(config["controls"])
        pct = (implemented / total * 100) if total > 0 else 0
        stage = "Optimal" if pct >= 90 else "Advanced" if pct >= 65 else "Initial" if pct >= 30 else "Traditional"
        zt_total += pct * config["weight"]
        results["zero_trust_scores"][pillar] = {
            "implemented": implemented,
            "total": total,
            "pct": round(pct, 1),
            "stage": stage,
        }
    results["zero_trust_overall_pct"] = round(zt_total, 1)

    # Quick wins (low effort, high impact)
    for gap in results["critical_gaps"]:
        if gap["current_maturity"] == 0 and gap["name"] in ["MFA enforcement", "Backup and recovery", "Security awareness training", "Incident response plan"]:
            results["quick_wins"].append({
                "control": gap["name"],
                "effort": "Low-Medium",
                "impact": "High",
                "timeline": "2-4 weeks",
            })

    # Remediation roadmap
    sorted_gaps = sorted(results["critical_gaps"], key=lambda x: {"critical": 0, "high": 1, "medium": 2}.get(x["severity"], 3))
    phase = 1
    for i, gap in enumerate(sorted_gaps[:12]):
        if i < 4:
            phase = 1
            timeline = "Month 1-2"
        elif i < 8:
            phase = 2
            timeline = "Month 3-4"
        else:
            phase = 3
            timeline = "Month 5-6"
        results["remediation_roadmap"].append({
            "phase": phase,
            "timeline": timeline,
            "control": gap["name"],
            "function": gap["function"],
            "severity": gap["severity"],
            "target_maturity": 3,
        })

    # Board summary
    critical_count = sum(1 for g in results["critical_gaps"] if g["severity"] == "critical")
    results["board_summary"] = {
        "posture_score": f"{results['overall_score']:.0f}/100",
        "maturity_level": f"{results['maturity_label']} ({results['overall_maturity']:.1f}/4.0)",
        "critical_gaps": critical_count,
        "zero_trust_progress": f"{results['zero_trust_overall_pct']:.0f}%",
        "top_risk": sorted_gaps[0]["name"] if sorted_gaps else "None identified",
        "recommendation": "Immediate action on critical gaps" if critical_count > 2 else "Continue maturity improvement" if results["overall_score"] < 70 else "Strong posture - maintain and optimize",
    }

    return results


def format_text(results: dict) -> str:
    """Format as human-readable report."""
    lines = [
        "=" * 68,
        "SECURITY POSTURE ASSESSMENT",
        "=" * 68,
        f"Company: {results['company']}",
        f"Date: {results['timestamp'][:10]}",
        f"Overall Score: {results['overall_score']:.0f}/100 | Maturity: {results['maturity_label']} ({results['overall_maturity']:.1f}/4.0)",
        "",
        "NIST CSF 2.0 FUNCTION SCORES:",
        f"{'Function':<12} {'Maturity':>9} {'Score':>7} {'Weighted':>9} {'Gaps':>5}",
        "-" * 50,
    ]

    for func, data in results["nist_csf_scores"].items():
        gap_count = len(data["gaps"])
        lines.append(
            f"{func.title():<12} {data['maturity']:>7.1f}/4 {data['score_pct']:>6.0f}% {data['weighted_score']:>8.1f} {gap_count:>5}"
        )

    lines.extend(["", "ZERO TRUST MATURITY:"])
    for pillar, data in results["zero_trust_scores"].items():
        bar_len = int(data["pct"] / 5)
        bar = "#" * bar_len + "." * (20 - bar_len)
        lines.append(f" {pillar.title():<15} [{bar}] {data['pct']:>5.0f}% ({data['stage']})")

    if results["critical_gaps"]:
        lines.extend(["", "CRITICAL GAPS (top 5):"])
        for gap in results["critical_gaps"][:5]:
            lines.append(f" [{gap['severity'].upper():<8}] {gap['function'].title()}/{gap['name']} (maturity: {gap['current_maturity']}/4)")

    if results["quick_wins"]:
        lines.extend(["", "QUICK WINS:"])
        for qw in results["quick_wins"]:
            lines.append(f" -> {qw['control']} ({qw['timeline']}, {qw['impact']} impact)")

