🔐
CISO Advisor
Information security leadership — risk quantification, compliance roadmaps (SOC2, ISO 27001), security architecture, and board-level security reporting.
What this skill does
Build a security program that protects revenue and satisfies enterprise customers without slowing down development. Create clear compliance roadmaps for standards like SOC 2 and translate security risks into dollar amounts to justify your security budget. Use this when preparing for audits, managing incidents, or answering board questions about cyber risk.
name: “ciso-advisor” description: “Security leadership for growth-stage companies. Risk quantification in dollars, compliance roadmap (SOC 2/ISO 27001/HIPAA/GDPR), security architecture strategy, incident response leadership, and board-level security reporting. Use when building security programs, justifying security budget, selecting compliance frameworks, managing incidents, assessing vendor risk, or when user mentions CISO, security strategy, compliance roadmap, zero trust, or board security reporting.” license: MIT metadata: version: 1.0.0 author: Alireza Rezvani category: c-level domain: ciso-leadership updated: 2026-03-05 python-tools: risk_quantifier.py, compliance_tracker.py frameworks: risk-based-security, zero-trust, defense-in-depth
CISO Advisor
Risk-based security frameworks for growth-stage companies. Quantify risk in dollars, sequence compliance for business value, and turn security into a sales enabler — not a checkbox exercise.
Keywords
CISO, security strategy, risk quantification, ALE, SLE, ARO, security posture, compliance roadmap, SOC 2, ISO 27001, HIPAA, GDPR, zero trust, defense in depth, incident response, board security reporting, vendor assessment, security budget, cyber risk, program maturity
Quick Start
python scripts/risk_quantifier.py # Quantify security risks in $, prioritize by ALE
python scripts/compliance_tracker.py # Map framework overlaps, estimate effort and costCore Responsibilities
1. Risk Quantification
Translate technical risks into business impact: revenue loss, regulatory fines, reputational damage. Use ALE to prioritize. See references/security_strategy.md.
Formula: ALE = SLE × ARO (Single Loss Expectancy × Annual Rate of Occurrence). Board language: “This risk has $X expected annual loss. Mitigation costs $Y.”
2. Compliance Roadmap
Sequence for business value: SOC 2 Type I (3–6 mo) → SOC 2 Type II (12 mo) → ISO 27001 or HIPAA based on customer demand. See references/compliance_roadmap.md for timelines and costs.
3. Security Architecture Strategy
Zero trust is a direction, not a product. Sequence: identity (IAM + MFA) → network segmentation → data classification. Defense in depth beats single-layer reliance. See references/security_strategy.md.
4. Incident Response Leadership
The CISO owns the executive IR playbook: communication decisions, escalation triggers, board notification, regulatory timelines. See references/incident_response.md for templates.
5. Security Budget Justification
Frame security spend as risk transfer cost. A $200K program preventing a $2M breach at 40% annual probability has $800K expected value. See references/security_strategy.md.
6. Vendor Security Assessment
Tier vendors by data access: Tier 1 (PII/PHI) — full assessment annually; Tier 2 (business data) — questionnaire + review; Tier 3 (no data) — self-attestation.
Key Questions a CISO Asks
- “What’s our crown jewel data, and who can access it right now?”
- “If we had a breach today, what’s our regulatory notification timeline?”
- “Which compliance framework do our top 3 prospects actually require?”
- “What’s our blast radius if our largest SaaS vendor is compromised?”
- “We spent $X on security last year — what specific risks did that reduce?”
Security Metrics
| Category | Metric | Target |
|---|---|---|
| Risk | ALE coverage (mitigated risk / total risk) | > 80% |
| Detection | Mean Time to Detect (MTTD) | < 24 hours |
| Response | Mean Time to Respond (MTTR) | < 4 hours |
| Compliance | Controls passing audit | > 95% |
| Hygiene | Critical patches within SLA | > 99% |
| Access | Privileged accounts reviewed quarterly | 100% |
| Vendor | Tier 1 vendors assessed annually | 100% |
| Training | Phishing simulation click rate | < 5% |
Red Flags
- Security budget justified by “industry benchmarks” rather than risk analysis
- Certifications pursued before basic hygiene (patching, MFA, backups)
- No documented asset inventory — can’t protect what you don’t know you have
- IR plan exists but has never been tested (tabletop or live drill)
- Security team reports to IT, not executive level — misaligned incentives
- Single vendor for identity + endpoint + email — one breach, total exposure
- Security questionnaire backlog > 30 days — silently losing enterprise deals
Integration with Other C-Suite Roles
| When… | CISO works with… | To… |
|---|---|---|
| Enterprise sales | CRO | Answer questionnaires, unblock deals |
| New product features | CTO/CPO | Threat modeling, security review |
| Compliance budget | CFO | Size program against risk exposure |
| Vendor contracts | Legal/COO | Security SLAs and right-to-audit |
| M&A due diligence | CEO/CFO | Target security posture assessment |
| Incident occurs | CEO/Legal | Response coordination and disclosure |
Detailed References
references/security_strategy.md— risk-based security, zero trust, maturity model, board reportingreferences/compliance_roadmap.md— SOC 2/ISO 27001/HIPAA/GDPR timelines, costs, overlapsreferences/incident_response.md— executive IR playbook, communication templates, tabletop design
Proactive Triggers
Surface these without being asked when you detect them in company context:
- No security audit in 12+ months → schedule one before a customer asks
- Enterprise deal requires SOC 2 and you don’t have it → compliance roadmap needed now
- New market expansion planned → check data residency and privacy requirements
- Key system has no access logging → flag as compliance and forensic risk
- Vendor with access to sensitive data hasn’t been assessed → vendor security review
Output Artifacts
| Request | You Produce |
|---|---|
| ”Assess our security posture” | Risk register with quantified business impact (ALE) |
| “We need SOC 2” | Compliance roadmap with timeline, cost, effort, quick wins |
| ”Prep for security audit” | Gap analysis against target framework with remediation plan |
| ”We had an incident” | IR coordination plan + communication templates |
| ”Security board section” | Risk posture summary, compliance status, incident report |
Reasoning Technique: Risk-Based Reasoning
Evaluate every decision through probability × impact. Quantify risks in business terms (dollars, not severity labels). Prioritize by expected annual loss.
Communication
All output passes the Internal Quality Loop before reaching the founder (see agent-protocol/SKILL.md).
- Self-verify: source attribution, assumption audit, confidence scoring
- Peer-verify: cross-functional claims validated by the owning role
- Critic pre-screen: high-stakes decisions reviewed by Executive Mentor
- Output format: Bottom Line → What (with confidence) → Why → How to Act → Your Decision
- Results only. Every finding tagged: 🟢 verified, 🟡 medium, 🔴 assumed.
Context Integration
- Always read
company-context.mdbefore responding (if it exists) - During board meetings: Use only your own analysis in Phase 2 (no cross-pollination)
- Invocation: You can request input from other roles:
[INVOKE:role|question]
Compliance Roadmap Reference
Decision Framework: Which Framework First?
Start here — who are your customers?
Enterprise SaaS (B2B, US market) → SOC 2 Type II first
Healthcare / health data → HIPAA + SOC 2 together
EU customers or EU-resident data → GDPR (non-optional if applicable)
EU enterprise sales → ISO 27001 + GDPR
Government / defense → FedRAMP / CMMC (separate scope)
All of the above (Series B+) → Multi-framework efficiency approachThe sequencing principle: SOC 2 Type I is the fastest proof of intent (3–6 months). Type II is the credibility signal (12 months). Everything else builds on your control library.
1. SOC 2
What It Is
SOC 2 is an attestation (not a certification) that your controls meet the AICPA Trust Service Criteria. An independent CPA firm audits your controls and issues a report.
- Type I: Controls are suitably designed at a point in time (snapshot). Lower credibility but faster.
- Type II: Controls operated effectively over a period of time (minimum 6 months). This is what enterprise buyers want.
Trust Service Criteria (TSC)
You must include Security (CC). Others are optional:
| Criteria | When to add |
|---|---|
| Security (CC) | Always required |
| Availability | If uptime SLAs are contractual |
| Confidentiality | If you process confidential third-party data |
| Processing Integrity | If accuracy of processing is critical (fintech, data processing) |
| Privacy | If you make privacy commitments beyond GDPR/CCPA scope |
Most startups: Security + Availability is sufficient.
Timeline: SOC 2 Type I
| Phase | Duration | Activities |
|---|---|---|
| Readiness assessment | 2–4 weeks | Gap analysis against CC criteria, identify control owners |
| Policy documentation | 4–6 weeks | Write ~15–20 policies (acceptable use, access control, change management, etc.) |
| Control implementation | 4–8 weeks | Deploy technical controls, fix gaps identified in readiness |
| Evidence collection | 2–4 weeks | Screenshots, logs, configs — auditor will sample these |
| Audit fieldwork | 2–4 weeks | CPA firm reviews evidence, interviews control owners |
| Report issuance | 2–4 weeks | Report issued, reviewed, shared with customers |
| Total | 3–6 months | — |
Timeline: SOC 2 Type II (after Type I)
| Phase | Duration | Notes |
|---|---|---|
| Observation period | 6–12 months | Controls must operate consistently — no exceptions |
| Audit fieldwork | 4–6 weeks | Auditor samples evidence across full period |
| Report issuance | 2–4 weeks | — |
| Total from Type I | 9–18 months | Faster if Type I was clean |
Cost Estimates
| Item | SOC 2 Type I | SOC 2 Type II |
|---|---|---|
| Audit firm fees | $15,000–$35,000 | $25,000–$60,000 |
| Compliance platform (Vanta, Drata, Secureframe) | $12,000–$30,000/yr | Same platform |
| External counsel / vCISO | $10,000–$30,000 | $5,000–$15,000 maintenance |
| Internal time (eng + ops) | 200–400 hours | 100–200 hours/yr |
| Total first year | $40,000–$100,000 | +$30,000–$75,000 |
Cost optimization tips:
- Use a compliance platform (Vanta, Drata, Secureframe) — automated evidence collection halves audit cost
- Choose a mid-tier audit firm; Big 4 is overkill for startups
- Type I and Type II with same auditor = continuity discount
Common Failure Modes
- Controls documented but not operating (access reviews on paper only)
- Exceptions during observation period (one admin account without MFA = finding)
- No formal security awareness training (required for CC criteria)
- Change management not followed (no ticket for that production change)
- Vendor risk management missing (you must assess your critical vendors)
2. ISO 27001
What It Is
ISO 27001 is an internationally recognized certification for an Information Security Management System (ISMS). Unlike SOC 2, it's a certification (pass/fail), not an attestation report. Issued by accredited certification bodies (BSI, Bureau Veritas, DNV, TÜV).
Why ISO 27001 over SOC 2: EU enterprise buyers, government contracts, and global markets often prefer or require ISO 27001. It's geographically neutral.
Scope Decision
ISO 27001 scope is flexible — you can certify a subset of the organization.
- Narrow scope: The production environment only — fastest, cheapest
- Full scope: Entire organization — most credibility, highest effort
- Recommended for startups: Production environment + key business processes
Certification Timeline
| Phase | Duration | Activities |
|---|---|---|
| Gap analysis | 2–4 weeks | Assess current state vs. 93 controls in Annex A |
| ISMS design | 4–8 weeks | Scope, risk methodology, SoA (Statement of Applicability) |
| Policy and procedure development | 6–10 weeks | Mandatory documents: risk treatment plan, asset register, ISMS policy |
| Risk assessment | 4–6 weeks | Identify, analyze, evaluate risks; produce risk register |
| Control implementation | 8–16 weeks | Implement gaps from risk assessment |
| Internal audit | 2–4 weeks | First internal audit of ISMS |
| Management review | 1–2 weeks | Leadership sign-off on ISMS |
| Stage 1 audit (documentation) | 1–2 weeks | Certification body reviews docs and scope |
| Stage 2 audit (implementation) | 1–2 weeks | Certification body verifies controls are operating |
| Certification issued | 1–2 weeks | Certificate valid for 3 years with annual surveillance audits |
| Total | 9–18 months | — |
Cost Estimates
| Item | Cost |
|---|---|
| Certification body fees (Stage 1 + Stage 2) | $15,000–$40,000 |
| Annual surveillance audits | $8,000–$20,000/yr |
| vCISO / consultant (if not in-house) | $30,000–$80,000 |
| GRC platform | $10,000–$25,000/yr |
| Internal time | 400–800 hours |
| Total first year | $55,000–$150,000 |
Mandatory ISO 27001:2022 Documents
- ISMS scope document
- Information security policy
- Risk assessment methodology
- Risk register with risk treatment plan
- Statement of Applicability (SoA)
- Asset inventory
- Competence and awareness records
- Internal audit reports
- Management review minutes
- Nonconformity and corrective action records
3. HIPAA for Health Tech Startups
When HIPAA Applies
HIPAA applies if you are a Covered Entity (healthcare provider, health plan, clearinghouse) or a Business Associate (you process, store, or transmit Protected Health Information on behalf of a Covered Entity).
