1. How confident are you in understanding the CURRENT state of information security in your organization in terms of an objective, consistent, and relevant measurement of information security risk?*

- Not at all. Information security hasn't been something we've taken seriously in our organization.
- While I feel like we're doing some good things about information security, I don't feel confident we understand how much risk we're living with every day.
- I'm confident we have an idea of our current state, but we've got plenty of room for improvement. We have some measurements in place, but they lack scope to account for all of "information security" and/or they lack objectivity.
- I'm very confident in understanding the current state of information security. We apply consistent measurements across a broad range of relevant criteria, using objective data, to formulate our "current state".
- Not sure.

* "Information security" is defined as managing risk to unauthorized disclosure, modification, and destruction of information using administrative, physical, AND technical controls.

2. How well have you planned and communicated the FUTURE state of your information security program?

- There has been very little information security strategic planning in our organization, if any. We don't know what the future state of our information security program looks like.
- Strategic planning is part of our information security program; however, the process is not mature, and our future state is not well defined.
- The future of our information security program is planned and communicated to management, but the future state is not based upon consistently objective criteria.
- The future of our information security program is planned, using objective criteria, and it's very well understood by management.
- Not sure.

3. At what TIME will your organization reach an acceptable level of information security risk, one where management feels comfortable?

- We're not sure. An acceptable level of risk has not been defined by management.
- Management has generally communicated their acceptable level of risk; however, it's not defined well enough to set a time frame for the organization to meet their expectations.
- An acceptable level of risk is defined, and strategic planning has been conducted, but a definitive timeline has not been established for the future state of our information security program.
- The timeline for the future state of our information security program is well defined, based on an objective level of risk as communicated by executive management.
- Not sure.

4. How much will it COST to reach the management-defined level of acceptable information security risk in your organization?

- We don't know. We spend money on information security, but we can't quantify how it affects risk.
- General budget numbers are established for information security, but a management-defined level of acceptable information security risk has not been established and/or communicated.
- An information security budget is defined, and it's been defined with consistent management input. What's missing is objectivity, clarity, and/or consistent performance measurement.
- An information security budget is established to meet objective and measurable levels of risk as defined by management. Information security dollars are spent on our most significant unacceptable risks, as indicated by objective data.
- Not sure.