ciso-advisor

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

CISO Advisor

CISO 顾问

Risk-based security frameworks for growth-stage companies. Quantify risk in dollars, sequence compliance for maximum business value, build defense-in-depth architecture, and turn security from a cost center into a sales enabler and competitive advantage.

为成长期企业提供基于风险的安全框架。以美元量化风险，规划合规顺序以实现最大业务价值，构建纵深防御架构，将安全从成本中心转变为销售赋能工具和竞争优势。

Keywords

关键词

CISO, security strategy, risk quantification, ALE, SLE, ARO, security posture, compliance roadmap, SOC 2, ISO 27001, HIPAA, GDPR, zero trust, defense in depth, incident response, board security reporting, vendor assessment, security budget, cyber risk, program maturity, penetration testing, vulnerability management, data classification, threat modeling, security awareness, phishing, MFA, IAM

CISO、安全策略、风险量化、ALE、SLE、ARO、安全态势、合规路线图、SOC 2、ISO 27001、HIPAA、GDPR、零信任、纵深防御、事件响应、董事会安全报告、供应商评估、安全预算、网络风险、程序成熟度、渗透测试、漏洞管理、数据分类、威胁建模、安全意识、钓鱼攻击、MFA、IAM

Risk Quantification Framework

风险量化框架

Every security investment must be justified in business terms. "We need better security" is not a business case. "$800K expected annual loss from this unmitigated risk" is.

每项安全投资都必须以业务术语论证合理性。“我们需要更好的安全”不是业务案例，“此未缓解风险的年度预期损失为80万美元”才是。

Core Formula

核心公式

ALE = SLE x ARO

ALE  = Annual Loss Expectancy (expected cost per year)
SLE  = Single Loss Expectancy (cost if the event occurs once)
ARO  = Annual Rate of Occurrence (probability of occurrence per year)

ALE = SLE x ARO

ALE  = Annual Loss Expectancy (年度损失预期，每年预计成本)
SLE  = Single Loss Expectancy (单次损失预期，事件发生一次的成本)
ARO  = Annual Rate of Occurrence (年度发生频率，每年发生的概率)

Risk Register Template

风险登记模板

Risk ID	Threat	Asset	SLE	ARO	ALE	Mitigation Cost	ROI	Priority
R-001	Data breach (customer PII)	Customer database	$2.5M	0.15	$375K	$120K/yr	3.1x	Critical
R-002	Ransomware	Production systems	$1.8M	0.10	$180K	$80K/yr	2.3x	High
R-003	Insider threat	Source code	$500K	0.05	$25K	$40K/yr	0.6x	Medium
R-004	DDoS	Customer-facing app	$200K	0.20	$40K	$30K/yr	1.3x	Medium
R-005	Third-party breach	Vendor with PII access	$1.2M	0.08	$96K	$25K/yr	3.8x	High

风险ID	威胁	资产	SLE	ARO	ALE	缓解成本	ROI	优先级
R-001	数据泄露（客户PII）	客户数据库	$2.5M	0.15	$375K	$120K/年	3.1x	关键
R-002	勒索软件	生产系统	$1.8M	0.10	$180K	$80K/年	2.3x	高
R-003	内部威胁	源代码	$500K	0.05	$25K	$40K/年	0.6x	中
R-004	DDoS攻击	面向客户的应用	$200K	0.20	$40K	$30K/年	1.3x	中
R-005	第三方数据泄露	可访问PII的供应商	$1.2M	0.08	$96K	$25K/年	3.8x	高

Risk Prioritization Decision Tree

风险优先级决策树

START: New risk identified
  |
  v
[Calculate ALE]
  |
  +-- ALE > $200K/yr --> CRITICAL: Board-level reporting, immediate mitigation
  |
  +-- ALE $50K-$200K --> HIGH: Quarterly review, funded mitigation plan
  |
  +-- ALE $10K-$50K --> MEDIUM: Annual review, budget if ROI > 1.5x
  |
  +-- ALE < $10K --> LOW: Accept risk, document decision, monitor

开始：识别新风险
  |
  v
[计算ALE]
  |
  +-- ALE > $200K/年 --> 关键：董事会级报告，立即缓解
  |
  +-- ALE $50K-$200K --> 高：季度评审，已规划缓解方案
  |
  +-- ALE $10K-$50K --> 中：年度评审，若ROI > 1.5x则纳入预算
  |
  +-- ALE < $10K --> 低：接受风险，记录决策，持续监控

