ABSTRACT

The frugal chief information security officer (CISO) endeavors to size and scope his or her organization's information security program to fit just right by using the Goldilocks Principle. The Goldilocks Principle says that something must fall within certain margins rather than going to opposite ends of a spectrum of options. One common error occurs when a CISO or information security manager attempts to re-create the program at their prior employer rather than developing a program based on their new organization's risk profile. Even if a new CISO manages to recruit a number of members of their former team, it can be difficult to re-create the je ne sais quoi behind its success. Attempts to re-create old teams more often result in failures for the CISO attempting them. Most importantly from the frugal CISO perspective, there needs to be proper justification for implementing a control beyond the claim that it is a best practice.