Key trigger: If your product touches patient data in any way and a US healthcare provider uses your product, you are likely a Business Associate. You must sign a BAA (Business Associate Agreement) with each Covered Entity customer.
HIPAA Rule Structure
| Rule | Focus | Key Requirements |
|---|---|---|
| Privacy Rule | How PHI can be used and disclosed | Minimum necessary, patient rights, notice of privacy practices |
| Security Rule | Technical and physical safeguards for ePHI | Required and addressable safeguards |
| Breach Notification Rule | What to do if PHI is breached | Timing and content of breach notifications |
Security Rule: Required vs. Addressable
Required safeguards must be implemented exactly as specified. Addressable safeguards must be implemented or documented why an equivalent measure was used.
Key Required Safeguards:
- Unique user IDs (no shared logins)
- Emergency access procedure
- Audit controls (logging access to ePHI)
- Transmission security (encryption in transit)
- Person or entity authentication
Key Addressable Safeguards (implement or document why not):
- Automatic logoff
- Encryption and decryption (encryption at rest — despite being "addressable," regulators expect it)
- Audit review procedures
- Security reminders and training
HIPAA Compliance Timeline
| Phase | Duration | Activities |
|---|---|---|
| Risk analysis | 4–6 weeks | Document all PHI flows, assess risks to PHI — required by law |
| Policy development | 4–8 weeks | Privacy policies, breach notification, workforce training |
| Technical safeguard implementation | 4–12 weeks | Encryption, audit logging, access controls, BAA templates |
| Workforce training | 2–4 weeks | Annual HIPAA training for all staff with PHI access |
| BAA execution | Ongoing | Execute with all vendors who process PHI |
| Total | 4–8 months | — |
Cost Estimates
| Item | Cost |
|---|---|
| Initial risk analysis (consultant) | $15,000–$40,000 |
| Policy development | $8,000–$20,000 |
| Technical implementation | $20,000–$60,000 |
| Annual training and maintenance | $5,000–$15,000/yr |
| HIPAA compliance platform | $10,000–$20,000/yr |
| Total first year | $45,000–$130,000 |
HIPAA Penalties (Why This Matters)
| Violation Category | Penalty per Violation | Annual Cap |
|---|---|---|
| Unaware | $100–$50,000 | $25,000 |
| Reasonable cause | $1,000–$50,000 | $100,000 |
| Willful neglect (corrected) | $10,000–$50,000 | $250,000 |
| Willful neglect (not corrected) | $50,000 | $1,500,000 |
4. GDPR Compliance Program
When GDPR Applies
GDPR applies if you:
- Are established in the EU/EEA
- Process personal data of EU/EEA residents (regardless of your location)
- Offer goods or services to EU residents
- Monitor the behavior of EU residents
Key point for US startups: If you have EU users or EU employees, GDPR applies to you.
Core GDPR Principles (Build These In)
- Lawfulness, fairness, transparency — have a legal basis for every processing activity
- Purpose limitation — collect data for specified, explicit purposes only
- Data minimization — collect only what you need
- Accuracy — keep data accurate
- Storage limitation — delete data when no longer needed
- Integrity and confidentiality — appropriate security measures
- Accountability — demonstrate compliance
Legal Bases for Processing
| Basis | When to use |
|---|---|
| Consent | Marketing, non-essential cookies, optional features |
| Contract | Processing necessary to deliver your service |
| Legitimate interests | Analytics, fraud prevention, security (requires LIA) |
| Legal obligation | Compliance with legal requirements |
| Vital interests | Emergency situations only |
Avoid over-relying on consent — it must be freely given, specific, informed, and unambiguous. Contractual basis is more robust for core product data.
GDPR Compliance Checklist
Governance:
- Data Protection Officer (DPO) appointed (required for large-scale processing or sensitive data)
- Record of Processing Activities (RoPA) maintained
- Data Protection Impact Assessments (DPIA) for high-risk processing
Rights Management (respond within 1 month):
- Right of access (data subject access requests — DSARs)
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to data portability
- Right to object to processing
Technical Measures:
- Privacy by design in product development
- Data minimization enforced
- Encryption at rest and in transit
- Pseudonymization where possible
- Retention policies and automated deletion
Vendor Management:
- Data Processing Agreements (DPAs) with all processors
- Standard Contractual Clauses (SCCs) for non-EU transfers
Breach Notification:
- Notify supervisory authority within 72 hours of awareness
- Notify affected individuals if high risk to their rights and freedoms
GDPR Compliance Timeline
| Phase | Duration | Activities |
|---|---|---|
| Data mapping | 3–6 weeks | Map all personal data flows: collect, store, process, share, delete |
| Legal basis review | 2–4 weeks | Assign legal basis to each processing activity |
| Policy updates | 4–6 weeks | Privacy policy, cookie policy, employee data notices |
| DPA execution | 2–4 weeks | Execute DPAs with all processors (SaaS vendors, cloud providers) |
| Technical controls | 4–12 weeks | Consent management, data subject rights automation, retention |
| Staff training | 2–4 weeks | GDPR awareness for all staff |
| Total | 3–6 months | — |
GDPR Fines
- Standard violations: Up to €10M or 2% of global annual revenue
- Major violations (basic principles, consent, data subject rights): Up to €20M or 4% of global annual revenue
- Highest ever fine: Meta, €1.2B (2023, data transfers to US)
5. Multi-Framework Efficiency
Control Overlap Analysis
The same underlying controls satisfy multiple frameworks. Build once, certify multiple times.
Core Control Domain Overlap:
| Control Domain | SOC 2 | ISO 27001 | HIPAA | GDPR |
|---|---|---|---|---|
| Access control / IAM | CC6 | A.5.15–A.5.18 | §164.312(a) | Art. 32 |
| Encryption at rest/transit | CC6.7 | A.8.24 | §164.312(a)(2)(iv) | Art. 32 |
| Audit logging | CC7.2 | A.8.15, A.8.17 | §164.312(b) | Art. 32 |
| Incident response | CC7.3–CC7.5 | A.5.24–A.5.28 | §164.308(a)(6) | Art. 33–34 |
| Vendor/third-party mgmt | CC9 | A.5.19–A.5.22 | §164.308(b) | Art. 28 |
| Risk assessment | CC3 | Clause 6.1 | §164.308(a)(1) | Art. 32 |
| Security training | CC1.4 | A.6.3, A.6.8 | §164.308(a)(5) | Art. 39 |
| Business continuity | A1 | A.5.29–A.5.30 | §164.308(a)(7) | Art. 32 |
| Data classification | CC6.1 | A.5.9–A.5.13 | §164.514 | Art. 5(1)(c) |
| Change management | CC8 | A.8.32 | §164.312(c) | Art. 25 |
Efficiency Rule: If you build SOC 2 controls correctly, you're ~65–75% of the way to ISO 27001 and ~70% of the way to HIPAA. Don't rebuild — extend.
Recommended Sequencing by Company Profile
B2B SaaS (US-focused):
Month 0–6: SOC 2 Type I → unblocks early enterprise deals
Month 6–18: SOC 2 Type II → enterprise table stakes
Month 18–30: ISO 27001 → EU market expansion
(GDPR should be woven in from month 0 if any EU data)HealthTech (US):
Month 0–8: HIPAA compliance + BAA readiness → enables healthcare customers
Month 6–18: SOC 2 Type II → enterprise IT requirements on top of HIPAA
Month 18+: ISO 27001 if entering European marketEU-founded SaaS:
Month 0–3: GDPR compliance → legal requirement, not optional
Month 3–12: ISO 27001 → EU enterprise default expectation
Month 12–24: SOC 2 → US market expansionHealthTech (EU):
Concurrent: GDPR + ISO 27001 (strong overlap with MDR/IVDR security requirements)
Month 12+: HIPAA if entering US marketShared Evidence Model
Build your evidence library once. Tag each piece of evidence by framework:
evidence/
├── access_control/
│ ├── iam_policy.pdf [SOC2:CC6, ISO:A5.15, HIPAA:164.312a]
│ ├── mfa_screenshot_Q1.png [SOC2:CC6, ISO:A8.5, HIPAA:164.312d]
│ └── access_review_log.xlsx [SOC2:CC6, ISO:A5.18, HIPAA:164.308a]
├── encryption/
│ ├── kms_config.png [SOC2:CC6.7, ISO:A8.24, HIPAA:164.312e]
│ └── tls_policy.md [SOC2:CC6.7, ISO:A8.24, HIPAA:164.312e]
└── incident_response/
├── ir_plan.pdf [SOC2:CC7, ISO:A5.24, HIPAA:164.308a6]
└── tabletop_log.pdf [SOC2:CC7, ISO:A5.26, HIPAA:164.308a6]GRC Platform Comparison
| Platform | Best For | Price/yr | SOC 2 | ISO 27001 | HIPAA | GDPR |
|---|---|---|---|---|---|---|
| Vanta | Fast SOC 2, US startups | $15–30K | ✅ | ✅ | ✅ | ✅ |
| Drata | Automation depth | $18–35K | ✅ | ✅ | ✅ | ✅ |
| Secureframe | Cost-effective | $10–20K | ✅ | ✅ | ✅ | ✅ |
| Sprinto | SMB, global | $12–25K | ✅ | ✅ | ✅ | ✅ |
| Tugboat Logic | Mid-market | $20–40K | ✅ | ✅ | ✅ | ✅ |
| Manual | Budget-constrained | $0 + time | ✅ | ✅ | ✅ | ✅ |
Recommendation: For Series A startups, Vanta or Drata pays for itself in reduced auditor fees and internal time savings. Budget $15–25K/year.
Compliance Maintenance Annual Budget
| Item | SOC 2 | ISO 27001 | HIPAA | GDPR |
|---|---|---|---|---|
| Annual audit / surveillance | $25–60K | $8–20K | n/a (self-assessed) | n/a (self-assessed) |
| GRC platform | $15–30K | Shared | Shared | Shared |
| Annual training | $3–8K | Shared | Shared | Shared |
| Policy review | $2–5K | $2–5K | $2–5K | $2–5K |
| Total ongoing | $45–103K/yr | +$10–25K/yr | +$5–15K/yr | +$5–15K/yr |
Incident Response Reference (Executive Playbook)
This is the executive IR playbook — strategic decisions, communication, and leadership during incidents. For technical playbooks (containment procedures, forensics), see your SOC runbooks.
1. Incident Classification
Severity Levels
| Severity | Definition | Examples | Response Time | Escalation |
|---|---|---|---|---|
| SEV-1 (Critical) | Confirmed breach, data exfil, ransomware, production down | Active ransomware, confirmed data theft, complete service outage | Immediate (< 1 hour) | CEO, board within 24 hrs |
| SEV-2 (High) | Suspected breach, significant security event, extended outage | Credential compromise suspected, DDoS, 4-hour+ outage | < 4 hours | CEO, legal within 48 hrs |
| SEV-3 (Medium) | Security event with limited impact, short outage | Phishing success (contained), brief outage, single system compromise | < 24 hours | CISO-owned, weekly rollup |
| SEV-4 (Low) | Minor security event, near-miss | Failed phishing attempt, minor policy violation | < 72 hours | Team-owned |
Breach vs. Security Incident
Security incident: Unplanned event affecting security — may or may not involve data. Data breach: Confirmed unauthorized access to personal data — triggers regulatory notification obligations.
Critical distinction for response planning: A ransomware attack is an incident. If data was exfiltrated before encryption, it's also a breach. Assume breach until proven otherwise.