SLE Component Breakdown

SLE 组成部分细分

Cost Component	Description	Typical Range
Direct costs	Forensics, remediation, legal	$100K-$500K
Regulatory fines	GDPR: up to 4% revenue; HIPAA: $100-$50K per record	Varies widely
Notification costs	$5-$50 per affected individual	Scale with records
Business interruption	Lost revenue during downtime	Hours x hourly revenue
Reputation damage	Customer churn, brand impact	2-5% annual revenue
Legal liability	Lawsuits, settlements	$50K-$5M+

成本组成	描述	典型范围
直接成本	取证、修复、法律费用	$100K-$500K
监管罚款	GDPR：最高年收入的4%；HIPAA：每条记录$100-$50K	差异极大
通知成本	每位受影响个人$5-$50	随记录数量递增
业务中断	停机期间的收入损失	小时数 × 每小时收入
声誉损失	客户流失、品牌影响	年收入的2-5%
法律责任	诉讼、和解费用	$50K-$5M+

Compliance Roadmap

合规路线图

Sequencing for Maximum Business Value

以最大业务价值为目标的规划顺序

Phase 1: Foundation (Months 1-3)
  Basic hygiene: MFA, endpoint protection, access controls, backups
  Cost: $20-50K   Impact: Blocks 80% of common attacks

Phase 2: SOC 2 Type I (Months 3-6)
  Policies, procedures, controls documentation
  Cost: $50-100K  Impact: Unlocks mid-market enterprise sales

Phase 3: SOC 2 Type II (Months 6-12)
  Sustained controls operation + audit
  Cost: $80-150K  Impact: Required by most enterprise buyers

Phase 4: Specialized (Months 12-18)
  ISO 27001, HIPAA, or GDPR based on market requirements
  Cost: $100-250K Impact: Market-specific requirement fulfillment

阶段1：基础搭建（第1-3个月）
  基础安全措施：MFA、终端防护、访问控制、备份
  成本：$20-50K   影响：阻止80%常见攻击

阶段2：SOC 2 Type I（第3-6个月）
  政策、流程、控制措施文档
  成本：$50-100K  影响：解锁中端企业销售

阶段3：SOC 2 Type II（第6-12个月）
  持续控制措施运营 + 审计
  成本：$80-150K  影响：多数企业客户的必备要求

阶段4：专项合规（第12-18个月）
  根据市场需求推进ISO 27001、HIPAA或GDPR
  成本：$100-250K 影响：满足特定市场要求

Compliance Framework Comparison

合规框架对比

Framework	Timeline	Cost	Best For	Customer Requirement
SOC 2 Type I	3-6 months	$50-100K	B2B SaaS selling to US companies	Most common ask
SOC 2 Type II	6-12 months	$80-150K	Sustained enterprise sales	Required for large deals
ISO 27001	9-15 months	$100-200K	European market, global companies	EU enterprise standard
HIPAA	6-12 months	$80-200K	Healthcare data handling	Healthcare vertical
GDPR	3-6 months	$30-80K	Any company with EU users	Legal requirement
PCI DSS	6-12 months	$100-300K	Payment card processing	Payment requirement
FedRAMP	12-24 months	$500K-2M	US federal government sales	Government requirement

框架	时间周期	成本	适用场景	客户需求
SOC 2 Type I	3-6个月	$50-100K	面向美国企业的B2B SaaS	最常见需求
SOC 2 Type II	6-12个月	$80-150K	持续企业销售	大型交易必备
ISO 27001	9-15个月	$100-200K	欧洲市场、全球化企业	欧盟企业标准
HIPAA	6-12个月	$80-200K	处理医疗数据	医疗垂直领域
GDPR	3-6个月	$30-80K	服务欧盟用户的任何企业	法律强制要求
PCI DSS	6-12个月	$100-300K	支付卡处理	支付场景要求
FedRAMP	12-24个月	$500K-2M	面向美国联邦政府销售	政府需求

Framework Overlap Matrix

框架重叠矩阵

Control Area	SOC 2	ISO 27001	HIPAA	GDPR
Access control	Yes	Yes	Yes	Yes
Encryption	Yes	Yes	Yes	Yes
Incident response	Yes	Yes	Yes	Yes
Risk assessment	Yes	Yes	Yes	Yes
Vendor management	Yes	Yes	Yes	Yes
Data classification	Partial	Yes	Yes	Yes
Physical security	Yes	Yes	Yes	Partial
Business continuity	Yes	Yes	Partial	Partial
Privacy by design	No	Partial	Partial	Yes

Key insight: SOC 2 + ISO 27001 share approximately 70% of controls. Do SOC 2 first, then extend to ISO 27001 with ~30% incremental effort.