    if results["remediation_roadmap"]:
        lines.extend(["", "REMEDIATION ROADMAP:"])
        current_phase = 0
        for item in results["remediation_roadmap"]:
            if item["phase"] != current_phase:
                current_phase = item["phase"]
                lines.append(f" Phase {current_phase} ({item['timeline']}):")
            lines.append(f" - {item['control']} [{item['severity']}]")

    bs = results["board_summary"]
    lines.extend([
        "",
        "BOARD SUMMARY:",
        f" Score: {bs['posture_score']} | Maturity: {bs['maturity_level']}",
        f" Critical Gaps: {bs['critical_gaps']} | Zero Trust: {bs['zero_trust_progress']}",
        f" Top Risk: {bs['top_risk']}",
        f" Recommendation: {bs['recommendation']}",
        "",
        "=" * 68,
    ])

    return "\n".join(lines)


def main():
    parser = argparse.ArgumentParser(description="Score organizational security posture")
    parser.add_argument("--input", "-i", help="JSON file with control assessments")
    parser.add_argument("--json", action="store_true", help="Output as JSON")
    args = parser.parse_args()

    if args.input:
        with open(args.input) as f:
            data = json.load(f)
    else:
        # Demo data - realistic Series B company
        data = {
            "company": "SaaSCo",
            "controls": {
                "GV-1": 3, "GV-2": 2, "GV-3": 2, "GV-4": 1, "GV-5": 2,
                "ID-1": 2, "ID-2": 1, "ID-3": 2, "ID-4": 3, "ID-5": 1,
                "PR-1": 4, "PR-2": 3, "PR-3": 3, "PR-4": 4, "PR-5": 2, "PR-6": 2, "PR-7": 3, "PR-8": 1,
                "DE-1": 2, "DE-2": 2, "DE-3": 1, "DE-4": 3, "DE-5": 1,
                "RS-1": 3, "RS-2": 3, "RS-3": 1, "RS-4": 2, "RS-5": 1,
                "RC-1": 2, "RC-2": 2, "RC-3": 1, "RC-4": 1,
            },
            "zero_trust": {
                "identity": {"MFA enforcement": True, "SSO": True, "Privileged access management": False, "Identity governance": False},
                "devices": {"EDR": True, "Device compliance": True, "Patch management": True, "Mobile device management": False},
                "networks": {"Micro-segmentation": False, "ZTNA/SDP": False, "DNS filtering": True, "DDoS protection": True},
                "applications": {"SAST/DAST": True, "WAF": True, "API security": False, "Container security": False},
                "data": {"Classification": False, "DLP": False, "Encryption": True, "Rights management": False},
            },
        }

    results = score_posture(data)
    if args.json:
        print(json.dumps(results, indent=2))
    else:
        print(format_text(results))


if __name__ == "__main__":
    main()
```

content_type: text/x-python; charset=utf-8 | language: python | size: 15224 | content_sha256: 35c4b6a5e9eacb53be940221604773405249a4fb199f022b77d5a2f1ddc9177c

Document content (content_json), rendered from the stored document tree:

# CISO Advisor

Risk-based security frameworks for growth-stage companies. Quantify risk in dollars, sequence compliance for maximum business value, build defense-in-depth architecture, and turn security from a cost center into a sales enabler and competitive advantage.

## Keywords

CISO, security strategy, risk quantification, ALE, SLE, ARO, security posture, compliance roadmap, SOC 2, ISO 27001, HIPAA, GDPR, zero trust, defense in depth, incident response, board security reporting, vendor assessment, security budget, cyber risk, program maturity, penetration testing, vulnerability management, data classification, threat modeling, security awareness, phishing, MFA, IAM

---

## Risk Quantification Framework

Every security investment must be justified in business terms. "We need better security" is not a business case. "$800K expected annual loss from this unmitigated risk" is.

### Core Formula