2. Executive IR Plan
Phase 1: Detection & Initial Assessment (0–2 hours for SEV-1)
Immediate actions (CISO):
- Receive alert from SOC/monitoring system or team member report
- Make initial severity classification — don't wait for perfect information
- Activate incident response team (IR lead, legal counsel, comms lead)
- Create incident war room (dedicated Slack channel, video bridge, shared document)
- Stop the clock — document exact time of discovery (regulatory timelines start here)
- Begin chain of custody documentation if forensics may be needed
Executive notification trigger (within 1 hour for SEV-1):
- Notify CEO: incident status, initial severity, IR team activated
- Put legal counsel on notice — don't wait to determine if breach occurred
- If public company: notify General Counsel immediately (potential disclosure obligations)
What you do NOT do in Phase 1:
- Do not notify customers yet (confirm scope first)
- Do not delete or modify any logs or systems (evidence preservation)
- Do not make public statements
- Do not speculate about cause or scope
Phase 2: Containment & Assessment (2–24 hours for SEV-1)
Executive decisions required:
- Scope authorization: Approve IR firm engagement (have a retainer in place)
- System isolation: Authorize taking systems offline if needed (revenue vs. evidence tradeoff)
- Evidence preservation: Authorize forensic image capture
- Communication timing: When to notify customers/partners (legal drives this)
Board notification (for SEV-1/2):
- Notify board chair / audit committee chair within 24 hours for SEV-1
- Board notification format: what we know, what we don't know, what we're doing, next update time
- Do not speculate on financial impact in board notification until known
Legal assessment (with counsel):
- Determine if personal data was involved
- Identify applicable notification laws (GDPR 72-hour, state breach notification, HIPAA 60-day)
- Assess litigation risk (document with privilege from this point)
- Evaluate cyber insurance policy coverage and notification requirements
Phase 3: Notification & Communication (24–72 hours for SEV-1)
Notification decision matrix:
| Audience | Trigger | Timeline | Owner |
|---|---|---|---|
| Board | SEV-1/2 confirmed | < 24 hours | CEO/CISO |
| Regulators (GDPR) | Personal data breach confirmed | < 72 hours from awareness | Legal + CISO |
| Regulators (HIPAA) | PHI breach confirmed | < 60 days (early notice to HHS ASAP) | Legal + CISO |
| State regulators (US) | State breach notification laws vary | 30–90 days depending on state | Legal |
| Enterprise customers | Data confirmed in scope | As soon as practical after legal review | CEO/CRO |
| All customers | Data potentially in scope | After regulators notified | CEO/Comms |
| Media | Proactive or reactive | After notifying affected parties | CEO/Comms |
| Cyber insurer | Incident confirmed | Per policy terms (often 48–72 hours) | CFO/Legal |
Phase 4: Recovery (Ongoing)
Executive decisions:
- Approve recovery timeline and communicate to customers
- Determine customer compensation or remediation (if applicable)
- Authorize security improvements identified during incident
- Decide on public disclosure beyond mandatory reporting
Phase 5: Post-Incident Review (Within 30 days)
Covered in Section 5 of this document.
3. Communication Templates
Board/Executive Notification (Initial — Hour 1)
Subject: [CONFIDENTIAL] Security Incident — Immediate Notification
We have identified a security incident as of [DATE/TIME].
Current status: [Brief factual description — what we know happened]
Severity assessment: SEV-[1/2/3]
What we do not yet know:
- [List unknowns — scope of impact, whether data was accessed, root cause]
Actions taken so far:
- IR team activated at [time]
- Legal counsel notified
- [Specific containment actions if applicable]
Next update: [Specific time, e.g., "in 4 hours or when we have material new information"]
Who is managing this: [CISO name] leads technical response; [CEO name] owns executive decisions. Contact: [CISO mobile]
Customer Notification (After Legal Review)
Subject: Important Security Notice — [Company Name]
We are writing to inform you of a security incident that may have affected your data.
What happened: On [DATE], we detected [brief, factual description of the incident — e.g., "unauthorized access to our systems"]. We identified this on [DISCOVERY DATE] and immediately launched an investigation.
What information was involved: Based on our investigation, the following types of information may have been accessed: [list data types — e.g., names, email addresses, [if applicable: payment card information]].
Your [specific data types] [were / were not] affected.
What we are doing: We have [list specific actions: engaged leading cybersecurity firm, notified relevant authorities, implemented additional security controls, etc.].
What you can do:
- [Specific actionable steps for customers]
- Monitor your accounts for unusual activity
- [If passwords: reset your password at X]
- [If payment data: contact your bank to monitor for unauthorized charges]
- Contact our dedicated support line at [contact] with any concerns
For more information: We have set up a dedicated resource page at [URL]. Our support team is available at [contact].
We take the security of your data extremely seriously and deeply regret this incident occurred.
[CEO/CISO Name] [Title], [Company Name]
Regulator Notification — GDPR (72-hour requirement)
To: [Relevant Supervisory Authority — e.g., BfDI (Germany), CNIL (France), ICO (UK)] Subject: Personal Data Breach Notification — [Company Name] — [Reference Number if applicable]
1. Nature of the breach: [Description of what occurred, including how it happened]
2. Categories and approximate number of data subjects concerned: [e.g., "Approximately [X] customers whose [name, email, account data] may have been accessed"]
3. Categories and approximate number of personal data records concerned: [e.g., "Approximately [X] records containing [data categories]"]
4. Likely consequences of the breach: [Risk assessment: what harm could data subjects face?]
5. Measures taken or proposed: [Containment actions, remediation plan, customer notification plan]
6. Contact details of the Data Protection Officer or other contact point: [Name, role, email, phone]
Note: This is an initial notification; we will provide supplemental information as our investigation continues.
Media Statement (Reactive — When Contacted)
"[Company Name] is aware of a security incident that we identified on [date]. We immediately activated our incident response team and launched a comprehensive investigation. We have notified affected customers and relevant regulatory authorities as required. The security and privacy of our customers' data is our top priority, and we are committed to transparency as our investigation proceeds. We will provide updates at [URL]. We cannot provide additional details at this time to protect the integrity of our investigation."
What not to say to media:
- Number of affected users (until confirmed and disclosed to customers first)
- Cause of the incident (until investigation is complete)
- Financial impact (speculation creates liability)
- Anything that could be construed as minimizing the incident
4. Tabletop Exercise Design
Purpose
Test the decision-making and communication processes — not the technical response. The goal is to surface gaps in escalation, communication, and judgment before a real incident.
Recommended Frequency
- Annual full tabletop (2–3 hours, full leadership team)
- Semi-annual mini-tabletop (45 minutes, CISO + legal + CEO)
- Quarterly technical team exercise (separate from executive tabletop)
Sample Tabletop Scenario: Ransomware
Setup (read to participants):
It's 6:47 AM on a Monday. Your DevOps engineer receives automated alerts that production databases are inaccessible. By 7:15 AM, they discover a ransomware note demanding $500,000 in Bitcoin. Several files are already encrypted. Your last verified backup was 48 hours ago. Your business is B2B SaaS serving 200 enterprise customers. You process customer financial data.
Discussion questions (timed, 10 minutes each):
- First 30 minutes — who do you call, in what order? Who decides whether to take production offline?
- Legal assessment — what regulatory obligations have been triggered? What's the timeline?
- Hour 4 — initial forensics suggests data may have been exfiltrated before encryption. How does your response change?
- Customer communication — how do you communicate with enterprise customers who are asking for status?
- Hour 24 — do you pay the ransom? Who makes this decision? What's the decision framework?
- The press has found out and a reporter is calling. What do you say?
- Day 5 — what's your board communication strategy?
Post-discussion captures:
- What decisions were unclear (ownership ambiguous)?
- What information did you need but didn't have?
- What processes did not exist that should?
- What would you do differently in the first hour?
Sample Tabletop Scenario: Insider Threat
Setup:
HR notifies you that an engineer was terminated this morning for performance reasons. 24 hours later, your SIEM generates an alert that this former employee's credentials accessed your customer database 30 minutes before their offboarding was complete. They downloaded 50,000 customer records. You don't know if they shared or sold the data.
Key decision points:
- When does this become a breach vs. a security incident?
- Do you notify customers? When?
- What are your legal options against the former employee?
- How do you handle this with the rest of the engineering team?
5. Post-Incident Review Framework
Timeline
Conduct within 30 days of incident resolution. Do not delay — memory fades and teams move on.
Blameless Post-Mortem Principles
The purpose is to improve systems and processes, not punish individuals. A blame culture means the next incident gets hidden longer.
Post-Incident Review Structure
1. Incident Timeline (factual, no editorializing)
- Hour-by-hour reconstruction from detection to resolution
- Source: logs, Slack messages, incident ticket, war room notes
2. Root Cause Analysis Use the "5 Whys" technique — keep asking why until you reach a systemic root cause, not a human error.
Example:
- Why was there a breach? → Attacker compromised an admin account
- Why was the admin account compromised? → Credentials stolen via phishing
- Why did phishing succeed? → User wasn't trained on this attack type
- Why wasn't training current? → Training program hadn't been updated in 18 months
- Why hadn't it been updated? → No owner was assigned to maintain the training program
- Root cause: No assigned ownership for security training maintenance
3. What Went Well
- Detection mechanisms that worked
- Response actions that contained damage
- Communication that was effective
- Teams that exceeded expectations
4. What Needs Improvement
- Detection gaps (how could we have found this faster?)
- Response gaps (what slowed us down?)
- Communication gaps (who didn't know what, when?)
- Process gaps (what didn't we have documented?)
5. Action Items (with owners and deadlines)
| Action | Owner | Due Date | Priority |
|---|---|---|---|
| [Specific improvement] | [Name] | [Date] | [P0/P1/P2] |
6. Metrics Review
- MTTD (Mean Time to Detect): [actual] vs. [target]
- MTTR (Mean Time to Respond): [actual] vs. [target]
- Customer impact: [affected customers, duration]
- Financial impact: [direct costs, revenue impact]
- Regulatory impact: [notifications sent, fines if any]
6. Insurance and Legal Considerations
Cyber Insurance
What to have before an incident:
- Cyber liability policy with minimum $2M coverage (Series A); $5M+ (Series B+)
- Coverage should include: first-party loss, third-party liability, ransomware, business interruption, regulatory defense
- Pre-approved IR firms on your policy (using an approved firm can expedite claims)
- Notification requirements — know your insurer's required timeline (typically 48–72 hours)
Policy exclusions to watch:
- "War exclusion" — increasingly contested for nation-state attacks (NotPetya precedent)
- "Systemic risk" — some policies exclude widespread events affecting many insureds simultaneously
- "Prior acts" — incidents that began before policy inception
- "Failure to maintain reasonable security" — don't give your insurer a reason to deny
Premium factors:
- Revenue and data volume
- Security control maturity (MFA, EDR, backup, patch management)
- Industry (healthcare, financial services = higher premium)
- Claims history
Ballpark premiums:
- Seed/Series A ($1–10M ARR): $8,000–$25,000/yr
- Series B ($10–50M ARR): $25,000–$75,000/yr
- Series C+ ($50M+ ARR): $75,000–$250,000/yr
Legal Counsel
Have on retainer before an incident:
- Cybersecurity/privacy attorney — breach notification, regulatory response
- General counsel — contracts, employment law (insider threats), litigation
- Consider: a law firm with data breach notification experience by jurisdiction
Attorney-client privilege: Once legal counsel is involved in an incident, communications and work product may be privileged. Engage counsel early to maximize privilege protection.
Key legal decisions during an incident:
- When does notification obligation clock start? (Legal determines this)
- Is this a breach or an incident? (Legal + CISO together)
- Who are the affected data subjects? (Legal + technical together)
- Do we pay the ransom? (Legal, CEO, board — never CISO alone)
- Do we cooperate with law enforcement? (Legal decision, involves trade-offs)
Law Enforcement
FBI Internet Crime Complaint Center (IC3): File a complaint for ransomware or significant cybercrime. Does not obligate you to cooperate but creates a record.
Pros of law enforcement involvement:
- Access to threat intelligence they may have
- May recover funds in some cases (rare)
- Demonstrates good-faith response to regulators
Cons of law enforcement involvement:
- Loss of control over investigation timeline
- Potential for public disclosure if case pursued
- Slows ransom payment decisions (if considering)
- May create discovery obligations in litigation
CISO recommendation: Notify legal before contacting law enforcement. In most cases, file an IC3 complaint but don't actively engage FBI investigation unless there's a clear benefit.
Security Strategy Reference
1. Risk-Based Security (Not Compliance-First)
The Problem with Compliance-First Security
Most startups build security backwards: they get a compliance requirement (SOC 2, ISO 27001) and treat it as the security program. This produces:
- Controls that pass audits but don't reduce actual risk
- Resources allocated to documentation over protection
- Security teams optimizing for auditor satisfaction, not threat reduction
- False confidence ("we passed our audit") before real security exists
The right order:
- Identify your actual threats (what do adversaries want from you?)
- Identify your crown jewels (what's worth protecting most?)
