Strategic Security Initiative Justification (FTC v. Drizly 2022)

Use this to build a business case for a major security initiative; supports approval, budget, and prioritization under the FTC consent order.


Purpose

This document provides the strategic and financial rationale for major security investments required after FTC v. Drizly 2022 and the July 2020 incident, linking the consent order’s program obligations to concrete engineering and assurance outcomes. It is intended to support budget and prioritization decisions with a clear cost-risk-benefit narrative.

Hallucinated writing examples

Scenario: In an illustrative period following the FTC October 2022 consent order after the July 2020 Drizly breach (time), the Chief Information Security Officer (role) prepares a strategic security initiative justification (type) for Executive Leadership, Board Finance Committee (audience).

STRATEGIC SECURITY INITIATIVE JUSTIFICATION

To: Executive Leadership, Board Finance Committee
From: Chief Information Security Officer
Date: November 30, 2022
Subject: Business Case — IAM, Secrets, Monitoring, and Data Minimization Program (FTC Docket No. 2023185)

Initiative Summary: This document requests approval and budget for a consolidated program to implement the written information security program, MFA and access governance, elimination of credentials from source repositories with continuous secret scanning, centralized logging and detection for exfiltration patterns, and a published data retention schedule with deletion jobs—together satisfying the core operational obligations of the Decision and Order accepted October 24, 2022 (In the Matter of Drizly, LLC, and James Cory Rellas, FTC Docket No. 2023185). Scope includes developer, cloud, and production administration paths; Phase 1 targets 100% MFA for privileged access and zero critical secret-scan findings by January 31, 2023.

Business and Regulatory Context: The July 2020 incident affected approximately 2.5 million consumers via compromised GitHub access, credential reuse, lack of MFA, and failure to revoke temporary elevated access. External discovery of data for sale amplified regulatory narrative risk. The FTC alleged unfair practices and deception regarding safeguards. The order also imposes individual obligations on the CEO in future covered roles—raising reputational stakes for demonstrable program execution.

Options Considered: (1) Integrated program delivery with assessor-ready evidence and quarterly KPIs (recommended). (2) Tooling purchases without workflow and ownership changes: rejected as inconsistent with order expectations and prior 2018 GitHub warning signals. (3) Defer retention minimization until security tooling completes: rejected because the order couples both threads.

Benefits, Resources, and Risks of Inaction: Benefits include reduced account-takeover paths, faster detection, a defensible retention posture, and biennial assessment readiness. Estimated cost [X]; headcount [Y]; milestones at 90/180/365 days. Risks of inaction: repeat FTC scrutiny, civil litigation leverage, and inability to demonstrate operating effectiveness. We recommend approval of scope, budget, and timeline, and authorization for the CISO to execute with quarterly reporting to the Board and the chief legal officer.

© 2026 Yi Zhang. Licensed under the MIT License.
Last updated: 2026 April 17 9:37 AM