1. Size – Measure overall risk exposure across the organization's value chain
2. Monetize – Adopt a defensible framework for quantifying the benefits of cybersecurity investments
3. Operationalize...
No real accountability exists today for executives with regard to IT security failures. Accountability should exist in cases where known security issues existed before the breach and executives failed to address them. Risk acceptance should not be used as an excuse for addressable security gaps.
Currently, agencies self-assess their cybersecurity posture. OMB should create an assessment standard and have an independent assessment board of government and industry SMEs assess each agency, via a framework such as the one used for FedRAMP.