Summary: Investing in security remains crucial even when there are no immediate issues, because control effectiveness has to be maintained over time. Organizations can sustain security by monitoring organizational health, practicing zero-based budgeting, and communicating the incremental benefits of security controls. Without proactive measures, security resources will gradually decrease, leading to potential vulnerabilities and incidents.
Most organizations do regular risk and control assessments to determine if risks have been identified and if they are being mitigated appropriately within some defined risk appetite - mostly by ensuring controls are implemented and sustained
The process of assuming a zero budget and then rebuilding it back up by re-justifying your resources can result in cuts.
Often, pressures in the system such as stretched resources or services where supply is not capable of meeting demand are not immediately seen as a problem. This is because the security team or other embedded roles are working beyond their natural capacity and progressively burning themselves out. If your only measure is results then your heroics might well be taken for granted vs. rewarded. Instead, figure out ways of making the scarcity visible,