How can infosec leaders/CISOs get their org to shift from a legacy security strategy that’s more compliance-focused to one that’s focused on risk reduction?
Head of Information Security in Services (non-Government), a year ago
Having the right governance structures in place is important. We have a committee that's called the Protect Subcommittee that comprises the general counsel's office and leaders from our privacy and security practice groups. It helps us apply a business lens and risk focus to certain security decisions. At the end of the day, security and risk acceptance is a business decision, so I always try to emphasize that it's not my decision whether a risk is appropriate for the firm to accept or not; it's the business's decision.
CISO in Healthcare and Biotech, a year ago
Shifting an organization from a compliance-focused security strategy to one focused on risk reduction requires a multifaceted approach: educate and communicate, align with business objectives, develop a risk management framework, implement proactive security measures, enhance governance and accountability, foster a security culture, engage with the board and senior management, optimize budget allocation, leverage technology and automation, pursue continuous improvement, and maintain legal and regulatory alignment.
Director of Cybersecurity Data and App Protection in Healthcare and Biotech, a year ago
Having managed a Red Team before, I think those activities can be a powerful way to show the gaps between security and compliance. Those types of findings are realistic and show real risks in the organization that must be remediated. It should be eye-opening that a "compliant" organization is still vulnerable. Ideally, those activities would provide motivation to build out a further risk remediation program, which would actually reduce risk through a risk-register type of process.