控制领域	SOC 2	ISO 27001	HIPAA	GDPR
访问控制	是	是	是	是
加密	是	是	是	是
事件响应	是	是	是	是
风险评估	是	是	是	是
供应商管理	是	是	是	是
数据分类	部分	是	是	是
物理安全	是	是	是	部分
业务连续性	是	是	部分	部分
隐私设计	否	部分	部分	是

关键洞察：SOC 2 + ISO 27001约有70%的控制措施重叠。先完成SOC 2，再扩展到ISO 27001仅需约30%的增量工作。

Security Architecture Strategy

安全架构策略

Zero Trust Maturity Model

零信任成熟度模型

Level	Description	Key Controls	Timeline
0: Ad-hoc	No formal security architecture	--	Current state for most startups
1: Identity	MFA everywhere, SSO, role-based access	IAM + MFA + SSO	Months 1-3
2: Network	Network segmentation, VPN/ZTNA	Micro-segmentation, ZTNA	Months 3-6
3: Data	Data classification, encryption at rest/transit, DLP	Encryption + classification	Months 6-12
4: Monitoring	SIEM, logging, anomaly detection	Centralized logging + alerting	Months 9-15
5: Automated	Automated response, continuous verification	SOAR + automated remediation	Months 12-24

级别	描述	关键控制措施	时间周期
0: 临时阶段	无正式安全架构	--	多数初创企业当前状态
1: 身份层	全场景MFA、SSO、基于角色的访问	IAM + MFA + SSO	第1-3个月
2: 网络层	网络分段、VPN/ZTNA	微分段、ZTNA	第3-6个月
3: 数据层	数据分类、静态/传输加密、DLP	加密 + 分类	第6-12个月
4: 监控层	SIEM、日志记录、异常检测	集中式日志 + 告警	第9-15个月
5: 自动化层	自动化响应、持续验证	SOAR + 自动化修复	第12-24个月

Security Architecture Decision Tree

安全架构决策树

START: New system or feature being designed
  |
  v
[Does it handle sensitive data?]
  |
  +-- YES --> [What classification level?]
  |            |
  |            +-- PII/PHI --> Full security review + threat model
  |            +-- Business-critical --> Standard security review
  |            +-- Internal --> Lightweight checklist
  |
  +-- NO  --> [Is it internet-facing?]
              |
              +-- YES --> Standard security review + pen test
              +-- NO  --> Security checklist only

开始：新系统或功能设计
  |
  v
[是否处理敏感数据？]
  |
  +-- 是 --> [数据分类级别？]
  |            |
  |            +-- PII/PHI --> 全面安全评审 + 威胁建模
  |            +-- 业务关键数据 --> 标准安全评审
  |            +-- 内部数据 --> 轻量化检查清单
  |
  +-- 否  --> [是否面向互联网？]
              |
              +-- 是 --> 标准安全评审 + 渗透测试
              +-- 否  --> 仅安全检查清单

Defense-in-Depth Layers

纵深防御层级

Layer	Controls	Investment Priority
Identity	MFA, SSO, RBAC, privileged access management	1st (highest ROI)
Endpoint	EDR, device management, patching	2nd
Network	Segmentation, ZTNA, firewall, IDS/IPS	3rd
Application	SAST, DAST, dependency scanning, WAF	4th
Data	Encryption, DLP, classification, backup	5th
Monitoring	SIEM, logging, alerting, threat detection	6th

层级	控制措施	投资优先级
身份	MFA、SSO、RBAC、特权访问管理	第1位（最高ROI）
终端	EDR、设备管理、补丁更新	第2位
网络	分段、ZTNA、防火墙、IDS/IPS	第3位
应用	SAST、DAST、依赖扫描、WAF	第4位
数据	加密、DLP、分类、备份	第5位
监控	SIEM、日志记录、告警、威胁检测	第6位

Incident Response Protocol

事件响应协议

Severity Classification

严重程度分类

Severity	Definition	Response Time	Notification
P0: Critical	Active breach, data exfiltration, ransomware	Immediate (< 15 min)	CEO + Legal + Board
P1: High	Vulnerability being exploited, service down	< 1 hour	CTO + CEO
P2: Medium	Vulnerability discovered, suspicious activity	< 4 hours	CTO + Security team
P3: Low	Policy violation, minor misconfiguration	< 24 hours	Security team only

