Security Program Justification (Firemen’s v. Sorenson (Marriott derivative))

Use this to justify the scope, resourcing, or structure of the security program; supports resource and organizational decisions.


Purpose

This justification explains why the scope and structure of the security program are necessary in response to Firemen’s v. Sorenson (Marriott derivative), including capability gaps, risk reduction targets, and resource implications. It supports executive and board approval of sustained program maturity efforts.

Hallucinated writing examples

Scenario: In an illustrative period during Delaware derivative litigation over Marriott-Starwood cyber oversight allegations (time), the Chief Information Security Officer (role) prepares a security program justification (type) for Chief Executive Officer, Board Audit Committee (audience).

SECURITY PROGRAM JUSTIFICATION

To: Chief Executive Officer, Board Audit Committee
From: Chief Information Security Officer
Date: July 10, 2021
Subject: Security Program Scope, Structure, and Resource Request — Integration Oversight Maturity

Program Mission and Context: The program mission is to establish durable cybersecurity governance and control maturity across integrated environments while supporting the oversight expectations highlighted in derivative litigation. The program must evidence clear accountability and closure of integration-related risk debt.

Scope and Current State: Scope includes integration control governance, board KPI reporting, identity and logging consistency, third-party risk oversight, and governance documentation. Current structure supports baseline operations but requires additional capacity for timely closure and oversight evidence quality.

Gap Analysis and Recommendation: Gaps include integration backlog aging, uneven KPI automation, and limited dedicated governance operations. Options considered: (1) Recommended—resource expansion for integration control closure and governance analytics. (2) Minimal—maintain current capacity; rejected due to prolonged residual risk. (3) Full re-org; deferred. We request [X] FTE and [Y] budget with quarterly governance review and escalation criteria.

Document-type guide: Security Program Justification

Writing tips: Writing best practices — Security Program Justification

© 2026 Yi Zhang. Licensed under the MIT License.
Last updated: 2026 April 17 9:37 AM