```
ALE = SLE x ARO

ALE = Annual Loss Expectancy (expected cost per year)
SLE = Single Loss Expectancy (cost if the event occurs once)
ARO = Annual Rate of Occurrence (probability of occurrence per year)
```

### Risk Register Template

| Risk ID | Threat | Asset | SLE | ARO | ALE | Mitigation Cost | ROI | Priority |
|---|---|---|---|---|---|---|---|---|
| R-001 | Data breach (customer PII) | Customer database | $2.5M | 0.15 | $375K | $120K/yr | 3.1x | Critical |
| R-002 | Ransomware | Production systems | $1.8M | 0.10 | $180K | $80K/yr | 2.3x | High |
| R-003 | Insider threat | Source code | $500K | 0.05 | $25K | $40K/yr | 0.6x | Medium |
| R-004 | DDoS | Customer-facing app | $200K | 0.20 | $40K | $30K/yr | 1.3x | Medium |
| R-005 | Third-party breach | Vendor with PII access | $1.2M | 0.08 | $96K | $25K/yr | 3.8x | High |

### Risk Prioritization Decision Tree

```
START: New risk identified
  |
  v
[Calculate ALE]
  |
  +-- ALE > $200K/yr  --> CRITICAL: Board-level reporting, immediate mitigation
  |
  +-- ALE $50K-$200K  --> HIGH: Quarterly review, funded mitigation plan
  |
  +-- ALE $10K-$50K   --> MEDIUM: Annual review, budget if ROI > 1.5x
  |
  +-- ALE < $10K      --> LOW: Accept risk, document decision, monitor
```

### SLE Component Breakdown

| Cost Component | Description | Typical Range |
|---|---|---|
| Direct costs | Forensics, remediation, legal | $100K-$500K |
| Regulatory fines | GDPR: up to 4% revenue; HIPAA: $100-$50K per record | Varies widely |
| Notification costs | $5-$50 per affected individual | Scale with records |
| Business interruption | Lost revenue during downtime | Hours x hourly revenue |
| Reputation damage | Customer churn, brand impact | 2-5% annual revenue |
| Legal liability | Lawsuits, settlements | $50K-$5M+ |

---

## Compliance Roadmap

### Sequencing for Maximum Business Value

```
Phase 1: Foundation (Months 1-3)
  Basic hygiene: MFA, endpoint protection, access controls, backups
  Cost: $20-50K   Impact: Blocks 80% of common attacks

Phase 2: SOC 2 Type I (Months 3-6)
  Policies, procedures, controls documentation
  Cost: $50-100K  Impact: Unlocks mid-market enterprise sales

Phase 3: SOC 2 Type II (Months 6-12)
  Sustained controls operation + audit
  Cost: $80-150K  Impact: Required by most enterprise buyers