严重程度	定义	响应时间	通知对象
P0: 关键	活跃数据泄露、数据窃取、勒索软件	立即响应（<15分钟）	CEO + 法务 + 董事会
P1: 高	漏洞被利用、服务中断	<1小时	CTO + CEO
P2: 中	发现漏洞、可疑活动	<4小时	CTO + 安全团队
P3: 低	政策违规、轻微配置错误	<24小时	仅安全团队

Incident Response Workflow

事件响应工作流

DETECT --> CONTAIN --> ERADICATE --> RECOVER --> LEARN

Phase 1: DETECT (Minutes)
  - Identify the scope and nature of the incident
  - Classify severity (P0-P3)
  - Activate response team based on severity

Phase 2: CONTAIN (Hours)
  - Isolate affected systems
  - Preserve evidence (forensic images)
  - Prevent lateral movement
  - Communicate to stakeholders per severity matrix

Phase 3: ERADICATE (Hours-Days)
  - Remove threat actor/malware
  - Patch vulnerability that enabled the incident
  - Verify eradication is complete

Phase 4: RECOVER (Days)
  - Restore from clean backups
  - Verify system integrity
  - Monitor for re-compromise
  - Return to normal operations

Phase 5: LEARN (Days-Weeks)
  - Root cause analysis (blameless)
  - Timeline reconstruction
  - Control gap identification
  - Remediation plan with owners and deadlines

检测 --> 遏制 --> 根除 --> 恢复 --> 复盘

阶段1：检测（数分钟）
  - 确定事件范围和性质
  - 分类严重程度（P0-P3）
  - 根据严重程度激活响应团队

阶段2：遏制（数小时）
  - 隔离受影响系统
  - 保留证据（取证镜像）
  - 阻止横向移动
  - 根据严重程度矩阵向利益相关方沟通

阶段3：根除（数小时-数天）
  - 移除威胁 actor/恶意软件
  - 修复导致事件的漏洞
  - 验证根除完成

阶段4：恢复（数天）
  - 从干净备份恢复
  - 验证系统完整性
  - 监控是否再次被入侵
  - 恢复正常运营

阶段5：复盘（数天-数周）
  - 根因分析（无责式）
  - 事件时间线重建
  - 识别控制措施缺口
  - 制定带责任人与截止日期的修复计划

Regulatory Notification Timelines

监管通知时间要求

Regulation	Notification Deadline	To Whom
GDPR	72 hours	Supervisory authority + affected individuals
HIPAA	60 days	HHS + affected individuals (+ media if > 500)
State breach laws (US)	30-90 days (varies)	State AG + affected individuals
SEC (public companies)	4 business days	SEC + public disclosure
PCI DSS	Immediately	Card brands + acquiring bank

法规	通知截止时间	通知对象
GDPR	72小时	监管机构 + 受影响个人
HIPAA	60天	HHS + 受影响个人（若超过500人需通知媒体）
美国州级数据泄露法	30-90天（各州不同）	州总检察长 + 受影响个人
SEC（上市公司）	4个工作日	SEC + 公开披露
PCI DSS	立即	卡组织 + 收单银行

Vendor Security Assessment

供应商安全评估

Vendor Tiering

供应商分级

Tier	Data Access	Assessment Level	Frequency
Tier 1: Critical	PII, PHI, financial data, source code	Full security assessment + pen test review	Annual
Tier 2: Important	Business data, internal communications	Security questionnaire + SOC 2 review	Annual
Tier 3: Standard	No sensitive data access	Self-attestation + privacy policy review	Biennial
Tier 4: Minimal	No data access, no system integration	Contract review only	At contract renewal

级别	数据访问权限	评估级别	频率
1级：关键	PII、PHI、财务数据、源代码	全面安全评估 + 渗透测试评审	每年一次
2级：重要	业务数据、内部通信	安全问卷 + SOC 2评审	每年一次
3级：标准	无敏感数据访问权限	自我声明 + 隐私政策评审	每两年一次
4级：最低	无数据访问权限、无系统集成	仅合同评审	合同续签时

Vendor Assessment Checklist (Tier 1)

1级供应商评估检查清单

Domain	Key Questions	Pass/Fail Criteria
Compliance	SOC 2 Type II or ISO 27001?	Must have at least one
Encryption	Data encrypted at rest and in transit?	AES-256 + TLS 1.2+
Access	MFA enforced? RBAC implemented?	Both required
Incident response	Documented IR plan? Notification timeline?	Must have plan + 24hr notification
Business continuity	DR plan tested? RTO/RPO defined?	Must be tested within 12 months
Data handling	Data classification? Retention policy?	Must have both
Subprocessors	Who else handles our data?	Must disclose all

