Why are so many organisations and security professionals still worried about the reporting line of the CISO? This is one of the oldest and most persistent debates agitating the security industry, and it looks far from resolved. It has been polluted for decades by arbitrary and simplistic views on “separation of duties” and alleged “conflicts of interest”. But those views often come from sectors of the corporate spectrum with a fairly theoretical idea of how an organisation should operate, and rarely reflect the reality of how large organisations function.
There seems to be confusion in corporate America about whether or not to delete data. On one hand, there are legal departments that advise keeping everything forever; on the other are those that recommend deleting everything as a matter of policy as soon as possible, whacking away at files and folders on your file servers like a drunk landscaper whirling a weed whacker around your yard. Meanwhile, IT is stuck in the middle trying to develop and engineer systems to enforce ever-changing data retention policies.
New Book and Must-Read from JC Gaillard: How to Transform Cyber Security. This is a compilation of the best cyber security management, organisation and governance articles published on the Corix Partners blog between 2015 and 2017. They offer a truly alternative view on how to organise and manage security in large firms, inspired by the direct field experience of their author JC Gaillard, former CISO and leading consultant and expert on the topic. 35 easy-to-read, bite-size articles which cover all key managerial aspects around information security, from the reporting line of the CISO to the role of the Board, and how to make it work in real life.
The role of the CISO and their reporting line seems to be a continuing topic of discussion amongst cyber security professionals. It is increasingly a major source of concern in a world that is more and more “hyper-connected” and where data is the real “fuel” the business needs to burn on its journey towards digital transformation. Often at the top is a Group CISO, but what could their role be in such a context? And how to make it work?
Keep appointing pure technologists in CISO roles and you’ll never win. The WannaCry ransomware attack that affected so many large...
There are many risk management methodologies in existence, but it is not uncommon to come across large firms that are still following simplistic, dysfunctional or flawed practices today, in particular around operational risk management.
The main issue with many of those approaches is that they are plagued by a fundamental theoretical problem, which goes far beyond semantics: there is an abyss between managing “Risk” (broadly defined as “the effect of uncertainty on objectives”) and managing “risks” (events or scenarios that might have an undesirable outcome).