Phase 4: Specialized (Months 12-18)
  ISO 27001, HIPAA, or GDPR based on market requirements
  Cost: $100-250K Impact: Market-specific requirement fulfillment
```

### Compliance Framework Comparison

| Framework | Timeline | Cost | Best For | Customer Requirement |
|---|---|---|---|---|
| SOC 2 Type I | 3-6 months | $50-100K | B2B SaaS selling to US companies | Most common ask |
| SOC 2 Type II | 6-12 months | $80-150K | Sustained enterprise sales | Required for large deals |
| ISO 27001 | 9-15
months","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"$100-200K","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"European market, global companies","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"EU enterprise standard","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"HIPAA","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"6-12 months","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"$80-200K","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Healthcare data handling","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Healthcare vertical","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"GDPR","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"3-6 
months","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"$30-80K","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Any company with EU users","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Legal requirement","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"PCI DSS","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"6-12 months","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"$100-300K","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Payment card processing","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Payment requirement","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"FedRAMP","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"12-24 
months","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"$500K-2M","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"US federal government sales","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Government requirement","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Framework Overlap Matrix","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Control Area","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"SOC 2","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"ISO 27001","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"HIPAA","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"GDPR","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Access 
control","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Encryption","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Incident 
response","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Risk assessment","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Vendor 
management","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Data classification","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Partial","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Physical 
security","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Partial","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Business continuity","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Partial","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Partial","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Privacy by 
design","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"No","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Partial","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Partial","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"text":"Key insight","type":"text","marks":[{"type":"strong"}]},{"text":": SOC 2 + ISO 27001 share approximately 70% of controls. Do SOC 2 first, then extend to ISO 27001 with ~30% incremental effort.","type":"text"}]},{"type":"hr","attrs":{"markup":"---"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Security Architecture Strategy","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Zero Trust Maturity Model","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Level","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Key 
Controls","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Timeline","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"0: Ad-hoc","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"No formal security architecture","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"--","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Current state for most startups","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"1: Identity","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"MFA everywhere, SSO, role-based access","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"IAM + MFA + SSO","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Months 1-3","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"2: Network","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Network segmentation, 
VPN/ZTNA","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Micro-segmentation, ZTNA","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Months 3-6","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"3: Data","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Data classification, encryption at rest/transit, DLP","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Encryption + classification","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Months 6-12","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"4: Monitoring","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"SIEM, logging, anomaly detection","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Centralized logging + alerting","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Months 9-15","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"5: 
Automated","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Automated response, continuous verification","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"SOAR + automated remediation","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Months 12-24","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Security Architecture Decision Tree","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":""},"content":[{"text":"START: New system or feature being designed\n |\n v\n[Does it handle sensitive data?]\n |\n +-- YES --> [What classification level?]\n | |\n | +-- PII/PHI --> Full security review + threat model\n | +-- Business-critical --> Standard security review\n | +-- Internal --> Lightweight checklist\n |\n +-- NO --> [Is it internet-facing?]\n |\n +-- YES --> Standard security review + pen test\n +-- NO --> Security checklist only","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Defense-in-Depth Layers","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Layer","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Controls","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Investment 
Priority","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Identity","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"MFA, SSO, RBAC, privileged access management","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"1st (highest ROI)","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Endpoint","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"EDR, device management, patching","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"2nd","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Network","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Segmentation, ZTNA, firewall, IDS/IPS","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"3rd","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Application","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"SAST, DAST, dependency scanning, 
WAF","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"4th","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Data","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Encryption, DLP, classification, backup","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"5th","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Monitoring","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"SIEM, logging, alerting, threat detection","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"6th","type":"text"}]}]}]}]},{"type":"hr","attrs":{"markup":"---"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Incident Response Protocol","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Severity 