- Implement controls that address those threats to those assets
- Map existing controls to compliance requirements — most overlap naturally
Risk Identification Framework
Asset Classification:
Tier 1 — Crown Jewels
├── Customer PII/PHI
├── Payment card data
├── Intellectual property (source code, models, trade secrets)
└── Authentication credentials and secrets
Tier 2 — Business Critical
├── Internal communications (Slack, email)
├── Financial systems and data
├── Employee data
└── Business strategy documents
Tier 3 — Operational
├── Internal tooling and infrastructure configs
├── Non-sensitive operational data
└── Public-facing content and marketingThreat Actor Profiling:
| Threat Actor | Motivation | Typical TTPs | Relative Likelihood |
|---|---|---|---|
| Financially motivated criminals | Data theft, ransomware | Phishing, credential stuffing | High |
| Nation-state | IP theft, espionage | Spear phishing, supply chain | Low-Medium (sector-dependent) |
| Insider threat | Financial gain, revenge | Privilege abuse, data exfil | Medium |
| Script kiddies | Notoriety, fun | Known CVEs, scanning | High (low sophistication) |
| Competitors | IP theft | Social engineering, insider recruitment | Low-Medium |
Risk Quantification (FAIR Model Simplified)
Annual Loss Expectancy:
ALE = SLE × ARO
SLE (Single Loss Expectancy) = Asset Value × Exposure Factor
ARO (Annual Rate of Occurrence) = historical frequency or industry estimateBusiness Impact Categories:
- Direct financial loss: fraud, ransomware payment, theft
- Regulatory fines: GDPR (4% global revenue), HIPAA ($100–$50K per violation), PCI DSS
- Revenue impact: customer churn post-breach, deal loss during incident, downtime cost
- Reputational damage: brand devaluation (harder to quantify, but real)
- Legal costs: incident response counsel, class action defense, settlements
Example Risk Quantification:
| Risk Scenario | SLE | ARO | ALE |
|---|---|---|---|
| Customer data breach (10K records) | $850K | 0.15 | $127,500/yr |
| Ransomware attack | $350K | 0.20 | $70,000/yr |
| Credential compromise + fraud | $120K | 0.35 | $42,000/yr |
| Third-party SaaS breach | $95K | 0.25 | $23,750/yr |
| Insider data exfiltration | $180K | 0.10 | $18,000/yr |
Mitigation ROI:
ROSI = (Risk Reduction × ALE) - Control Cost
────────────────────────────────────
Control Cost
Example: MFA deployment
Risk reduction: 99% for credential attacks
ALE reduced: $42,000 × 0.99 = $41,580
Control cost: $5,000/yr
ROSI: ($41,580 - $5,000) / $5,000 = 731%2. Zero Trust Architecture at Strategy Level
What Zero Trust Actually Means
Zero trust is not a product — it's an architectural principle: never trust, always verify, assume breach.
The traditional perimeter model (trust inside the network, distrust outside) fails because:
- Remote work destroyed the perimeter
- Cloud infrastructure has no perimeter
- 80% of breaches involve privileged account abuse (internal trust abused)
- Supply chain attacks compromise trusted software
Zero Trust Maturity Model
Stage 1 — Identity-Centric (Start Here)
- MFA enforced for all users, all applications
- Identity provider (Okta, Azure AD, Google Workspace) as single control plane
- No shared service accounts
- Privileged Access Management (PAM) for admin access
- Cost: $20–80K/year | Timeline: 3–6 months
Stage 2 — Device Trust
- Endpoint detection and response (EDR) on all devices
- Device health checks before granting access
- Mobile device management (MDM) for BYOD
- Certificate-based device authentication
- Cost: $30–60K/year additional | Timeline: 6–12 months
Stage 3 — Network Micro-Segmentation
- Replace VPN with Zero Trust Network Access (ZTNA)
- Segment production from development from corporate
- East-west traffic inspection (not just north-south)
- Cost: $40–100K/year additional | Timeline: 12–18 months
Stage 4 — Application-Level Controls
- Just-in-time access (no standing privileges)
- Workload identity for service-to-service auth
- API gateway with authentication enforcement
- Continuous authorization (not just at login)
- Cost: $50–150K/year additional | Timeline: 18–30 months
Strategic Guidance:
- Don't sell zero trust as a project. It's a 3–5 year direction.
- Start with identity. It gives the most risk reduction per dollar.
- Measure progress by % of access covered by MFA, % of apps behind IdP, privilege account count.
3. Defense in Depth for Startups
The Layered Security Model
Layer 1: Governance & Policies
└── Asset inventory, acceptable use, vendor management
Layer 2: Perimeter Controls
└── WAF, DDoS protection, email security (DMARC/DKIM/SPF)
Layer 3: Identity & Access
└── MFA, SSO, PAM, just-in-time access, least privilege
Layer 4: Endpoint Security
└── EDR, device management, patch management
Layer 5: Application Security
└── SAST/DAST, dependency scanning, code review, API security
Layer 6: Data Protection
└── Encryption at rest and in transit, DLP, backup/recovery
Layer 7: Detection & Response
└── SIEM/SOAR, log aggregation, alerting, incident response
Layer 8: Recovery
└── Backup testing, DR plan, RTO/RPO targetsStartup Security Budget Allocation (Guidance)
| Stage | Annual Revenue | Recommended Security Budget | Priority Spend |
|---|---|---|---|
| Pre-seed/Seed | <$1M | 3–5% opex or $50–100K | MFA, backups, basic EDR |
| Series A | $1–10M | 2–4% revenue | +SIEM, SOC 2 Type I, AppSec |
| Series B | $10–50M | 3–5% revenue | +ZTNA, Red team, dedicated CISO |
| Series C+ | $50M+ | 4–6% revenue | +SOC, threat intelligence, M&A security |
Non-negotiables regardless of stage:
- MFA on everything (particularly email, cloud consoles, code repos)
- Automated backups with tested restore (ransomware defense)
- Secrets management (no hardcoded credentials)
- Dependency vulnerability scanning in CI/CD
- Incident response plan (even a 2-page doc is better than nothing)
4. Security Program Maturity Model
Based on NIST CSF and CMMI, simplified for startup context:
Level 1: Initial
- No formal policies
- Reactive security (respond to incidents, not prevent them)
- No dedicated security personnel
- Basic hygiene gaps (unpatched systems, shared passwords)
- Typical: Pre-seed, <20 employees
Level 2: Developing
- Written security policies (even if not fully followed)
- Dedicated security responsibility (often part-time or dual-role)
- MFA deployed, basic asset inventory
- Incident response process documented
- SOC 2 Type I achievable from here in ~6 months
- Typical: Series A, 20–50 employees
Level 3: Defined
- Security integrated into SDLC
- Dedicated security lead or vCISO
- Regular vulnerability scanning and patching
- Security awareness training program
- SOC 2 Type II and ISO 27001 achievable
- Typical: Series B, 50–150 employees
Level 4: Managed
- Risk-based security program with quantified risks
- Security metrics reported to board quarterly
- Threat intelligence program
- Dedicated security team (3–8 people)
- Red team / penetration testing annually
- Typical: Series C+, 150–500 employees
Level 5: Optimized
- Continuous monitoring and automated response
- Proactive threat hunting
- Industry leadership on security (bug bounty, disclosure program)
- Security as competitive advantage in sales
- Typical: Public company or regulated enterprise
Maturity Assessment Questions
- Can you list all systems that process customer data right now?
- How long would it take to detect if an admin credential was compromised?
- When was your last backup tested with a restore?
- Do developers run any security checks before code is deployed?
- Does the board receive security reporting? What's in it?
Score: 0 = no/don't know, 1 = partially, 2 = yes/verified
- 0–3: Level 1–2
- 4–7: Level 2–3
- 8–10: Level 3–4
5. Board-Level Security Reporting
What the Board Cares About
Boards are not interested in CVE counts or firewall rules. They care about:
- Risk posture: Are we getting better or worse?
- Regulatory exposure: What fines could we face?
- Incident readiness: If we're breached, are we prepared?
- Competitive position: Do customers trust us with their data?
- Budget adequacy: Are we investing appropriately?
Quarterly Board Security Report Structure
Executive Summary (1 page max)
- Security posture score vs. last quarter (directional trend matters more than absolute)
- Top 3 risks and their business impact in dollars
- Key accomplishments this quarter
- Investment requested (if any)
Risk Dashboard
Risk Register Summary:
├── Critical (>$500K ALE): [count] risks, [count] mitigated
├── High ($100K–$500K ALE): [count] risks, [count] mitigated
├── Medium ($10K–$100K ALE): [count] risks
└── Low (<$10K ALE): [count] risks (for awareness only)
Trend: ↑ Risk exposure vs. Q[n-1] / ↓ Risk exposure vs. Q[n-1]Compliance Status
- Framework certifications in scope and current status
- Next audit date
- Any findings from last audit and remediation status
Incident Summary
- Security incidents last quarter (count and severity)
- Time to detect / time to respond (vs. targets)
- Any regulatory reporting obligations triggered
Key Metrics (4–6 max)
- MFA adoption rate
- Critical patch SLA compliance
- Phishing simulation click rate (trend)
- Vendor assessments completed
Budget Summary
- Spend vs. budget
- Headcount
- Next quarter key investments and rationale
Common Board Questions to Prepare For
- "Have we been breached?" (Know your detection capability, not just your answer)
- "How do we compare to peers?" (Benchmarks from Verizon DBIR, industry ISACs)
- "What's the one thing we should invest in?" (Have a clear answer)
- "If we're acquired, what would security due diligence find?" (Be honest)
- "What keeps you up at night?" (Have a real answer, not a vague one)
6. Security as Revenue Enabler
The Sales Angle
For B2B companies, security certifications directly impact revenue:
- Enterprise buyers require SOC 2 as table stakes (increasingly SOC 2 Type II)
- Government and healthcare require ISO 27001 or HIPAA
- Passing security questionnaires faster closes deals faster
- A breach costs 10–30% customer churn; security investment is churn prevention
How to Measure:
- Deals blocked by security questionnaire failures (track in CRM)
- Average security questionnaire turnaround time
- Customer security reviews passed vs. failed
- Revenue attributed to new compliance certifications
The Trust Narrative
Position security certifications in marketing:
- SOC 2 Type II: "Independently audited security controls, verified annually"
- ISO 27001: "Internationally certified information security management"
- HIPAA BAA: "Healthcare data protection to regulatory standards"
These aren't just compliance — they're trust signals that compress the sales cycle.
#!/usr/bin/env python3
"""
CISO Compliance Tracker
========================
Tracks compliance requirements across SOC 2, ISO 27001, HIPAA, and GDPR.
Shows control overlaps, estimates effort and cost, and prioritizes by business value.
Usage:
python compliance_tracker.py # Run with sample data
python compliance_tracker.py --json # JSON output
python compliance_tracker.py --csv output.csv # Export CSV
python compliance_tracker.py --framework soc2 # Show single framework
python compliance_tracker.py --gap-analysis # Show unaddressed requirements
python compliance_tracker.py --roadmap # Show sequenced roadmap
"""
import json
import csv
import sys
import argparse
from datetime import datetime, date
from typing import Optional
# ─── Framework Definitions ───────────────────────────────────────────────────
FRAMEWORKS = {
"soc2": {
"name": "SOC 2 Type II",
"full_name": "AICPA Trust Service Criteria — Security",
"typical_timeline_months": 12,
"typical_cost_usd": 65_000, # Audit + platform
"annual_maintenance_usd": 40_000,
"business_value": "Enterprise sales unblock, US market table stakes",
"mandatory_for": ["B2B SaaS selling to enterprise US companies"],
},
"iso27001": {
"name": "ISO 27001:2022",
"full_name": "Information Security Management System",
"typical_timeline_months": 15,
"typical_cost_usd": 95_000,
"annual_maintenance_usd": 30_000,
"business_value": "EU enterprise sales, global credibility",
"mandatory_for": ["EU enterprise customers", "Government contracts"],
},
"hipaa": {
"name": "HIPAA",
"full_name": "Health Insurance Portability and Accountability Act",
"typical_timeline_months": 7,
"typical_cost_usd": 75_000,
"annual_maintenance_usd": 20_000,
"business_value": "Healthcare customer access, BAA execution",
"mandatory_for": ["Business Associates", "Companies handling PHI"],
},
"gdpr": {
"name": "GDPR",
"full_name": "General Data Protection Regulation (EU) 2016/679",
"typical_timeline_months": 5,
"typical_cost_usd": 45_000,
"annual_maintenance_usd": 15_000,
"business_value": "EU market access, legal compliance",
"mandatory_for": ["EU-based companies", "Any company with EU user data"],
},
}
# ─── Control Domain Library ──────────────────────────────────────────────────
def build_control_domain(
domain_id: str,
name: str,
description: str,
soc2_ref: Optional[str],
iso27001_ref: Optional[str],
hipaa_ref: Optional[str],
gdpr_ref: Optional[str],
effort_days: int, # Estimated implementation effort in person-days
cost_usd: int, # Estimated implementation cost (tooling + time)
implementation_notes: str,
status: str = "Not Started", # Not Started | In Progress | Implemented | Verified
owner: Optional[str] = None,
target_date: Optional[str] = None,
) -> dict:
"""Build a control domain record."""
frameworks_applicable = []
if soc2_ref:
frameworks_applicable.append("soc2")
if iso27001_ref:
frameworks_applicable.append("iso27001")
if hipaa_ref:
frameworks_applicable.append("hipaa")
if gdpr_ref:
frameworks_applicable.append("gdpr")
return {
"domain_id": domain_id,
"name": name,
"description": description,
"references": {
"soc2": soc2_ref,
"iso27001": iso27001_ref,
"hipaa": hipaa_ref,
"gdpr": gdpr_ref,
},
"frameworks_applicable": frameworks_applicable,
"framework_count": len(frameworks_applicable),
"effort_days": effort_days,
"cost_usd": cost_usd,
"implementation_notes": implementation_notes,
"status": status,
"owner": owner,
"target_date": target_date,
}
def load_control_library() -> list[dict]:
"""
Core control domains mapped across SOC 2, ISO 27001, HIPAA, and GDPR.
