How could organizations better support the CISO and the security function going forward? What organizational changes would reduce burnout risk for cybersecurity leaders (and are you hopeful that we’ll see such changes in the coming years)?

Global Chief Cybersecurity Strategist & CISO in Healthcare and Biotech, 4 months ago
Even if your company does not have an Enterprise Risk Management program, you should have a cybersecurity risk program. Partner with your governance, risk and compliance person. Cyber liability insurance also has deep assessments of your company now and aligns them with the risk tolerance. This can help with your budget.

CISO, 4 months ago
We have to run our security programs more like an actual business unit. We need to move our security programs into more data-driven analysis. Having good key risk indicators, especially around coverage metrics, is crucial. We also need to talk more about risk acceptance. That's a perfectly viable outcome, especially in a public company environment, if it's appropriately disclosed.
CISO, 4 months ago
There's going to be a lot of change in the coming years, especially with new regulations. Organizations need to be clear about the support needed for cybersecurity functions. It's about articulating the risk of doing nothing, but also the risks of doing something. As a leader, you need to explain what the risks are to the business. For example, if we make $10K/hour on online sales during Christmas time, that can cost us $50K/hour if we go down due to a cybersecurity incident.

CISOs now have a lot of leverage, especially in public companies. The SEC is tired of being lied to by cybersecurity companies that claim they have security when they don't. It's now mandatory to report risks and governance to the SEC. If you lie or exaggerate the truth, there are serious consequences.

Board Member, Advisor, Executive Coach in Software, 4 months ago

I agree with Ian. A lot of people don't connect the dots between cybersecurity and other business risks. Cybersecurity can directly or indirectly cause or enhance other risk issues. However, there can be pressure to reduce the portrait of risk. Don't bend on that. If you want to accept the risk, go ahead, but if it's material, stick it in your 10-K saying we have a material cyber risk. There are ways to do it with high integrity.