Classification","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Severity","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Definition","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Response Time","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Notification","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"P0: Critical","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Active breach, data exfiltration, ransomware","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Immediate (\u003c 15 min)","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"CEO + Legal + Board","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"P1: High","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Vulnerability being exploited, service down","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\u003c 1 
hour","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"CTO + CEO","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"P2: Medium","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Vulnerability discovered, suspicious activity","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\u003c 4 hours","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"CTO + Security team","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"P3: Low","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Policy violation, minor misconfiguration","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\u003c 24 hours","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Security team only","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Incident Response Workflow","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":""},"content":[{"text":"DETECT --> CONTAIN --> ERADICATE --> RECOVER --> LEARN\n\nPhase 1: DETECT (Minutes)\n - Identify the scope and nature of the incident\n - Classify severity (P0-P3)\n - Activate response team based on 
severity\n\nPhase 2: CONTAIN (Hours)\n - Isolate affected systems\n - Preserve evidence (forensic images)\n - Prevent lateral movement\n - Communicate to stakeholders per severity matrix\n\nPhase 3: ERADICATE (Hours-Days)\n - Remove threat actor/malware\n - Patch vulnerability that enabled the incident\n - Verify eradication is complete\n\nPhase 4: RECOVER (Days)\n - Restore from clean backups\n - Verify system integrity\n - Monitor for re-compromise\n - Return to normal operations\n\nPhase 5: LEARN (Days-Weeks)\n - Root cause analysis (blameless)\n - Timeline reconstruction\n - Control gap identification\n - Remediation plan with owners and deadlines","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Regulatory Notification Timelines","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Regulation","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Notification Deadline","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"To Whom","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"GDPR","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"72 hours","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Supervisory authority + affected 
individuals","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"HIPAA","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"60 days","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"HHS + affected individuals (+ media if > 500)","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"State breach laws (US)","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"30-90 days (varies)","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"State AG + affected individuals","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"SEC (public companies)","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"4 business days","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"SEC + public disclosure","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"PCI 
DSS","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Immediately","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Card brands + acquiring bank","type":"text"}]}]}]}]},{"type":"hr","attrs":{"markup":"---"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Vendor Security Assessment","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Vendor Tiering","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Tier","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Data Access","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Assessment Level","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Frequency","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Tier 1: Critical","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"PII, PHI, financial data, source code","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Full security assessment + pen test 
review","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Annual","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Tier 2: Important","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Business data, internal communications","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Security questionnaire + SOC 2 review","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Annual","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Tier 3: Standard","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"No sensitive data access","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Self-attestation + privacy policy review","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Biennial","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Tier 4: Minimal","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"No data access, no system 
integration","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Contract review only","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"At contract renewal","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Vendor Assessment Checklist (Tier 1)","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Domain","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Key Questions","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Pass/Fail Criteria","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Compliance","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"SOC 2 Type II or ISO 27001?","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Must have at least one","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Encryption","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Data encrypted at rest and in 
transit?","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"AES-256 + TLS 1.2+","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Access","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"MFA enforced? RBAC implemented?","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Both required","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Incident response","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Documented IR plan? Notification timeline?","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Must have plan + 24hr notification","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Business continuity","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"DR plan tested? 
RTO/RPO defined?","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Must be tested within 12 months","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Data handling","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Data classification? Retention policy?","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Must have both","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Subprocessors","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Who else handles our data?","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Must disclose all","type":"text"}]}]}]}]},{"type":"hr","attrs":{"markup":"---"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Security Metrics Dashboard","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Board-Level Metrics 