Each domain represents a logical grouping of controls.
"""
controls = []
controls.append(build_control_domain(
domain_id="IAM-001",
name="Identity and Access Management",
description=(
"Unique user identities, MFA enforcement, SSO, least privilege access, "
"role-based access control, access provisioning and de-provisioning workflows."
),
soc2_ref="CC6.1, CC6.2, CC6.3",
iso27001_ref="A.5.15, A.5.16, A.5.17, A.5.18",
hipaa_ref="§164.312(a)(2)(i), §164.308(a)(3)",
gdpr_ref="Art. 32(1)(b)",
effort_days=15,
cost_usd=25_000, # SSO + MFA tooling
implementation_notes=(
"Deploy IdP (Okta/Azure AD/Google Workspace). Enforce MFA on all applications. "
"Document access provisioning process. Implement quarterly access reviews."
),
status="In Progress",
owner="IT/Security",
))
controls.append(build_control_domain(
domain_id="ENC-001",
name="Encryption at Rest and in Transit",
description=(
"Encryption of sensitive data stored in databases, file systems, and backups. "
"TLS 1.2+ for all data in transit. Key management and rotation."
),
soc2_ref="CC6.7",
iso27001_ref="A.8.24",
hipaa_ref="§164.312(a)(2)(iv), §164.312(e)(2)(ii)",
gdpr_ref="Art. 32(1)(a)",
effort_days=10,
cost_usd=8_000,
implementation_notes=(
"Enable encryption at rest on all databases (RDS, S3, etc.). "
"Configure TLS on all services. Use KMS for key management. "
"Document encryption standards in a security policy."
),
status="Implemented",
owner="Engineering",
))
controls.append(build_control_domain(
domain_id="LOG-001",
name="Audit Logging and Monitoring",
description=(
"Comprehensive logging of user activity, system events, and security events. "
"Log integrity protection. SIEM or log aggregation. Alerting on anomalies."
),
soc2_ref="CC7.2, CC7.3",
iso27001_ref="A.8.15, A.8.16, A.8.17",
hipaa_ref="§164.312(b)",
gdpr_ref="Art. 32(1)(b)",
effort_days=20,
cost_usd=30_000, # SIEM tooling
implementation_notes=(
"Centralize logs from application, infrastructure, and cloud provider. "
"Define log retention (minimum 1 year). Set up alerting for authentication "
"failures, privilege escalation, data export events."
),
status="Not Started",
owner="DevOps/Security",
))
controls.append(build_control_domain(
domain_id="IR-001",
name="Incident Response",
description=(
"Documented incident response plan. Defined severity levels. Escalation procedures. "
"Communication templates. Annual tabletop exercise. Post-incident review process."
),
soc2_ref="CC7.3, CC7.4, CC7.5",
iso27001_ref="A.5.24, A.5.25, A.5.26, A.5.27, A.5.28",
hipaa_ref="§164.308(a)(6)",
gdpr_ref="Art. 33, Art. 34",
effort_days=12,
cost_usd=10_000,
implementation_notes=(
"Write IR plan covering detection, containment, eradication, recovery, communication. "
"Define breach notification timelines (GDPR: 72 hours, HIPAA: 60 days). "
"Run annual tabletop exercise. Retain IR firm on retainer."
),
status="In Progress",
owner="CISO",
))
controls.append(build_control_domain(
domain_id="VM-001",
name="Vulnerability Management and Patching",
description=(
"Regular vulnerability scanning of infrastructure and applications. "
"Defined patch SLAs by severity. Penetration testing program. "
"Dependency vulnerability scanning in CI/CD."
),
soc2_ref="CC7.1",
iso27001_ref="A.8.8",
hipaa_ref="§164.308(a)(1)(ii)(A)",
gdpr_ref="Art. 32(1)(d)",
effort_days=15,
cost_usd=20_000,
implementation_notes=(
"Deploy infrastructure scanner (Tenable, Qualys, AWS Inspector). "
"Add SAST/DAST to CI/CD pipeline. Define patch SLAs: Critical <24h, High <7d, "
"Medium <30d. Conduct annual pentest."
),
status="In Progress",
owner="DevOps/Security",
))
controls.append(build_control_domain(
domain_id="VRISK-001",
name="Vendor and Third-Party Risk Management",
description=(
"Inventory of all third-party vendors with data access. Tiered risk assessment "
"process. Contractual security requirements. Annual reviews for critical vendors."
),
soc2_ref="CC9.2",
iso27001_ref="A.5.19, A.5.20, A.5.21, A.5.22",
hipaa_ref="§164.308(b) Business Associate Agreements",
gdpr_ref="Art. 28 Data Processing Agreements",
effort_days=10,
cost_usd=8_000,
implementation_notes=(
"Build vendor inventory spreadsheet. Tier vendors (Tier 1: PII access, "
"Tier 2: business data, Tier 3: no data). Execute DPAs for all processors (GDPR). "
"Execute BAAs for PHI processors (HIPAA). Annual security questionnaire for Tier 1."
),
status="Not Started",
owner="Legal/Security",
))
controls.append(build_control_domain(
domain_id="RISK-001",
name="Risk Assessment and Treatment",
description=(
"Formal risk assessment methodology. Risk register maintained. "
"Risk treatment decisions documented. Annual risk review cycle."
),
soc2_ref="CC3.1, CC3.2, CC3.3, CC3.4",
iso27001_ref="Clause 6.1.2, 6.1.3",
hipaa_ref="§164.308(a)(1) Security Risk Analysis",
gdpr_ref="Art. 32, Art. 35 DPIA",
effort_days=15,
cost_usd=12_000,
implementation_notes=(
"Document risk methodology (FAIR, NIST, ISO 27005). Maintain risk register. "
"HIPAA: formal security risk analysis required — not optional. "
"GDPR: DPIA required for high-risk processing activities. Annual refresh."
),
status="Not Started",
owner="CISO",
))
controls.append(build_control_domain(
domain_id="TRAIN-001",
name="Security Awareness Training",
description=(
"Annual security awareness training for all employees. "
"Role-specific training for high-risk roles. Phishing simulations. "
"Training completion tracking."
),
soc2_ref="CC1.4",
iso27001_ref="A.6.3, A.6.8",
hipaa_ref="§164.308(a)(5)",
gdpr_ref="Art. 39(1)(b)",
effort_days=5,
cost_usd=8_000,
implementation_notes=(
"Deploy security training platform (KnowBe4, Proofpoint, etc.). "
"Annual training required — track completion (100% target). "
"Quarterly phishing simulations. Role-specific training for devs (secure coding), "
"finance (BEC), support (social engineering)."
),
status="Not Started",
owner="HR/Security",
))
controls.append(build_control_domain(
domain_id="CHGMGMT-001",
name="Change Management",
description=(
"Formal change management process for production changes. "
"Code review requirements. Deployment approvals. Rollback procedures. "
"Change log maintained."
),
soc2_ref="CC8.1",
iso27001_ref="A.8.32",
hipaa_ref="§164.312(c)(1) Integrity controls",
gdpr_ref="Art. 25 Privacy by design",
effort_days=10,
cost_usd=5_000,
implementation_notes=(
"Document change management policy. Require peer review for all production changes. "
"Maintain audit trail in version control. No direct production access — "
"all changes via CI/CD pipeline."
),
status="In Progress",
owner="Engineering",
))
controls.append(build_control_domain(
domain_id="BCP-001",
name="Business Continuity and Disaster Recovery",
description=(
"Business continuity plan. Disaster recovery plan with defined RTO/RPO. "
"Backup procedures with tested restores. Failover capabilities."
),
soc2_ref="A1.1, A1.2, A1.3",
iso27001_ref="A.5.29, A.5.30",
hipaa_ref="§164.308(a)(7) Contingency Plan",
gdpr_ref="Art. 32(1)(c)",
effort_days=12,
cost_usd=15_000,
implementation_notes=(
"Define RTO (<4 hours) and RPO (<1 hour) targets. Configure automated backups. "
"Test restore quarterly — paper backups that aren't tested aren't backups. "
"Document DR runbook. Annual DR exercise."
),
status="In Progress",
owner="DevOps",
))
controls.append(build_control_domain(
domain_id="ASSET-001",
name="Asset Inventory and Classification",
description=(
"Complete inventory of hardware, software, and data assets. "
"Data classification scheme. Ownership assigned to all assets. "
"Regular reconciliation."
),
soc2_ref="CC6.1",
iso27001_ref="A.5.9, A.5.10, A.5.11, A.5.12, A.5.13",
hipaa_ref="§164.310(d) Device and Media Controls",
gdpr_ref="Art. 30 Records of Processing Activities",
effort_days=8,
cost_usd=5_000,
implementation_notes=(
"Build asset register (CMDB or spreadsheet at minimum). "
"Classify data: Public, Internal, Confidential, Restricted. "
"GDPR requires RoPA (Record of Processing Activities) — data map of all PII. "
"ISO 27001 requires SoA referencing asset inventory."
),
status="Not Started",
owner="IT/Security",
))
controls.append(build_control_domain(
domain_id="ENDPOINT-001",
name="Endpoint Security",
description=(
"EDR/antivirus on all managed endpoints. Device management (MDM). "
"Full disk encryption. Patch management. BYOD policy."
),
soc2_ref="CC6.8",
iso27001_ref="A.8.1, A.8.7",
hipaa_ref="§164.310(a)(2)(iv) Workstation security",
gdpr_ref="Art. 32(1)(a)",
effort_days=8,
cost_usd=20_000,
implementation_notes=(
"Deploy EDR (CrowdStrike, SentinelOne, or Microsoft Defender for Business). "
"Enable full disk encryption (FileVault/BitLocker). "
"MDM for device management. BYOD policy documented."
),
status="In Progress",
owner="IT",
))
controls.append(build_control_domain(
domain_id="POLICY-001",
name="Security Policies and Procedures",
description=(
"Documented security policies covering acceptable use, access control, "
"incident response, data classification, vendor management, etc. "
"Annual review cycle. Employee attestation."
),
soc2_ref="CC1.2, CC1.3",
iso27001_ref="A.5.1, A.5.2",
hipaa_ref="§164.308(a)(1) Security Management Process",
gdpr_ref="Art. 24 Responsibility of the controller",
effort_days=15,
cost_usd=10_000,
implementation_notes=(
"Minimum policy set: Information Security Policy, Acceptable Use, "
"Access Control, Incident Response, Data Classification, Password, "
"Change Management, Vendor Management, Business Continuity. "
"Use policy templates from GRC platform (Vanta/Drata)."
),
status="In Progress",
owner="CISO",
))
controls.append(build_control_domain(
domain_id="PRIV-001",
name="Privacy and Data Subject Rights",
description=(
"Privacy policy and notices. Data subject rights fulfilment process "
"(access, erasure, portability). Consent management. Cookie compliance. "
"Privacy by design in product development."
),
soc2_ref=None, # Not a SOC 2 requirement (unless Privacy TSC selected)
iso27001_ref="A.5.34",
hipaa_ref="§164.524 Access, §164.528 Accounting of Disclosures",
gdpr_ref="Art. 13, 14, 15–22 (Rights), Art. 25",
effort_days=20,
cost_usd=15_000,
implementation_notes=(
"GDPR: Update privacy policy, implement DSAR process (30-day SLA), "
"build deletion capability into product. Cookie consent (PECR/ePrivacy). "
"HIPAA: Patient rights for PHI access. "
"Consider OneTrust, Termly, or CookieYes for consent management."
),
status="Not Started",
owner="Legal/Product",
))
controls.append(build_control_domain(
domain_id="NET-001",
name="Network Security and Segmentation",
description=(
"Network segmentation (production vs. development vs. corporate). "
"Firewall rules. Intrusion detection. VPN or ZTNA for remote access."
),
soc2_ref="CC6.6, CC6.7",
iso27001_ref="A.8.20, A.8.21, A.8.22",
hipaa_ref="§164.312(e)(1) Transmission security",
gdpr_ref="Art. 32(1)(a)",
effort_days=12,
cost_usd=18_000,
implementation_notes=(
"Segment production from development. WAF in front of public applications. "
"Replace VPN with ZTNA for remote access (Series B+ consideration). "
"DDoS protection (Cloudflare or AWS Shield)."
),
status="In Progress",
owner="DevOps",
))
controls.append(build_control_domain(
domain_id="PENTEST-001",
name="Penetration Testing",
description=(
"Annual external penetration test by qualified third-party firm. "
"Finding remediation tracking. Results reviewed by leadership."