领域	核心问题	通过/失败标准
合规性	是否拥有SOC 2 Type II或ISO 27001认证？	至少拥有其中一项
加密	数据是否在静态和传输时加密？	AES-256 + TLS 1.2+
访问控制	是否强制MFA？是否实施RBAC？	两项均需满足
事件响应	是否有文档化的IR计划？通知时间要求？	必须有计划 + 24小时通知机制
业务连续性	DR计划是否经过测试？是否定义RTO/RPO？	12个月内必须完成测试
数据处理	是否有数据分类？是否有保留政策？	两项均需具备
分包商	还有哪些方处理我们的数据？	必须披露所有分包商

Security Metrics Dashboard

安全指标仪表盘

Board-Level Metrics (Quarterly)

董事会级指标（季度）

Metric	Target	Red Flag	Board Language
ALE coverage	> 80%	< 60%	"$X of $Y total risk is mitigated"
Mean time to detect (MTTD)	< 24 hours	> 72 hours	"We find threats within X hours"
Mean time to respond (MTTR)	< 4 hours	> 24 hours	"We contain threats within X hours"
Compliance status	All current	Any lapsed	"All certifications active" or "Gap in X"
Critical vulnerabilities open	0	Any > 30 days	"Zero unpatched critical vulnerabilities"

指标	目标	预警阈值	董事会表述方式
ALE覆盖度	>80%	<60%	“总风险中已有$X的$Y得到缓解”
平均检测时间（MTTD）	<24小时	>72小时	“我们能在X小时内发现威胁”
平均响应时间（MTTR）	<4小时	>24小时	“我们能在X小时内遏制威胁”
合规状态	全部有效	任何过期	“所有认证均有效”或“X存在缺口”
未修复关键漏洞数量	0	任何漏洞超过30天未修复	“无未修复的关键漏洞”

Operational Metrics (Monthly)

运营指标（月度）

Metric	Target	Action Trigger
Phishing click rate	< 5%	> 10% = mandatory re-training
Critical patches within SLA	100%	< 95% = process review
Privileged accounts reviewed	100% quarterly	Any unreviewed = immediate review
Tier 1 vendors assessed	100% annually	Any lapsed = assessment needed
Security training completion	> 95%	< 90% = escalate to managers

指标	目标	触发行动
钓鱼攻击点击率	<5%	>10% = 强制重新培训
关键补丁按时安装率	100%	<95% = 流程评审
特权账户评审完成率	季度100%	任何未评审账户 = 立即评审
1级供应商评估完成率	年度100%	任何逾期 = 立即启动评估
安全培训完成率	>95%	<90% = 升级至管理层

Security Budget Framework

安全预算框架

Budget as Percentage of Revenue/IT Spend

预算占收入/IT支出的比例

Company Stage	Security Budget (% of Revenue)	Security Budget (% of IT)
Seed/Series A	2-4%	8-12%
Series B	3-5%	10-15%
Series C+	4-8%	12-18%
Enterprise	5-10%	15-20%

企业阶段	安全预算占收入比例	安全预算占IT支出比例
种子轮/A轮	2-4%	8-12%
B轮	3-5%	10-15%
C轮及以后	4-8%	12-18%
企业级	5-10%	15-20%

Budget Allocation by Category

预算按类别分配

Category	% of Security Budget	Examples
People	40-50%	Security team salaries, training
Tools	25-35%	SIEM, EDR, IAM, vulnerability scanner
Compliance	10-15%	Auditors, certifications, legal
Testing	5-10%	Pen testing, red team, bug bounty
Incident response	5%	Retainer, insurance, forensics

类别	占安全预算比例	示例
人员	40-50%	安全团队薪资、培训
工具	25-35%	SIEM、EDR、IAM、漏洞扫描器
合规	10-15%	审计师、认证、法务
测试	5-10%	渗透测试、红队、漏洞赏金
事件响应	5%	外包服务、保险、取证

Budget Justification Formula

预算论证公式

For each security investment:

Investment ROI = (ALE_before - ALE_after) / Investment_cost

If ROI > 1.5x --> Strong business case, approve
If ROI 1.0-1.5x --> Moderate case, consider alternatives
If ROI < 1.0x --> Weak case, re-evaluate or accept the risk

针对每项安全投资：

投资ROI = (缓解前ALE - 缓解后ALE) / 投资成本

若ROI >1.5x --> 业务案例充分，批准
若ROI 1.0-1.5x --> 案例中等，考虑替代方案
若ROI <1.0x --> 案例薄弱，重新评估或接受风险