(Quarterly)","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Metric","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Target","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Red Flag","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Board Language","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"ALE coverage","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"> 80%","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\u003c 60%","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\"$X of $Y total risk is mitigated\"","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Mean time to detect (MTTD)","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\u003c 24 hours","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"> 72 
hours","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\"We find threats within X hours\"","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Mean time to respond (MTTR)","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\u003c 4 hours","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"> 24 hours","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\"We contain threats within X hours\"","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Compliance status","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"All current","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Any lapsed","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\"All certifications active\" or \"Gap in X\"","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Critical vulnerabilities 
open","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"0","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Any > 30 days","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\"Zero unpatched critical vulnerabilities\"","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Operational Metrics (Monthly)","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Metric","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Target","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Action Trigger","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Phishing click rate","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\u003c 5%","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"> 10% = mandatory re-training","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Critical patches within 
SLA","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"100%","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\u003c 95% = process review","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Privileged accounts reviewed","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"100% quarterly","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Any unreviewed = immediate review","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Tier 1 vendors assessed","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"100% annually","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Any lapsed = assessment needed","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Security training completion","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"> 95%","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\u003c 90% = escalate to 
managers","type":"text"}]}]}]}]},{"type":"hr","attrs":{"markup":"---"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Security Budget Framework","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Budget as Percentage of Revenue/IT Spend","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Company Stage","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Security Budget (% of Revenue)","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Security Budget (% of IT)","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Seed/Series A","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"2-4%","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"8-12%","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Series 
B","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"3-5%","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"10-15%","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Series C+","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"4-8%","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"12-18%","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Enterprise","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"5-10%","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"15-20%","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Budget Allocation by Category","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Category","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"% of Security 
Budget","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Examples","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"People","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"40-50%","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Security team salaries, training","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Tools","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"25-35%","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"SIEM, EDR, IAM, vulnerability scanner","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Compliance","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"10-15%","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Auditors, certifications, 
legal","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Testing","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"5-10%","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Pen testing, red team, bug bounty","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Incident response","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"5%","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Retainer, insurance, forensics","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Budget Justification Formula","type":"text"}]},{"type":"paragraph","content":[{"text":"For each security investment:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":""},"content":[{"text":"Investment ROI = (ALE_before - ALE_after) / Investment_cost\n\nIf ROI > 1.5x --> Strong business case, approve\nIf ROI 1.0-1.5x --> Moderate case, consider alternatives\nIf ROI \u003c 1.0x --> Weak case, re-evaluate or accept the risk","type":"text"}]},{"type":"hr","attrs":{"markup":"---"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Red Flags","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Security budget justified by \"industry benchmarks\" instead of risk analysis -- budget will be 
wrong","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Pursuing certifications before basic hygiene (MFA, patching, backups) -- checkbox without substance","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"No documented asset inventory -- protecting unknown assets is impossible","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"IR plan exists but never tested (no tabletop exercise) -- plan will fail when needed","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Security team reports to IT, not executive level -- misaligned incentives, budget competition","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Single vendor for identity + endpoint + email -- vendor compromise = total compromise","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Security questionnaire backlog > 30 days -- silently losing enterprise deals","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"No security champion program in engineering -- security becomes a bottleneck","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Pen test findings unresolved after 90 days -- testing without fixing is theater","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"No data classification scheme -- everything treated the same = nothing protected properly","type":"text"}]}]}]},{"type":"hr","attrs":{"markup":"---"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Integration with 
C-Suite","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"When...","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"CISO Works With...","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"To...","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Enterprise sales blocked","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"CRO (","type":"text"},{"text":"cro-advisor","type":"text","marks":[{"type":"code_inline"}]},{"text":")","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Complete security questionnaires, unblock deals","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"New product features","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"CTO + CPO (","type":"text"},{"text":"cto-advisor","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"cpo-advisor","type":"text","marks":[{"type":"code_inline"}]},{"text":")","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Threat modeling, security 