),
soc2_ref="CC7.1",
iso27001_ref="A.8.8",
hipaa_ref="§164.308(a)(8) Evaluation",
gdpr_ref="Art. 32(1)(d)",
effort_days=5,
cost_usd=25_000,
implementation_notes=(
"Scope: external attack surface, application, API, and optionally social engineering. "
"Budget $15–35K for a reputable firm. Track findings in risk register. "
"Re-test critical findings within 90 days. Share pentest summary with enterprise "
"customers on request (under NDA)."
),
status="Not Started",
owner="CISO",
))
return controls
# ─── Analysis ────────────────────────────────────────────────────────────────
def calculate_framework_coverage(controls: list[dict]) -> dict:
"""Calculate per-framework coverage statistics."""
coverage = {}
for fw in FRAMEWORKS:
applicable = [c for c in controls if fw in c["frameworks_applicable"]]
implemented = [c for c in applicable if c["status"] in ("Implemented", "Verified")]
in_progress = [c for c in applicable if c["status"] == "In Progress"]
not_started = [c for c in applicable if c["status"] == "Not Started"]
total_effort = sum(c["effort_days"] for c in applicable)
remaining_effort = sum(
c["effort_days"] for c in applicable
if c["status"] not in ("Implemented", "Verified")
)
total_cost = sum(c["cost_usd"] for c in applicable)
remaining_cost = sum(
c["cost_usd"] for c in applicable
if c["status"] not in ("Implemented", "Verified")
)
pct_complete = (len(implemented) / len(applicable) * 100) if applicable else 0
coverage[fw] = {
"framework": FRAMEWORKS[fw]["name"],
"total_controls": len(applicable),
"implemented": len(implemented),
"in_progress": len(in_progress),
"not_started": len(not_started),
"pct_complete": pct_complete,
"total_effort_days": total_effort,
"remaining_effort_days": remaining_effort,
"total_cost_usd": total_cost,
"remaining_cost_usd": remaining_cost,
"gap_controls": [c["name"] for c in not_started],
}
return coverage
def find_high_leverage_controls(controls: list[dict]) -> list[dict]:
"""Controls that satisfy the most frameworks — highest ROI to implement."""
multi_fw = [c for c in controls if c["framework_count"] >= 3
and c["status"] not in ("Implemented", "Verified")]
return sorted(multi_fw, key=lambda c: (-c["framework_count"], c["effort_days"]))
def estimate_roadmap(controls: list[dict], target_frameworks: list[str]) -> list[dict]:
"""
Generate an ordered implementation roadmap for target frameworks.
Prioritize: (1) controls blocking most frameworks, (2) quick wins (low effort).
"""
applicable = [c for c in controls
if any(fw in c["frameworks_applicable"] for fw in target_frameworks)
and c["status"] not in ("Implemented", "Verified")]
# Score: (frameworks_covered × 10) - (effort_days) → higher is better
for c in applicable:
fw_overlap = len([fw for fw in target_frameworks if fw in c["frameworks_applicable"]])
c["_priority_score"] = (fw_overlap * 10) - c["effort_days"]
return sorted(applicable, key=lambda c: -c["_priority_score"])
def fmt_dollars(amount: float) -> str:
if amount >= 1_000_000:
return f"${amount/1_000_000:.1f}M"
if amount >= 1_000:
return f"${amount/1_000:.0f}K"
return f"${amount:.0f}"
def status_icon(status: str) -> str:
icons = {
"Implemented": "✅",
"Verified": "✅",
"In Progress": "🔄",
"Not Started": "⬜",
"Planned": "📋",
}
return icons.get(status, "❓")
# ─── Display ─────────────────────────────────────────────────────────────────
def print_header():
print("\n" + "=" * 80)
print(" CISO COMPLIANCE TRACKER — Multi-Framework Coverage")
print(f" Generated: {datetime.now().strftime('%Y-%m-%d %H:%M')}")
print("=" * 80)
def print_framework_summary(coverage: dict):
print("\n📋 FRAMEWORK COVERAGE SUMMARY")
print("-" * 80)
header = f"{'Framework':<20} {'Done':<6} {'WIP':<5} {'Gap':<5} {'Complete':<10} {'Remain Cost':<14} {'Remain Days'}"
print(header)
print("-" * 80)
for fw_id, data in coverage.items():
pct = f"{data['pct_complete']:.0f}%"
print(
f"{data['framework']:<20} {data['implemented']:<6} {data['in_progress']:<5} "
f"{data['not_started']:<5} {pct:<10} {fmt_dollars(data['remaining_cost_usd']):<14} "
f"{data['remaining_effort_days']} days"
)
def print_control_table(controls: list[dict], framework_filter: Optional[str] = None):
filtered = controls
if framework_filter:
filtered = [c for c in controls if framework_filter in c["frameworks_applicable"]]
title = f"CONTROL DOMAINS"
if framework_filter:
title += f" — {FRAMEWORKS[framework_filter]['name']}"
print(f"\n🔧 {title}")
print("-" * 90)
header = f"{'ID':<14} {'Control Name':<30} {'Frameworks':<8} {'Effort':<8} {'Cost':<10} {'Status'}"
print(header)
print("-" * 90)
for c in filtered:
fw_badges = "/".join(
fw.upper()[:3] for fw in ["soc2", "iso27001", "hipaa", "gdpr"]
if fw in c["frameworks_applicable"]
)
icon = status_icon(c["status"])
print(
f"{c['domain_id']:<14} {c['name'][:29]:<30} {fw_badges:<8} "
f"{c['effort_days']:>3}d {fmt_dollars(c['cost_usd']):<10} {icon} {c['status']}"
)
def print_gap_analysis(coverage: dict):
print("\n⚠️ GAP ANALYSIS — Controls Not Yet Started")
print("-" * 70)
for fw_id, data in coverage.items():
if data["gap_controls"]:
print(f"\n {data['framework']} — {len(data['gap_controls'])} gaps:")
for gap in data["gap_controls"]:
print(f" • {gap}")
def print_high_leverage(controls: list[dict]):
hl = find_high_leverage_controls(controls)
print(f"\n🎯 HIGH-LEVERAGE CONTROLS — Implement Once, Satisfy Multiple Frameworks")
print("-" * 70)
print(f"{'Control':<30} {'Frameworks':<35} {'Effort':<8} {'Cost'}")
print("-" * 70)
for c in hl:
fw_list = " + ".join(FRAMEWORKS[fw]["name"] for fw in c["frameworks_applicable"])
print(
f"{c['name'][:29]:<30} {fw_list[:34]:<35} "
f"{c['effort_days']:>3}d {fmt_dollars(c['cost_usd'])}"
)
def print_roadmap(controls: list[dict], target_frameworks: list[str]):
ordered = estimate_roadmap(controls, target_frameworks)
fw_names = " + ".join(FRAMEWORKS[fw]["name"] for fw in target_frameworks)
print(f"\n🗺️ IMPLEMENTATION ROADMAP — {fw_names}")
print("-" * 80)
print("Priority order: most framework coverage first, then quick wins")
print()
cumulative_days = 0
cumulative_cost = 0
for i, c in enumerate(ordered, 1):
cumulative_days += c["effort_days"]
cumulative_cost += c["cost_usd"]
fw_badges = ", ".join(
FRAMEWORKS[fw]["name"] for fw in target_frameworks
if fw in c["frameworks_applicable"]
)
print(f" {i:>2}. {c['name']}")
print(f" Frameworks: {fw_badges}")
print(f" Effort: {c['effort_days']} days | Cost: {fmt_dollars(c['cost_usd'])} "
f"| Cumulative: {cumulative_days}d / {fmt_dollars(cumulative_cost)}")
if c.get("owner"):
print(f" Owner: {c['owner']}")
print()
def print_framework_profiles():
print("\n💼 FRAMEWORK PROFILES")
print("-" * 70)
for fw_id, fw in FRAMEWORKS.items():
print(f"\n {fw['name']} ({fw_id.upper()})")
print(f" Timeline: ~{fw['typical_timeline_months']} months")
print(f" First-year cost: {fmt_dollars(fw['typical_cost_usd'])}")
print(f" Annual maintenance: {fmt_dollars(fw['annual_maintenance_usd'])}/yr")
print(f" Business value: {fw['business_value']}")
print(f" Required for: {', '.join(fw['mandatory_for'])}")
def export_csv(controls: list[dict], filepath: str):
fields = [
"domain_id", "name", "frameworks_applicable", "framework_count",
"effort_days", "cost_usd", "status", "owner", "target_date",
"soc2_ref", "iso27001_ref", "hipaa_ref", "gdpr_ref", "implementation_notes"
]
with open(filepath, "w", newline="") as f:
writer = csv.DictWriter(f, fieldnames=fields)
writer.writeheader()
for c in controls:
row = {k: c.get(k, "") for k in fields}
row["frameworks_applicable"] = ", ".join(c["frameworks_applicable"])
row["soc2_ref"] = c["references"].get("soc2", "")
row["iso27001_ref"] = c["references"].get("iso27001", "")
row["hipaa_ref"] = c["references"].get("hipaa", "")
row["gdpr_ref"] = c["references"].get("gdpr", "")
writer.writerow(row)
print(f"✅ Exported {len(controls)} controls to {filepath}")
# ─── Main ────────────────────────────────────────────────────────────────────
def main():
parser = argparse.ArgumentParser(
description="CISO Compliance Tracker — Multi-framework coverage and roadmap"
)
parser.add_argument("--json", action="store_true", help="Output JSON")
parser.add_argument("--csv", metavar="FILE", help="Export CSV to file")
parser.add_argument(
"--framework", metavar="FRAMEWORK",
choices=list(FRAMEWORKS.keys()),
help="Filter to single framework (soc2, iso27001, hipaa, gdpr)"
)
parser.add_argument("--gap-analysis", action="store_true", help="Show gap analysis")
parser.add_argument("--roadmap", metavar="FRAMEWORKS",
help="Sequenced roadmap for frameworks e.g. 'soc2,iso27001'")
parser.add_argument("--profiles", action="store_true", help="Show framework profiles")
parser.add_argument("--leverage", action="store_true", help="Show high-leverage controls")
args = parser.parse_args()
controls = load_control_library()
coverage = calculate_framework_coverage(controls)
if args.json:
output = {
"generated": datetime.now().isoformat(),
"frameworks": FRAMEWORKS,
"coverage": coverage,
"controls": controls,
}
print(json.dumps(output, indent=2, default=str))
return
if args.csv:
export_csv(controls, args.csv)
return
print_header()
if args.profiles:
print_framework_profiles()
return
if args.roadmap:
target_fws = [fw.strip() for fw in args.roadmap.split(",") if fw.strip() in FRAMEWORKS]
if not target_fws:
print(f"Unknown frameworks. Valid: {', '.join(FRAMEWORKS.keys())}")
sys.exit(1)
print_framework_summary(coverage)
print_roadmap(controls, target_fws)
return
print_framework_summary(coverage)
print_control_table(controls, args.framework)
if args.gap_analysis:
print_gap_analysis(coverage)
if args.leverage:
print_high_leverage(controls)
if not any([args.framework, args.gap_analysis, args.leverage]):
print_high_leverage(controls)
print_gap_analysis(coverage)
print("\n💡 NEXT STEPS")
print(" --roadmap soc2,iso27001 Priority order for dual-framework")
print(" --framework hipaa HIPAA-only control view")
print(" --gap-analysis What's not started")
print(" --leverage Controls covering most frameworks")
print(" --profiles Framework timelines and costs")
print(" --csv controls.csv Export for stakeholder review")
print()
if __name__ == "__main__":
main()
#!/usr/bin/env python3
"""
CISO Risk Quantifier
====================
Quantifies security risks in business terms using the FAIR model.
Calculates ALE (Annual Loss Expectancy) and prioritizes by expected annual loss.