Red Flags

预警信号

Security budget justified by "industry benchmarks" instead of risk analysis -- budget will be wrong
Pursuing certifications before basic hygiene (MFA, patching, backups) -- checkbox without substance
No documented asset inventory -- protecting unknown assets is impossible
IR plan exists but never tested (no tabletop exercise) -- plan will fail when needed
Security team reports to IT, not executive level -- misaligned incentives, budget competition
Single vendor for identity + endpoint + email -- vendor compromise = total compromise
Security questionnaire backlog > 30 days -- silently losing enterprise deals
No security champion program in engineering -- security becomes a bottleneck
Pen test findings unresolved after 90 days -- testing without fixing is theater
No data classification scheme -- everything treated the same = nothing protected properly

安全预算仅以“行业基准”论证而非风险分析——预算会不合理
在完成基础安全措施（MFA、补丁、备份）前就追求认证——形式主义，缺乏实质
无文档化资产清单——无法保护未知资产
有IR计划但从未测试（无桌面演练）——需要时计划会失效
安全团队向IT汇报而非高管层——激励错位，预算竞争
身份+终端+邮件使用单一供应商——供应商被入侵则全盘失守
安全问卷积压超过30天——默默流失企业订单
工程团队无安全负责人制度——安全成为瓶颈
渗透测试发现的问题90天未解决——只测试不修复是作秀
无数据分类方案——所有数据同等对待=没有数据得到妥善保护

Integration with C-Suite

与高管团队的协作

When...	CISO Works With...	To...
Enterprise sales blocked	CRO ( `cro-advisor` )	Complete security questionnaires, unblock deals
New product features	CTO + CPO ( `cto-advisor` , `cpo-advisor` )	Threat modeling, security review
Compliance budget	CFO ( `cfo-advisor` )	Size program against quantified risk exposure
Vendor contracts	COO ( `coo-advisor` )	Security SLAs, right-to-audit clauses
M&A due diligence	CEO + CFO	Target security posture assessment
Incident occurs	CEO + Legal	Response coordination, regulatory notification
Board reporting	CEO ( `ceo-advisor` )	Translate risk into business language
Hiring security team	CHRO ( `chro-advisor` )	Compensation, leveling, recruiting

当...时	CISO 协作对象	目的...
企业销售受阻	CRO ( `cro-advisor` )	完成安全问卷，解锁订单
推出新产品功能	CTO + CPO ( `cto-advisor` , `cpo-advisor` )	威胁建模、安全评审
合规预算制定	CFO ( `cfo-advisor` )	根据量化风险暴露确定项目规模
供应商合同签订	COO ( `coo-advisor` )	安全SLA、审计权条款
并购尽职调查	CEO + CFO	评估目标企业安全态势
发生安全事件	CEO + 法务	响应协调、监管通知
董事会报告	CEO ( `ceo-advisor` )	将风险转化为业务语言
招聘安全团队	CHRO ( `chro-advisor` )	薪酬、职级、招聘

Proactive Triggers

主动触发场景

No security audit in 12+ months -- schedule before a customer or regulator asks
Enterprise deal requires SOC 2 but no certification exists -- compliance roadmap urgently needed
New market expansion planned -- check data residency, privacy requirements, local regulations
Key system has no access logging -- compliance gap and forensic blind spot
Vendor with access to sensitive data not assessed -- vendor risk assessment required
Critical vulnerability disclosed in a dependency -- patch assessment within 24 hours
Employee termination without access revocation SOP -- immediate security gap

12个月以上未进行安全审计——在客户或监管机构要求前安排审计
企业订单要求SOC 2但无相关认证——紧急制定合规路线图
计划拓展新市场——检查数据驻留、隐私要求、当地法规
关键系统无访问日志——合规缺口和取证盲区
可访问敏感数据的供应商未被评估——需进行供应商风险评估
依赖项披露关键漏洞——24小时内完成补丁评估
员工离职无访问权限撤销流程——立即填补安全缺口

Output Artifacts

输出交付物

Request	Deliverable
"Assess our security posture"	Risk register with quantified ALE, prioritized by business impact
"We need SOC 2"	Compliance roadmap: timeline, cost, effort, quick wins, vendor selection
"Prep for security audit"	Gap analysis against target framework + remediation plan with owners
"We had an incident"	IR coordination plan + communication templates + regulatory timeline
"Security board section"	Risk posture summary, compliance status, incident report, budget ask
"Evaluate vendor security"	Vendor tier assessment with risk scoring and contract recommendations
"Justify security budget"	Risk-based budget proposal with ROI for each investment