review","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Compliance budget","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"CFO (","type":"text"},{"text":"cfo-advisor","type":"text","marks":[{"type":"code_inline"}]},{"text":")","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Size program against quantified risk exposure","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Vendor contracts","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"COO (","type":"text"},{"text":"coo-advisor","type":"text","marks":[{"type":"code_inline"}]},{"text":")","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Security SLAs, right-to-audit clauses","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"M&A due diligence","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"CEO + CFO","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Target security posture assessment","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Incident 
occurs","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"CEO + Legal","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Response coordination, regulatory notification","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Board reporting","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"CEO (","type":"text"},{"text":"ceo-advisor","type":"text","marks":[{"type":"code_inline"}]},{"text":")","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Translate risk into business language","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Hiring security team","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"CHRO (","type":"text"},{"text":"chro-advisor","type":"text","marks":[{"type":"code_inline"}]},{"text":")","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Compensation, leveling, recruiting","type":"text"}]}]}]}]},{"type":"hr","attrs":{"markup":"---"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Proactive Triggers","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"No security audit in 12+ months -- schedule before a customer or regulator 
asks","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Enterprise deal requires SOC 2 but no certification exists -- compliance roadmap urgently needed","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"New market expansion planned -- check data residency, privacy requirements, local regulations","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Key system has no access logging -- compliance gap and forensic blind spot","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Vendor with access to sensitive data not assessed -- vendor risk assessment required","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Critical vulnerability disclosed in a dependency -- patch assessment within 24 hours","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Employee termination without access revocation SOP -- immediate security gap","type":"text"}]}]}]},{"type":"hr","attrs":{"markup":"---"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Output Artifacts","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Request","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Deliverable","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\"Assess our security posture\"","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Risk register with quantified ALE, prioritized by 
business impact","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\"We need SOC 2\"","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Compliance roadmap: timeline, cost, effort, quick wins, vendor selection","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\"Prep for security audit\"","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Gap analysis against target framework + remediation plan with owners","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\"We had an incident\"","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"IR coordination plan + communication templates + regulatory timeline","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\"Security board section\"","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Risk posture summary, compliance status, incident report, budget ask","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\"Evaluate vendor 
security\"","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Vendor tier assessment with risk scoring and contract recommendations","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\"Justify security budget\"","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Risk-based budget proposal with ROI for each investment","type":"text"}]}]}]}]},{"type":"hr","attrs":{"markup":"---"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Tool Reference","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"security_posture_scorer.py","type":"text"}]},{"type":"paragraph","content":[{"text":"Scores security posture across NIST CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover) and CISA Zero Trust Maturity Model pillars (Identity, Devices, Networks, Applications, Data). 
Produces board-ready security health reports.","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Run with demo data (realistic Series B company)\npython scripts/security_posture_scorer.py\n\n# From JSON with control assessments (0-4 maturity per control)\npython scripts/security_posture_scorer.py --input controls.json\n\n# JSON output\npython scripts/security_posture_scorer.py --json","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"risk_register_manager.py","type":"text"}]},{"type":"paragraph","content":[{"text":"Manages cyber risk register with ALE (SLE x ARO) calculations, mitigation ROI, and board-ready risk reports.","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Run with demo risk register\npython scripts/risk_register_manager.py\n\n# From JSON risk register\npython scripts/risk_register_manager.py --input risks.json\n\n# Sort by ROI (best investments first)\npython scripts/risk_register_manager.py --sort-by roi\n\n# JSON output\npython scripts/risk_register_manager.py --json","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"compliance_tracker.py","type":"text"}]},{"type":"paragraph","content":[{"text":"Tracks progress across SOC 2 Type I/II, ISO 27001, HIPAA, and GDPR. 
Calculates gap analysis, framework overlaps, and effort estimates.","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Track SOC 2 readiness (default)\npython scripts/compliance_tracker.py\n\n# Track multiple frameworks\npython scripts/compliance_tracker.py --frameworks soc2_type1 iso27001 gdpr\n\n# List available frameworks\npython scripts/compliance_tracker.py --list-frameworks\n\n# From JSON\npython scripts/compliance_tracker.py --input compliance.json\n\n# JSON output\npython scripts/compliance_tracker.py --json","type":"text"}]},{"type":"hr","attrs":{"markup":"---"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Troubleshooting","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Problem","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Likely Cause","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Fix","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Security budget justified by \"industry benchmarks\" not risk data","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"No risk quantification framework in place","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Implement ALE-based risk register; justify every dollar against quantified risk 
reduction","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Pursuing SOC 2 before basic hygiene (MFA, backups)","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Checkbox compliance without substance","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Phase 1 foundation first: MFA, endpoint protection, backups; then pursue certifications","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Pen test findings unresolved after 90 days","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Testing without fixing is theater","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Set SLA: critical 7 days, high 30 days, medium 90 days; track in risk register","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Security team reports to IT, not executive level","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Misaligned incentives and budget competition","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"CISO should report to CEO or COO; separate budget from 
