How can infosec leaders/CISOs get their org to shift from a legacy security strategy that’s more compliance-focused to one that’s focused on risk reduction?

Head of Information Security in Services (non-Government), a year ago
Having the right governance structures in place is important. We have a committee called the Protect Subcommittee that comprises the general counsel's office and leaders from our privacy and security practice groups. It helps us apply a business lens and risk focus to certain security decisions. At the end of the day, security and risk acceptance is a business decision, so I always try to emphasize that it's not my decision whether a risk is appropriate for the firm to accept or not; it's the business's decision.
3
CISO in Healthcare and Biotech, a year ago
Shifting an organization from a compliance-focused security strategy to one focused on risk reduction requires a multifaceted approach:

  • Educate and Communicate
  • Align with Business Objectives
  • Develop a Risk Management Framework
  • Implement Proactive Security Measures
  • Enhance Governance and Accountability
  • Foster a Security Culture
  • Engage with the Board and Senior Management
  • Optimize Budget Allocation
  • Leverage Technology and Automation
  • Continuous Improvement
  • Legal and Regulatory Alignment
2
Director of Cybersecurity Data and App Protection in Healthcare and Biotech, a year ago
Having managed a Red Team before, I think those activities can be a powerful way to show the gaps between security and compliance. Those types of findings are realistic and show real risks in the organization that must be remediated. It should be eye-opening that a "compliant" organization is still vulnerable. Ideally, those activities would provide motivation to build out a further risk remediation program, which would actually reduce risk through a risk-register type of process.