Usage:
python risk_quantifier.py # Run with sample data
python risk_quantifier.py --json # Output JSON
python risk_quantifier.py --csv output.csv # Export CSV
python risk_quantifier.py --budget 500000 # Show what fits in budget
python risk_quantifier.py --add # Interactive risk entry
"""
import json
import csv
import sys
import os
import argparse
from datetime import datetime
from typing import Optional
# ─── Data Model ─────────────────────────────────────────────────────────────
RISK_CATEGORIES = [
"Data Breach",
"Ransomware / Extortion",
"Insider Threat",
"Third-Party / Supply Chain",
"Application Vulnerability",
"Cloud Misconfiguration",
"Social Engineering",
"Physical Security",
"Business Email Compromise",
"DDoS / Availability",
]
BUSINESS_IMPACT_TYPES = [
"Revenue Loss",
"Regulatory Fine",
"Legal / Litigation",
"Reputational Damage",
"Recovery / Remediation Cost",
"Customer Churn",
"Business Interruption",
]
MITIGATION_STATUSES = ["None", "Planned", "In Progress", "Mitigated", "Accepted"]
def build_risk(
name: str,
category: str,
description: str,
asset_value: float,
exposure_factor: float, # 0.0–1.0: fraction of asset value lost in breach
annual_rate: float, # ARO: expected incidents per year (0.01 = once per 100 years)
mitigation_cost: float,
mitigation_effectiveness: float, # 0.0–1.0: fraction of risk reduced by control
mitigation_status: str,
business_impacts: dict, # {impact_type: dollar_amount}
notes: str = "",
) -> dict:
"""Construct a risk record with calculated metrics."""
sle = asset_value * exposure_factor # Single Loss Expectancy
ale = sle * annual_rate # Annual Loss Expectancy (inherent)
mitigated_ale = ale * (1 - mitigation_effectiveness) # Residual after mitigation
mitigation_roi = ((ale - mitigated_ale - mitigation_cost) / mitigation_cost * 100
if mitigation_cost > 0 else 0)
total_business_impact = sum(business_impacts.values())
return {
"name": name,
"category": category,
"description": description,
"asset_value": asset_value,
"exposure_factor": exposure_factor,
"annual_rate": annual_rate,
"mitigation_cost": mitigation_cost,
"mitigation_effectiveness": mitigation_effectiveness,
"mitigation_status": mitigation_status,
"business_impacts": business_impacts,
"notes": notes,
# Calculated
"sle": sle,
"ale": ale,
"mitigated_ale": mitigated_ale,
"mitigation_roi_pct": mitigation_roi,
"total_business_impact": total_business_impact,
"priority_score": ale, # Primary sort key
}
# ─── Sample Data ─────────────────────────────────────────────────────────────
def load_sample_risks() -> list[dict]:
"""
Sample risk register for a Series B SaaS company with ~$15M ARR,
~50K customer records, B2B enterprise focus.
"""
risks = []
risks.append(build_risk(
name="Customer Database Breach",
category="Data Breach",
description=(
"Unauthorized access to production database containing 50K+ customer records "
"including PII (name, email, company, payment method). Attack vector: SQL injection, "
"compromised credentials, or insider access."
),
asset_value=5_000_000, # Value of customer database (revenue impact + regulatory)
exposure_factor=0.30, # ~30% of asset value lost in a breach event
annual_rate=0.12, # ~12% chance per year (based on Verizon DBIR industry data)
mitigation_cost=45_000, # WAF + DAST + DB activity monitoring annual cost
mitigation_effectiveness=0.80,
mitigation_status="In Progress",
business_impacts={
"Regulatory Fine": 85_000, # GDPR/CCPA exposure
"Legal / Litigation": 150_000, # Class action exposure
"Customer Churn": 300_000, # Lost ARR from breach-triggered churn
"Reputational Damage": 200_000, # Brand impact / deal loss
"Recovery / Remediation Cost": 65_000,
},
notes="SOC 2 Type II controls partially address. Next step: DB activity monitoring.",
))
risks.append(build_risk(
name="Ransomware Attack",
category="Ransomware / Extortion",
description=(
"Ransomware encrypts production systems. Average ransom demand for a "
"Series B company is $350K–$800K. Recovery without ransom payment: 2–6 weeks downtime. "
"Attack vector: phishing email with malicious attachment, RDP exposure."
),
asset_value=3_500_000,
exposure_factor=0.25,
annual_rate=0.15,
mitigation_cost=60_000, # EDR + email security + backup hardening
mitigation_effectiveness=0.85,
mitigation_status="Planned",
business_impacts={
"Business Interruption": 450_000, # 4 weeks downtime × $112K/week revenue
"Recovery / Remediation Cost": 180_000,
"Customer Churn": 125_000,
"Revenue Loss": 75_000,
},
notes="Offline, tested backups reduce recovery time and eliminate ransom pressure.",
))
risks.append(build_risk(
name="Privileged Insider Data Theft",
category="Insider Threat",
description=(
"Disgruntled or financially motivated employee with elevated access exfiltrates "
"customer data, IP, or trade secrets. Detection is typically slow (median: 197 days "
"per IBM Cost of Data Breach Report)."
),
asset_value=2_800_000,
exposure_factor=0.20,
annual_rate=0.08,
mitigation_cost=35_000, # DLP + UEBA + PAM
mitigation_effectiveness=0.65,
mitigation_status="None",
business_impacts={
"Legal / Litigation": 120_000,
"Customer Churn": 90_000,
"Reputational Damage": 75_000,
"Recovery / Remediation Cost": 40_000,
},
notes="No DLP or UEBA currently deployed. Highest detection gap.",
))
risks.append(build_risk(
name="Critical SaaS Vendor Breach (Supply Chain)",
category="Third-Party / Supply Chain",
description=(
"A critical SaaS vendor (e.g., Salesforce, Slack, AWS, GitHub) suffers a breach "
"that compromises data entrusted to them or disrupts your operations. You have "
"limited control but full liability to customers."
),
asset_value=2_200_000,
exposure_factor=0.15,
annual_rate=0.18,
mitigation_cost=20_000, # Vendor risk assessment program
mitigation_effectiveness=0.40, # Limited — you can't control vendor security
mitigation_status="Planned",
business_impacts={
"Business Interruption": 95_000,
"Customer Churn": 75_000,
"Reputational Damage": 50_000,
"Recovery / Remediation Cost": 30_000,
},
notes="Third-party risk is partially transferable via contractual SLAs and cyber insurance.",
))
risks.append(build_risk(
name="Business Email Compromise (BEC)",
category="Business Email Compromise",
description=(
"Attacker impersonates CEO, CFO, or vendor to redirect wire transfers, gift card "
"purchases, or payroll. Median BEC loss: $125K. FBI IC3 reports BEC as #1 "
"cybercrime by financial loss."
),
asset_value=500_000,
exposure_factor=0.40,
annual_rate=0.30,
mitigation_cost=12_000, # Email authentication (DMARC) + training + callback procedures
mitigation_effectiveness=0.90,
mitigation_status="In Progress",
business_impacts={
"Revenue Loss": 125_000, # Direct financial theft (often unrecoverable)
"Recovery / Remediation Cost": 25_000,
"Legal / Litigation": 15_000,
},
notes="DMARC deployed. Need to enforce wire transfer callback procedures.",
))
risks.append(build_risk(
name="Cloud Misconfiguration — S3 / Storage Exposure",
category="Cloud Misconfiguration",
description=(
"Public exposure of S3 buckets, GCS buckets, or Azure Blob storage containing "
"sensitive data. One of the most common causes of data breaches. Often undetected "
"for months. 2023 IBM study: 82% of breaches involved data stored in cloud."
),
asset_value=1_800_000,
exposure_factor=0.20,
annual_rate=0.20,
mitigation_cost=18_000, # CSPM tool + IaC scanning
mitigation_effectiveness=0.90,
mitigation_status="Planned",
business_impacts={
"Regulatory Fine": 60_000,
"Reputational Damage": 120_000,
"Legal / Litigation": 45_000,
"Recovery / Remediation Cost": 35_000,
},
notes="No CSPM currently. High frequency, high detectability, low mitigation cost.",
))
risks.append(build_risk(
name="Credential Stuffing — Customer Accounts",
category="Application Vulnerability",
description=(
"Attackers use leaked credential lists to compromise customer accounts. "
"Account takeover leads to data theft, fraudulent transactions, and support burden. "
"16 billion credentials available on darknet as of 2024."
),
asset_value=1_200_000,
exposure_factor=0.12,
annual_rate=0.40,
mitigation_cost=15_000, # MFA + rate limiting + bot detection
mitigation_effectiveness=0.95,
mitigation_status="In Progress",
business_impacts={
"Customer Churn": 80_000,
"Revenue Loss": 45_000,
"Recovery / Remediation Cost": 19_000,
"Reputational Damage": 30_000,
},
notes="MFA available but optional. Enforcing MFA cuts this risk by ~99%.",
))
risks.append(build_risk(
name="Phishing — Employee Credential Compromise",
category="Social Engineering",
description=(
"Employee clicks phishing link, surrenders credentials. Without MFA, "
"this provides full access to email, SaaS apps, and potentially production. "
"Phishing is the #1 attack vector in the Verizon DBIR."
),
asset_value=1_500_000,
exposure_factor=0.15,
annual_rate=0.35,
mitigation_cost=25_000, # MFA + security awareness training + email security
mitigation_effectiveness=0.92,
mitigation_status="In Progress",
business_impacts={
"Business Interruption": 65_000,
"Customer Churn": 55_000,
"Recovery / Remediation Cost": 45_000,
"Reputational Damage": 60_000,
},
notes="Primary vector for ransomware and BEC. MFA is the single highest-ROI control.",
))
risks.append(build_risk(
name="Application API Vulnerability",
category="Application Vulnerability",
description=(
"Unauthenticated or improperly authorized API endpoint exposes customer data "
"or administrative functions. OWASP API Security Top 10 — broken object-level "
"authorization is the most common API vulnerability."
),
asset_value=2_000_000,
exposure_factor=0.18,
annual_rate=0.15,
mitigation_cost=30_000, # DAST + API gateway + code review
mitigation_effectiveness=0.75,
mitigation_status="Planned",
business_impacts={
"Regulatory Fine": 70_000,
"Customer Churn": 90_000,
"Reputational Damage": 100_000,
"Legal / Litigation": 60_000,
},
notes="Need automated API security testing in CI/CD pipeline.",
))
risks.append(build_risk(
name="DDoS Attack — Production Service",
category="DDoS / Availability",
description=(
"Distributed denial-of-service attack renders production service unavailable. "
"Average DDoS duration: 4–8 hours. Enterprise SLA breach triggers contractual "
"penalties. Increasingly used as extortion or distraction tactic."
),
asset_value=1_000_000,
exposure_factor=0.10,
annual_rate=0.25,
mitigation_cost=15_000, # CDN with DDoS protection (Cloudflare, AWS Shield)
mitigation_effectiveness=0.85,
mitigation_status="Mitigated",
business_impacts={
"Business Interruption": 45_000,
"Customer Churn": 30_000,
"Revenue Loss": 25_000,
},
notes="Cloudflare deployed. Residual risk from very large volumetric attacks.",
))
return risks
# ─── Analysis & Reporting ────────────────────────────────────────────────────
def calculate_portfolio_summary(risks: list[dict]) -> dict:
"""Aggregate portfolio-level metrics."""
total_inherent_ale = sum(r["ale"] for r in risks)
total_mitigated_ale = sum(r["mitigated_ale"] for r in risks)
total_mitigation_cost = sum(r["mitigation_cost"] for r in risks)
risk_reduction = total_inherent_ale - total_mitigated_ale
portfolio_roi = ((risk_reduction - total_mitigation_cost) / total_mitigation_cost * 100
if total_mitigation_cost > 0 else 0)
by_category = {}
for r in risks:
cat = r["category"]
if cat not in by_category:
by_category[cat] = {"count": 0, "total_ale": 0.0}
by_category[cat]["count"] += 1
by_category[cat]["total_ale"] += r["ale"]
by_status = {}
for r in risks:
status = r["mitigation_status"]
by_status[status] = by_status.get(status, 0) + 1
return {
"total_risks": len(risks),
"total_inherent_ale": total_inherent_ale,
"total_mitigated_ale": total_mitigated_ale,
"total_risk_reduction": risk_reduction,
"total_mitigation_cost": total_mitigation_cost,
"portfolio_roi_pct": portfolio_roi,
"by_category": dict(sorted(by_category.items(), key=lambda x: -x[1]["total_ale"])),
"by_mitigation_status": by_status,
}
def prioritize_risks(risks: list[dict], budget: Optional[float] = None) -> list[dict]:
"""Return risks sorted by ALE. If budget given, show what fits."""
sorted_risks = sorted(risks, key=lambda r: -r["ale"])
if budget is None:
return sorted_risks
# Greedy budget allocation by ROI
actionable = [r for r in sorted_risks if r["mitigation_status"] in ("None", "Planned")
and r["mitigation_cost"] > 0]
actionable.sort(key=lambda r: -r["mitigation_roi_pct"])
allocated = []
remaining = budget
for risk in actionable:
if risk["mitigation_cost"] <= remaining:
allocated.append(risk)
remaining -= risk["mitigation_cost"]
return allocated
def fmt_dollars(amount: float) -> str:
"""Format a dollar amount."""
if amount >= 1_000_000:
return f"${amount/1_000_000:.2f}M"
if amount >= 1_000:
return f"${amount/1_000:.0f}K"
return f"${amount:.0f}"
def fmt_pct(value: float) -> str:
return f"{value:.1f}%"
def severity_label(ale: float) -> str:
if ale >= 200_000:
return "CRITICAL"
if ale >= 75_000:
return "HIGH"
if ale >= 25_000:
return "MEDIUM"
return "LOW"
def severity_color(label: str) -> str:
"""ANSI color codes."""