IT","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Enterprise deals blocked by security questionnaires","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"No SOC 2 or questionnaire response backlog > 30 days","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Prioritize SOC 2 Type I; create questionnaire response library; assign dedicated owner","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Zero Trust initiative stalled at identity layer","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Trying to implement all pillars simultaneously","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Follow maturity model: Identity first (months 1-3), then Network, then Data","type":"text"}]}]}]}]},{"type":"hr","attrs":{"markup":"---"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Success Criteria","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Security posture score above 70/100 on NIST CSF assessment (measured annually via security_posture_scorer.py)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"ALE coverage above 80% -- quantified risk exposure has funded mitigations (tracked in risk register)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Mean time to detect (MTTD) under 
24 hours for all severity levels","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Mean time to respond (MTTR) under 4 hours for P0/P1 incidents","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Zero critical vulnerabilities open longer than 7 days (measured weekly)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SOC 2 Type II certification maintained current with zero control exceptions","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Phishing click rate below 5% across quarterly simulation campaigns","type":"text"}]}]}]},{"type":"hr","attrs":{"markup":"---"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Scope & Limitations","type":"text"}]},{"type":"paragraph","content":[{"text":"In Scope","type":"text","marks":[{"type":"strong"}]},{"text":": Risk quantification (ALE/SLE/ARO), compliance roadmapping, Zero Trust maturity assessment, NIST CSF 2.0 scoring, incident response protocol, vendor security assessment, security budget justification, board-level security reporting.","type":"text"}]},{"type":"paragraph","content":[{"text":"Out of Scope","type":"text","marks":[{"type":"strong"}]},{"text":": Penetration testing execution, malware analysis, SOC operations, firewall configuration, code review, forensic investigation execution, security tool procurement.","type":"text"}]},{"type":"paragraph","content":[{"text":"Limitations","type":"text","marks":[{"type":"strong"}]},{"text":": Security posture scorer uses self-assessed maturity levels which may overstate actual capability. Risk register ALE calculations are estimates based on industry data -- actual losses vary significantly. Compliance tracker measures control implementation, not control effectiveness. 
Zero Trust scoring uses binary (implemented/not) which oversimplifies partial implementations.","type":"text"}]},{"type":"hr","attrs":{"markup":"---"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Integration Points","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Skill","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Integration","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"cto-advisor","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Security architecture reviews; threat modeling for new features","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"cfo-advisor","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Security budget sizing against quantified risk; compliance costs","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"ceo-advisor","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Board security reporting; incident communication to 
stakeholders","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"coo-advisor","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Vendor security SLAs; right-to-audit contract clauses","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"cro-advisor","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Security questionnaire response; SOC 2 as sales enabler","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"chro-advisor","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Security team hiring; security awareness training programs","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"board-deck-builder","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Risk/security section of board deck with posture score and compliance 
status","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"ra-qm-team","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Extended compliance frameworks (ISO 13485, MDR, FDA, GDPR, NIS2, DORA)","type":"text"}]}]}]}]},{"type":"hr","attrs":{"markup":"---"}}]},"metadata":{"date":"2026-06-05","name":"ciso-advisor","author":"@skillopedia","source":{"stars":209,"repo_name":"claude-skills","origin_url":"https://github.com/borghei/claude-skills/blob/HEAD/c-level-advisor/ciso-advisor/SKILL.md","repo_owner":"borghei","body_sha256":"557a18b25c6c05708a122f94039c5a328fdae1e482a0b0f48a5ce37a5dd32e7a","cluster_key":"ebab494ca0ce38922bc7afcc65d5f14c8e7a52ce3921bde7ead709c8a09e7406","clean_bundle":{"format":"clean-skill-bundle-v1","source":"borghei/claude-skills/c-level-advisor/ciso-advisor/SKILL.md","attachments":[{"id":"0bb6ecf3-a6ba-5816-a846-b3e67dec8792","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/0bb6ecf3-a6ba-5816-a846-b3e67dec8792/attachment.py","path":"scripts/compliance_tracker.py","size":12373,"sha256":"dd62c04f1240347c558bbd991cb43437fc970f8704cba259e82d662f7e8bc88c","contentType":"text/x-python; charset=utf-8"},{"id":"dcfccf95-f2a3-525a-8662-5f99937ffaf5","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/dcfccf95-f2a3-525a-8662-5f99937ffaf5/attachment.py","path":"scripts/risk_register_manager.py","size":9137,"sha256":"93e22d95387ceff741ebe5c3592287a68d3ee0ebfd57b66c228498b783030394","contentType":"text/x-python; 
charset=utf-8"},{"id":"ea56e711-ad37-52eb-8e77-63f1f075625d","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/ea56e711-ad37-52eb-8e77-63f1f075625d/attachment.py","path":"scripts/security_posture_scorer.py","size":15224,"sha256":"35c4b6a5e9eacb53be940221604773405249a4fb199f022b77d5a2f1ddc9177c","contentType":"text/x-python; charset=utf-8"}],"bundle_sha256":"f1841f74f285d53a6869e24866a6378637bed92f9dd256ebb4feee8649961845","attachment_count":3,"text_attachments":3,"attachment_storage":"skillopedia-attachments-v1","binary_attachments":0,"excluded_attachments":[]},"cluster_size":1,"skill_md_path":"c-level-advisor/ciso-advisor/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"security","category_label":"Security"},"exact_dupes_collapsed_into_this":0},"license":"MIT + Commons Clause","version":"v1","category":"security","metadata":{"author":"borghei","domain":"ciso-leadership","updated":"2026-03-09T00:00:00.000Z","version":"2.0.0","category":"c-level","triggers":["CISO","security strategy","risk quantification","compliance roadmap","SOC 2","ISO 27001","HIPAA","GDPR","zero trust","incident response","board security reporting","vendor assessment","security budget","penetration testing","vulnerability management","data protection","security audit","cyber risk","security program","threat modeling"],"frameworks":["risk-based-security","zero-trust-architecture","defense-in-depth","compliance-sequencing","incident-response-leadership","vendor-risk-management"]},"import_tag":"clean-skills-v1","description":"Security leadership for growth-stage companies. Risk quantification in dollars, compliance roadmap sequencing (SOC 2, ISO 27001, HIPAA, GDPR), security architecture strategy, incident response leadership, vendor security assessment, and board-level security reporting. 
Use when building security programs, justifying security budget, selecting compliance frameworks, managing incidents, assessing vendor risk, preparing for audits, or when user mentions CISO, security strategy, compliance, zero trust, board security, risk assessment, incident response, SOC 2, ISO 27001, HIPAA, GDPR, penetration testing, or vulnerability management.\n"}},"renderedAt":1782987558990}