What savvy hiring execs look for in a CISO today https://trib.al/t9AQ33V
CSO Online’s Post
-
Computerworld Columnist, writer for DarkReading, TechCrunch, SCMedia, podcaster, blogger. Focuses on cybersecurity and analytics issues for IT and Security enterprise executives.
Enterprises struggle to figure out how to hire a CISO. First, they have to figure out what they want that CISO to do https://lnkd.in/eeuXif9p
What savvy hiring execs look for in a CISO today
csoonline.com
-
CISOs should be covered under their company's D&O program. Ask the question. Have the conversation. BEFORE there is an incident. #directorsandofficers #riskmanagement #cyberawareness
If you’re a CISO without D&O insurance, you may need to fight for it
csoonline.com
-
More enterprises are now expecting the CISO role to shift from security techno brain to executive risk manager who's there to protect the business. It’s critical for chief information security officers to talk about the stress and get support. Learn more.
Let's Converge Podcast | Ep. 15: It’s Tougher Than Ever to Be a CISO – and It’s Time to Admit It
tanium.com
-
18+ years of Information/IT/Cyber Security excellence, securing your business today and protecting your digital legacy tomorrow.
“We’ve gotten to the point where nobody is sufficiently qualified to be a CISO. We are asking these people to be experts in cybersecurity, information technology, data privacy, AI, governance, risk, compliance, and business. Although they are rarely lawyers, we want them to be able to interpret and comply with myriad frameworks, industry standards, state, federal, and international regulations,” says Brian Levine, managing director at Ernst & Young overseeing cybersecurity. “Although we do not leave them with sufficient time to read, we want them to keep up with technology that is changing on a daily basis. Although they are technology experts, we also need them to be stellar managers — to be able to manage global vendors, employees, contractors, counsel, executives, and board members. CISOs are doing their best, but nobody can really live up to these standards.” https://lnkd.in/gasu_gUH
What savvy hiring execs look for in a CISO today
csoonline.com
-
Interesting article by The Wall Street Journal's James Rundle and Kim Nash about crisis communications during and following a serious cyber incident. From my experience, secure, compliant, and resilient organizations are always ready for their CEO to honestly and unequivocally communicate the following facts about their enterprise cyber risk management (ECRM) program:
· Our board has been and is proactively engaged in ECRM.
· Our board has adopted and communicated strong governance principles which require a risk-based (not checklist-based) approach to ECRM.
· Our Executive Team is responsible and accountable for ECRM, and we have formed a cross-functional team of leaders across the organization to execute our ECRM strategy.
· We have adopted the NIST Cybersecurity Framework (a non-proprietary, open framework) and use it as the basis for our ECRM program.
· We have implemented the internationally-recognized NIST process for ECRM (NIST Special Publication 800-39 and NIST Special Publication 800-37).
· We regularly engage with our liability insurance brokers to inform our risk transfer and retention decisions.
· To ensure progress and continuous process improvement of our ECRM program, we monitor all changes in our program, measure our program maturity annually, and execute continuous improvement plans.
· Recognizing the dynamic nature of cyber risks, we conduct ongoing cyber risk and opportunity assessments.
· We execute risk management and opportunity leverage plans to ensure maximum business value and competitive advantage is gained from our ECRM program.
Is your organization ready to communicate all the above items about your ECRM program? #riskmanagement #enterprisecyberriskmanagement #cyberriskmanagement #cyberriskilliteracy #cyberopportunitymanagement #cybersecurityvalue #boardcyberoversight #boardofdirectors https://lnkd.in/gt6yzXWn
UnitedHealth Grapples With Communications During Hack Crisis
wsj.com
-
Court cases against CISOs that threaten jail time and expensive penalties, such as those against former Uber CISO Joe Sullivan and SolarWinds’ Timothy G. Brown, have kept CISOs awake at night. The pressure is on for CISOs to figure out how to minimize not only professional but personal risk from the important work they do at their organizations — even when budgets and business executive decisions may expose their companies to potential security incidents. Because when big breaches hit, today’s climate is such that a CISO is no longer just worried about getting fired — they could be on the hook for life-changing consequences. While some CISOs may be considering leaving their role altogether in favor of greener pastures, others are staying and doing what they do best: managing risk. Only this time the risk management is on a personal level.
How CISOs can protect their personal liability
csoonline.com
-
There is a hidden problem in our industry: most security professionals don't understand control systems, even as we talk about implementing controls.

Consider a common security/safety control objective: software changes require approval from some entity besides the developer. Without any control, the process looks like (handwaving away complexities around branching and labeling software):

Developer writes code ---(A)---> Developer pushes code to main ---(B)---> Ops deploys main to production

The first way this often gets implemented in an organization is to create a parallel process, hanging off (A) above, where the review and approval happens. But it's just a fork:

        ---(C)---> Approve
Write -|
        ---(A)---> Main --(B)--> Deploy

This now requires some form of annual check: pull all records of Deployment, and, for some sample of them, go look for approval records. Variants get flagged for exception; semi-mature organizations often have someone who, before the quarterly audits, goes and checks for all changes to have approvals, and makes them get approved retroactively.

The next level of maturity is to add in inline assertion: after approval, the developer adds some note/ticket into their deployment request, so that approval can be "verified" more easily, or at deployment time. This is easily forgeable (ask me about the time a customer handed a script to support staff to auto-push their desired changes, which included filling out the approval field!) This takes away the need for someone to check afterwards, but doesn't really provide a control.

        ---(C)--> Approve--\
Write -|                   V
        ---(A)---> Main --(B)--> Deploy

Above that – and still, probably, the most mature most companies get to – is when that approval step isn't documented by the developer, but is instead controlled by the system: the approval requires an authenticated step from an authorized entity. Without that step? Your deployment system won't accept the change.
Now I've handwaved over a lot of complexity - what actually is an approval? Does it really provide any safeties? Are you worried about errors, design flaws, or malicious additions? But process control design is HARD, and the first step on that path is usually mining your processes to understand what is really happening, and not just what you tell your auditors is happening.
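The three maturity levels in the post above, modelled as an added example that is not the author's code: a self-asserted approval field (level 2) that any script can fill in, a system-verified gate (level 3) that only accepts an approval record the approval system itself issued, and the after-the-fact audit (level 1) that samples deployments for missing approvals. The key, approver names, commit ids and requests are all constructed; an HMAC stands in for whatever authenticated step the real approval system uses.

```python
import hashlib
import hmac
import random

# Constructed secret: held by the approval system only, never by developers or CI scripts.
APPROVAL_KEY = b"constructed-approval-system-key"
AUTHORIZED_APPROVERS = {"reviewer-a", "reviewer-b"}


def _mac(commit, approver):
    return hmac.new(APPROVAL_KEY, f"{commit}:{approver}".encode(), hashlib.sha256).hexdigest()


def issue_approval(commit, approver):
    """Approval system records an authenticated approval for one commit."""
    return {"commit": commit, "approver": approver, "mac": _mac(commit, approver)}


def gate_self_asserted(request):
    """Maturity level 2: trust whatever the deployer typed into the approval field."""
    return bool(request.get("approval_ticket"))


def gate_system_verified(request, approvals):
    """Maturity level 3: accept only an approval the system itself issued, by an
    authorized approver who is not the change author."""
    rec = approvals.get(request["commit"])
    if rec is None:
        return False
    if rec["approver"] not in AUTHORIZED_APPROVERS or rec["approver"] == request["author"]:
        return False
    return hmac.compare_digest(rec["mac"], _mac(rec["commit"], rec["approver"]))


def retro_audit(deployments, approvals, sample_size, seed=0):
    """Maturity level 1: sample past deployments and list those lacking a valid approval."""
    rng = random.Random(seed)
    sample = rng.sample(deployments, min(sample_size, len(deployments)))
    return sorted(d["commit"] for d in sample if not gate_system_verified(d, approvals))


# Constructed requests: c1 genuinely approved, c2 has a ticket typed in by a push script
# with no approval record behind it, c3 was "approved" by its own author.
APPROVALS = {"c1": issue_approval("c1", "reviewer-a"), "c3": issue_approval("c3", "reviewer-b")}
REQUESTS = [
    {"commit": "c1", "author": "dev-alice", "approval_ticket": "CHG-100"},
    {"commit": "c2", "author": "dev-bob", "approval_ticket": "CHG-101"},
    {"commit": "c3", "author": "reviewer-b", "approval_ticket": "CHG-102"},
]
```

The self-asserted gate passes all three requests; the system-verified gate passes only c1, and the audit over the same records surfaces c2 and c3.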
Here are 5 ways CISOs should rethink security governance to reduce liability:
📃 Increase focus on documentation and records
🤖 Default, automated reporting
👀 Closer scrutiny of external communications and disclosure for potential conflicts
➡ Shift towards earlier disclosure
🔍 Implement programmatic monitoring of security governance processes
Recent high-profile cases against CISOs indicate a shift for the role: the new possibility they could be considered personally liable for security incidents or responses to them. Let's dig into ways CISOs can prepare - and protect ⬇ #securitygovernance #CISO #secops #cybersecurity
How CISOs Should Change Security Governance to Reduce Liability | Gutsy
gutsy.com
-
Across the United States, state agencies are grappling with significant security, risk, and identity skill shortages, making it challenging to adequately meet the rigorous demands of today's security, risk, and compliance landscapes. Templar Shield's cutting-edge program allows U.S. State agencies the option of bundling their ServiceNow platform costs, supported by the Unified Compliance Framework, all in one. Read the entire Press Release https://hubs.la/Q02h4s3N0 Dorian Cougias, CEO of Unified Compliance, stated, "At UnifiedCompliance.com, we understand the intricate challenges that U.S. State agencies face in navigating the complex web of compliance and regulatory requirements. Our partnership with Templar Shield is a strategic alignment that brings immense value to these agencies.” Click the pic and read the press release #complianceprofessionals #complianceofficers #ESG #riskmanagement #Unifiedcompliance #regulatorycompliance #complianceregulations
Templar Shield Launches Innovative IRM as a Service in Partnership with ServiceNow for US State Agencies!
prweb.com
-
Experienced, Strategic Leader | Fraud, Payments, & Data Analytics Expert | Product Strategy Specialist
Fraud prevention should not be thought of as a solo act – to ensure sustained success, it should be considered a symphony that requires collaboration across every department in your organization. As fraud leaders, our responsibility extends beyond mastering the intricacies of fraud detection; it involves orchestrating harmony within the entire organization.
🤝 Partnering for Success: Understanding the fraud process is not just a job for the fraud team; it's a collective effort that requires the insights of every department. Finance, IT, customer support, legal teams, product, and many others play pivotal roles in fortifying the organization against fraudulent activities. Collaboration is not a luxury; it's a necessity.
🔍 Unraveling the Complexity: Combating fraud demands a comprehensive understanding of its nuances. By fostering collaboration, fraud leaders gain access to a diverse pool of knowledge. The collective intelligence of cross-functional teams allows for a more holistic approach to fraud prevention, uncovering blind spots and fortifying defenses.
👥 Building Advocates Across Functions: Fraud leaders are not just gatekeepers; they are educators and advocates. By cultivating advocates in other functions, we create a network of informed and vigilant allies. When individuals across the organization understand the impact of fraud and the crucial role they play in prevention, the entire organization becomes a united front against fraudulent activities.
🌐 Breaking Silos, Building Bridges: Breaking down departmental silos fosters a culture of open communication and shared responsibility. By forging strong connections with colleagues, fraud leaders can create an environment where information flows seamlessly, enabling swift responses to emerging threats.
📈 Quantifying Impact: Collaboration isn't just a feel-good concept – it yields tangible results. The synergy of cross-functional teams translates to a more robust fraud prevention strategy, reducing financial losses, safeguarding brand reputation, and enhancing overall organizational resilience.
👥 The Future of Fraud Prevention is Collaborative: In an era where cyber threats are more sophisticated than ever, collaboration isn't an option; it's a strategic imperative. As fraud leaders, let's champion the cause of cross-functional collaboration, ensuring that every member of the organization is not just a spectator but an active participant in the fight against fraud.
Let's continue to work together to fortify organizations against the continuing challenge of fraud! #FraudPrevention #FraudManagement #Leadership #collaboration #Teamwork