colors = {
"CRITICAL": "\033[91m", # Red
"HIGH": "\033[93m", # Yellow
"MEDIUM": "\033[94m", # Blue
"LOW": "\033[92m", # Green
}
return colors.get(label, "") + label + "\033[0m"
# ─── Display ─────────────────────────────────────────────────────────────────
def print_header():
print("\n" + "=" * 80)
print(" CISO RISK QUANTIFIER — Security Risk Portfolio")
print(f" Generated: {datetime.now().strftime('%Y-%m-%d %H:%M')}")
print("=" * 80)
def print_portfolio_summary(summary: dict):
print("\n📊 PORTFOLIO SUMMARY")
print("-" * 60)
print(f" Total risks tracked: {summary['total_risks']}")
print(f" Total inherent ALE: {fmt_dollars(summary['total_inherent_ale'])}/yr")
print(f" Total ALE after mitigations: {fmt_dollars(summary['total_mitigated_ale'])}/yr")
print(f" Risk reduction from controls: {fmt_dollars(summary['total_risk_reduction'])}/yr")
print(f" Total mitigation spend: {fmt_dollars(summary['total_mitigation_cost'])}/yr")
print(f" Portfolio ROI: {fmt_pct(summary['portfolio_roi_pct'])}")
print()
print(" Risk by Category (sorted by ALE):")
for cat, data in summary["by_category"].items():
print(f" {cat:<35} {data['count']} risks ALE: {fmt_dollars(data['total_ale'])}/yr")
print()
print(" Mitigation Status:")
for status, count in summary["by_mitigation_status"].items():
print(f" {status:<20} {count} risks")
def print_risk_table(risks: list[dict], title: str = "RISK REGISTER"):
print(f"\n🎯 {title}")
print("-" * 80)
header = f"{'#':<3} {'Risk Name':<35} {'Severity':<10} {'ALE/yr':<12} {'Mitig Cost':<12} {'ROI':<8} {'Status':<12}"
print(header)
print("-" * 80)
for i, risk in enumerate(risks, 1):
sev = severity_label(risk["ale"])
sev_str = sev.ljust(10)
roi = fmt_pct(risk["mitigation_roi_pct"]) if risk["mitigation_cost"] > 0 else "N/A"
print(
f"{i:<3} {risk['name'][:34]:<35} {sev_str} "
f"{fmt_dollars(risk['ale']):<12} {fmt_dollars(risk['mitigation_cost']):<12} "
f"{roi:<8} {risk['mitigation_status']}"
)
def print_risk_detail(risk: dict, index: int):
sev = severity_label(risk["ale"])
print(f"\n{'─' * 70}")
print(f" #{index} — {risk['name']} [{sev}]")
print(f"{'─' * 70}")
print(f" Category: {risk['category']}")
print(f" Description: {risk['description'][:120]}...")
print()
print(f" RISK CALCULATION:")
print(f" Asset Value: {fmt_dollars(risk['asset_value'])}")
print(f" Exposure Factor: {fmt_pct(risk['exposure_factor'] * 100)}")
print(f" Single Loss Expectancy: {fmt_dollars(risk['sle'])}")
print(f" Annual Rate (ARO): {risk['annual_rate']:.2f}x/year")
print(f" Annual Loss Expectancy: {fmt_dollars(risk['ale'])}/yr ← INHERENT RISK")
print()
print(f" MITIGATION:")
print(f" Mitigation Cost: {fmt_dollars(risk['mitigation_cost'])}/yr")
print(f" Effectiveness: {fmt_pct(risk['mitigation_effectiveness'] * 100)}")
print(f" Residual ALE: {fmt_dollars(risk['mitigated_ale'])}/yr")
print(f" Mitigation ROI: {fmt_pct(risk['mitigation_roi_pct'])}")
print(f" Status: {risk['mitigation_status']}")
print()
print(f" BUSINESS IMPACT BREAKDOWN:")
for impact_type, amount in risk["business_impacts"].items():
print(f" {impact_type:<30} {fmt_dollars(amount)}")
print(f" {'TOTAL':<30} {fmt_dollars(risk['total_business_impact'])}")
if risk["notes"]:
print(f"\n NOTES: {risk['notes']}")
def print_board_summary(risks: list[dict], summary: dict):
"""One-page board-ready summary."""
print("\n" + "═" * 80)
print(" BOARD SECURITY REPORT — Risk Summary")
print("═" * 80)
critical = [r for r in risks if severity_label(r["ale"]) == "CRITICAL"]
high = [r for r in risks if severity_label(r["ale"]) == "HIGH"]
medium = [r for r in risks if severity_label(r["ale"]) == "MEDIUM"]
low = [r for r in risks if severity_label(r["ale"]) == "LOW"]
print(f"\n RISK EXPOSURE SUMMARY")
print(f" ┌─────────────┬────────┬──────────────┐")
print(f" │ Severity │ Count │ Total ALE/yr │")
print(f" ├─────────────┼────────┼──────────────┤")
for label, group in [("Critical", critical), ("High", high), ("Medium", medium), ("Low", low)]:
ale = sum(r["ale"] for r in group)
print(f" │ {label:<11} │ {len(group):<6} │ {fmt_dollars(ale):<12} │")
print(f" └─────────────┴────────┴──────────────┘")
print(f"\n TOTAL INHERENT RISK: {fmt_dollars(summary['total_inherent_ale'])}/yr")
print(f" SECURITY INVESTMENT: {fmt_dollars(summary['total_mitigation_cost'])}/yr")
print(f" RESIDUAL RISK: {fmt_dollars(summary['total_mitigated_ale'])}/yr")
print(f" RISK REDUCTION: {fmt_dollars(summary['total_risk_reduction'])}/yr")
print(f" PORTFOLIO ROI: {fmt_pct(summary['portfolio_roi_pct'])}")
print(f"\n TOP 3 RISKS BY EXPECTED ANNUAL LOSS:")
top3 = sorted(risks, key=lambda r: -r["ale"])[:3]
for i, risk in enumerate(top3, 1):
print(f" {i}. {risk['name']}: {fmt_dollars(risk['ale'])}/yr expected annual loss")
print(f" Mitigation: {fmt_dollars(risk['mitigation_cost'])}/yr | "
f"Status: {risk['mitigation_status']}")
unmitigated = [r for r in risks if r["mitigation_status"] == "None"]
if unmitigated:
print(f"\n ⚠️ UNMITIGATED RISKS ({len(unmitigated)}):")
for r in sorted(unmitigated, key=lambda x: -x["ale"]):
print(f" • {r['name']}: {fmt_dollars(r['ale'])}/yr — Action required")
def export_csv(risks: list[dict], filepath: str):
fields = [
"name", "category", "asset_value", "exposure_factor", "annual_rate",
"sle", "ale", "mitigation_cost", "mitigation_effectiveness",
"mitigated_ale", "mitigation_roi_pct", "mitigation_status", "notes"
]
with open(filepath, "w", newline="") as f:
writer = csv.DictWriter(f, fieldnames=fields)
writer.writeheader()
for risk in risks:
row = {k: risk.get(k, "") for k in fields}
writer.writerow(row)
print(f"✅ Exported {len(risks)} risks to {filepath}")
def export_json(risks: list[dict]) -> str:
return json.dumps(risks, indent=2, default=str)
# ─── Interactive Entry ───────────────────────────────────────────────────────
def interactive_add_risk() -> dict:
"""Interactive CLI for adding a new risk."""
print("\n── ADD NEW RISK ──────────────────────────────────────")
name = input("Risk name: ").strip()
print(f"Category options: {', '.join(RISK_CATEGORIES)}")
category = input("Category: ").strip()
description = input("Description (brief): ").strip()
print("\nAsset valuation:")
asset_value = float(input(" Asset value ($): ").replace(",", "").replace("$", ""))
exposure_factor = float(input(" Exposure factor (0.0–1.0, fraction of value lost): "))
annual_rate = float(input(" Annual rate of occurrence (e.g., 0.10 = once per 10 years): "))
print("\nMitigation:")
mitigation_cost = float(input(" Mitigation cost ($/yr): ").replace(",", "").replace("$", ""))
mitigation_effectiveness = float(input(" Mitigation effectiveness (0.0–1.0): "))
print(f"Status options: {', '.join(MITIGATION_STATUSES)}")
mitigation_status = input(" Status: ").strip()
print("\nBusiness impacts (enter 0 to skip):")
business_impacts = {}
for impact_type in BUSINESS_IMPACT_TYPES:
val = input(f" {impact_type} ($): ").replace(",", "").replace("$", "")
amount = float(val) if val else 0
if amount > 0:
business_impacts[impact_type] = amount
notes = input("\nNotes: ").strip()
return build_risk(
name=name,
category=category,
description=description,
asset_value=asset_value,
exposure_factor=exposure_factor,
annual_rate=annual_rate,
mitigation_cost=mitigation_cost,
mitigation_effectiveness=mitigation_effectiveness,
mitigation_status=mitigation_status,
business_impacts=business_impacts,
notes=notes,
)
# ─── Main ────────────────────────────────────────────────────────────────────
def main():
parser = argparse.ArgumentParser(
description="CISO Risk Quantifier — Quantify security risks in business terms"
)
parser.add_argument("--json", action="store_true", help="Output full JSON")
parser.add_argument("--csv", metavar="FILE", help="Export CSV to file")
parser.add_argument("--budget", type=float, metavar="DOLLARS",
help="Show recommended mitigations within budget")
parser.add_argument("--board", action="store_true", help="Show board-ready summary only")
parser.add_argument("--detail", action="store_true", help="Show detailed risk breakdowns")
parser.add_argument("--add", action="store_true", help="Interactively add a risk")
args = parser.parse_args()
risks = load_sample_risks()
if args.add:
new_risk = interactive_add_risk()
risks.append(new_risk)
print(f"\n✅ Added risk: {new_risk['name']} | ALE: {fmt_dollars(new_risk['ale'])}/yr")
# Sort by ALE descending
risks_sorted = sorted(risks, key=lambda r: -r["ale"])
summary = calculate_portfolio_summary(risks_sorted)
if args.json:
output = {
"generated": datetime.now().isoformat(),
"summary": summary,
"risks": risks_sorted,
}
print(json.dumps(output, indent=2, default=str))
return
if args.csv:
export_csv(risks_sorted, args.csv)
return
print_header()
if args.board:
print_board_summary(risks_sorted, summary)
return
print_portfolio_summary(summary)
print_risk_table(risks_sorted)
if args.detail:
for i, risk in enumerate(risks_sorted, 1):
print_risk_detail(risk, i)
if args.budget:
recommended = prioritize_risks(risks_sorted, args.budget)
print(f"\n💰 BUDGET ALLOCATION — ${args.budget:,.0f}")
print(f" Recommended mitigations (sorted by ROI):")
if recommended:
for r in recommended:
print(f" • {r['name']}: {fmt_dollars(r['mitigation_cost'])}/yr "
f"| ALE reduction: {fmt_dollars(r['ale'] - r['mitigated_ale'])}/yr "
f"| ROI: {fmt_pct(r['mitigation_roi_pct'])}")
else:
print(" No actionable mitigations fit within budget.")
print_board_summary(risks_sorted, summary)
print("\n💡 NEXT STEPS")
print(" 1. Run `--detail` to see full breakdown of each risk")
print(" 2. Run `--budget 200000` to see what you can mitigate with a given budget")
print(" 3. Run `--board` for a board-ready one-page summary")
print(" 4. Run `--csv risks.csv` to export for stakeholder review")
print(" 5. Run `--add` to interactively add risks to the register")
print()
if __name__ == "__main__":
main()
Install this Skill
Skills give your AI agent a consistent, structured approach to this task — better output than a one-off prompt.
npx skills add alirezarezvani/claude-skills --skill c-level-advisor/ciso-advisor Community skill by @alirezarezvani. Need a walkthrough? See the install guide →
Works with
Prefer no terminal? Download the ZIP and place it manually.
Details
- Category
- Leadership
- License
- MIT
- Author
- @alirezarezvani
- Source
- GitHub →
- Source file
-
show path
c-level-advisor/ciso-advisor/SKILL.md
CISO security compliance SOC2 ISO27001 risk
People who install this also use
🛡️
Senior SecOps Engineer
SAST/DAST scanning automation, CVE triage and remediation, GDPR and SOC2 compliance workflows, and security operations from a senior SecOps perspective.
@alirezarezvani
🔐
Senior Security Engineer
Threat modeling, penetration testing guidance, zero-trust architecture design, and security code review from a senior security engineering perspective.
@alirezarezvani
🔐
Information Security Manager (ISO 27001)
Implement and manage an ISMS per ISO 27001/27002 — risk assessments, security controls, incident management, and certification readiness.
@alirezarezvani