Taking a different look at risk

Now that we can look at information and the systems it interacts with, both can be treated according to how much value they hold for the organization. The senior leadership of both IT and security needs to:

  • Define differences in the security level requirements from copper networks to platinum networks
  • Establish metrics of what is good, bad, and ugly for the services and/or end-to-end process
  • Monitor and present results visually at all levels

These three things are pretty common when you talk about risk.

Something that is not measured here (that at least I think can be improved) is taking the risk reduction process to a level where we can anticipate relevant threats based on real-time threat intelligence. We want to reduce risk exposure based on relevant threat intelligence by establishing a capability (cyber intelligence) to communicate across the organization. This is an attempt to integrate information being generated from security services (threat intelligence, red team, threat hunting, and so on) into the risk management process. 
