I often deal with the problem of explaining how you get from a known deficit to an actual risk for your organization. We will look into this by revisiting an issue a customer of mine had last year.
This is important for you if you ever need to write a report for higher management or for a customer in general. They need to see a case for action that goes beyond "but it is best practice" or "it is written in guideline X".
Unfortunately, I see very few technical guidelines, or even management summaries, that properly work out the case for action.
You want others to take action.
In the context of cybersecurity, the risk gives you the "why" for wanting to do something. There could be many other reasons, but this is the main driver for us.
It is easier to get management buy-in if they understand the actual risk of not fixing a known deficit.
Any additional workload that an operations team has to take on will be more acceptable to that team if they see the benefit for the company.
You are up against the "but it worked until now without it, why change?" attitude.
To overcome this, I will map out how I got a client last year from having no asset management to structuring their cloud environment in an easily digestible format and keeping it updated.
Here is how, step by step:
## Step 1: Ask yourself: What does this try to achieve?
This gives you the first level of abstraction that you need to get to an actual risk to your organization.
Asset management gives you the ability to quickly assess what types of infrastructure you have, where it is running, what is running on it, who is responsible for it, and so on.
## Step 2: What can happen when this is not implemented?
Now we get closer to what actually should be in your case for action. This is where your security expertise starts to shine.
Not implementing centralized asset management, for example, would cause gaps in your detection capabilities: you cannot defend what you don't know exists. It also makes patch management inefficient, because you will never know whether you have patched everything. Asset management is the glue that holds everything together.
## Step 3: How does this affect us?
This is the last step; there is light at the end of the (risk communication) tunnel.
In this step, you formulate the actual risk. Look for companies that got bitten by not having implemented your proposed solution. How much damage was caused by that specific breach? How would this map to your organization? In this step, it really pays off to keep an ear on the cybersecurity news channels.