请求	交付物
“评估我们的安全态势”	含量化ALE的风险登记册，按业务影响优先级排序
“我们需要SOC 2认证”	合规路线图：时间周期、成本、工作量、快速见效措施、供应商选择建议
“准备安全审计”	目标框架的差距分析 + 带责任人的修复计划
“我们遭遇了安全事件”	IR协调计划 + 沟通模板 + 监管时间要求
“董事会安全报告部分”	风险态势总结、合规状态、事件报告、预算申请
“评估供应商安全”	供应商分级评估报告，含风险评分和合同建议
“论证安全预算”	基于风险的预算提案，含每项投资的ROI

Tool Reference

工具参考

security_posture_scorer.py

Scores security posture across NIST CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover) and CISA Zero Trust Maturity Model pillars (Identity, Devices, Networks, Applications, Data). Produces board-ready security health reports.

bash

undefined

基于NIST CSF 2.0功能（治理、识别、保护、检测、响应、恢复）和CISA零信任成熟度模型支柱（身份、设备、网络、应用、数据）对安全态势评分。生成适合董事会查看的安全健康报告。

bash

undefined

Run with demo data (realistic Series B company)

使用演示数据运行（真实B轮企业场景）

python scripts/security_posture_scorer.py

From JSON with control assessments (0-4 maturity per control)

从包含控制措施评估的JSON文件运行（每项控制措施成熟度0-4分）

python scripts/security_posture_scorer.py --input controls.json

JSON output

输出JSON格式结果

python scripts/security_posture_scorer.py --json

undefined

python scripts/security_posture_scorer.py --json

undefined

risk_register_manager.py

Manages cyber risk register with ALE (SLE x ARO) calculations, mitigation ROI, and board-ready risk reports.

bash

undefined

管理网络风险登记册，支持ALE（SLE x ARO）计算、缓解ROI分析，生成适合董事会查看的风险报告。

bash

undefined

Run with demo risk register

使用演示风险登记册运行

python scripts/risk_register_manager.py

From JSON risk register

从JSON风险登记册运行

python scripts/risk_register_manager.py --input risks.json

Sort by ROI (best investments first)

按ROI排序（优先展示投资回报最高的项目）

python scripts/risk_register_manager.py --sort-by roi

JSON output

输出JSON格式结果

python scripts/risk_register_manager.py --json

undefined

python scripts/risk_register_manager.py --json

undefined

compliance_tracker.py

Tracks progress across SOC 2 Type I/II, ISO 27001, HIPAA, and GDPR. Calculates gap analysis, framework overlaps, and effort estimates.

bash

undefined

跟踪SOC 2 Type I/II、ISO 27001、HIPAA和GDPR的合规进度。计算差距分析、框架重叠度和工作量估算。

bash

undefined

Track SOC 2 readiness (default)

跟踪SOC 2就绪状态（默认）

python scripts/compliance_tracker.py

Track multiple frameworks

跟踪多个框架

python scripts/compliance_tracker.py --frameworks soc2_type1 iso27001 gdpr

List available frameworks

列出可用框架

python scripts/compliance_tracker.py --list-frameworks

From JSON

从JSON文件运行

python scripts/compliance_tracker.py --input compliance.json

JSON output

输出JSON格式结果

python scripts/compliance_tracker.py --json

---

python scripts/compliance_tracker.py --json

---

Troubleshooting

故障排查

Problem	Likely Cause	Fix
Security budget justified by "industry benchmarks" not risk data	No risk quantification framework in place	Implement ALE-based risk register; justify every dollar against quantified risk reduction
Pursuing SOC 2 before basic hygiene (MFA, backups)	Checkbox compliance without substance	Phase 1 foundation first: MFA, endpoint protection, backups; then pursue certifications
Pen test findings unresolved after 90 days	Testing without fixing is theater	Set SLA: critical 7 days, high 30 days, medium 90 days; track in risk register
Security team reports to IT, not executive level	Misaligned incentives and budget competition	CISO should report to CEO or COO; separate budget from IT
Enterprise deals blocked by security questionnaires	No SOC 2 or questionnaire response backlog > 30 days	Prioritize SOC 2 Type I; create questionnaire response library; assign dedicated owner
Zero Trust initiative stalled at identity layer	Trying to implement all pillars simultaneously	Follow maturity model: Identity first (months 1-3), then Network, then Data

问题	可能原因	解决方法
安全预算仅以“行业基准”而非风险数据论证	未建立风险量化框架	实施基于ALE的风险登记册；每项支出都需以量化风险降低为依据
在完成基础安全措施（MFA、备份）前就追求SOC 2认证	形式主义合规，缺乏实质	先完成阶段1基础搭建：MFA、终端防护、备份；再推进认证
渗透测试发现的问题90天未解决	只测试不修复是作秀	设置SLA：关键问题7天内修复，高优先级30天，中优先级90天；在风险登记册中跟踪
安全团队向IT汇报而非高管层	激励错位，预算竞争	CISO应向CEO或COO汇报；安全预算与IT预算分离
企业订单因安全问卷受阻	无SOC 2认证或问卷响应积压超过30天	优先推进SOC 2 Type I；建立问卷响应库；指定专人负责
零信任计划在身份层停滞	试图同时实施所有支柱	遵循成熟度模型：先身份层（第1-3个月），再网络层，再数据层

Success Criteria

成功标准

Security posture score above 70/100 on NIST CSF assessment (measured annually via security_posture_scorer.py)
ALE coverage above 80% -- quantified risk exposure has funded mitigations (tracked in risk register)
Mean time to detect (MTTD) under 24 hours for all severity levels
Mean time to respond (MTTR) under 4 hours for P0/P1 incidents
Zero critical vulnerabilities open longer than 7 days (measured weekly)
SOC 2 Type II certification maintained current with zero control exceptions
Phishing click rate below 5% across quarterly simulation campaigns

NIST CSF评估安全态势得分超过70/100（每年通过security_posture_scorer.py测量）
ALE覆盖度超过80%——量化风险暴露已配备缓解措施（在风险登记册中跟踪）
所有严重程度事件的平均检测时间（MTTD）低于24小时
P0/P1事件的平均响应时间（MTTR）低于4小时
关键漏洞未修复时间不超过7天（每周测量）
持续保持SOC 2 Type II认证，无控制措施例外
季度模拟钓鱼攻击点击率低于5%

Scope & Limitations

范围与局限性

In Scope: Risk quantification (ALE/SLE/ARO), compliance roadmapping, Zero Trust maturity assessment, NIST CSF 2.0 scoring, incident response protocol, vendor security assessment, security budget justification, board-level security reporting.

Out of Scope: Penetration testing execution, malware analysis, SOC operations, firewall configuration, code review, forensic investigation execution, security tool procurement.

Limitations: Security posture scorer uses self-assessed maturity levels which may overstate actual capability. Risk register ALE calculations are estimates based on industry data -- actual losses vary significantly. Compliance tracker measures control implementation, not control effectiveness. Zero Trust scoring uses binary (implemented/not) which oversimplifies partial implementations.

包含范围：风险量化（ALE/SLE/ARO）、合规路线图规划、零信任成熟度评估、NIST CSF 2.0评分、事件响应协议、供应商安全评估、安全预算论证、董事会级安全报告。

排除范围：渗透测试执行、恶意软件分析、SOC运营、防火墙配置、代码评审、取证调查执行、安全工具采购。

局限性：安全态势评分器使用自我评估的成熟度级别，可能高估实际能力。风险登记册的ALE计算基于行业数据估算——实际损失差异极大。合规跟踪器测量控制措施的实施情况，而非有效性。零信任评分采用二元（已实施/未实施）方式，过度简化了部分实施场景。

Integration Points

集成点

Skill	Integration
`cto-advisor`	Security architecture reviews; threat modeling for new features
`cfo-advisor`	Security budget sizing against quantified risk; compliance costs
`ceo-advisor`	Board security reporting; incident communication to stakeholders
`coo-advisor`	Vendor security SLAs; right-to-audit contract clauses
`cro-advisor`	Security questionnaire response; SOC 2 as sales enabler
`chro-advisor`	Security team hiring; security awareness training programs
`board-deck-builder`	Risk/security section of board deck with posture score and compliance status
`ra-qm-team`	Extended compliance frameworks (ISO 13485, MDR, FDA, GDPR, NIS2, DORA)

技能	集成方式
`cto-advisor`	安全架构评审；新功能威胁建模
`cfo-advisor`	根据量化风险确定安全预算规模；合规成本核算
`ceo-advisor`	董事会安全报告；事件利益相关方沟通
`coo-advisor`	供应商安全SLA；合同审计权条款
`cro-advisor`	安全问卷响应；将SOC 2作为销售赋能工具
`chro-advisor`	安全团队招聘；安全意识培训计划
`board-deck-builder`	董事会报告中的风险/安全部分，含态势得分和合规状态
`ra-qm-team`	扩展合规框架（ISO 13485、MDR、FDA、GDPR、NIS2、DORA）