< ciso
brief />
Tag Banner

All news with #grc tag

125 articles

CISO Playbook for Post‑Quantum Mandates and Migration

🔒 This guide explains regulatory timelines and a strategic playbook for CISOs and senior leaders to manage post-quantum cryptography (PQC) migrations across large organizations. It outlines the practical split between short‑lived protocol upgrades (like TLS) and long‑lived embedded devices, recommends centralized governance via a cryptography center of excellence, and emphasizes board-level framing, vendor engagement, and phased execution to meet compliance deadlines.
read more →

Top IT Security Certifications Driving Higher Pay

🔍 Foote Partners' 2Q 2026 report ranks the most valuable IT security certifications by average pay premium and recent market value increase. The article lists the top 13 credentials employers value now, describing each certification’s focus, prerequisites, exam length, and typical training and exam costs. It highlights portfolio certifications like GIAC’s GSE and GSP, vendor offerings from Microsoft and Check Point, and vendor-neutral options such as CCSK, ISACA’s CRISC and CISA, and ISC2’s CISSP and CSSLP. Practical, hands-on credentials like GX-CS and OffSec’s PEN-200/OSCP+ are also covered.
read more →

UK launches Cyber Resilience Pledge for businesses

🛡️ The UK government announced the Cyber Resilience Pledge, with over 60 businesses signing up after its unveiling at CYBERUK in April alongside a £90m support package. Signatories such as Microsoft UK, Marks & Spencer and Vodafone commit to board-level cyber accountability, NCSC training, Early Warning registration and risk-based Cyber Essentials adoption across supply chains. The scheme targets medium and large firms with the aim of driving baseline security improvements across suppliers.
read more →

The modern CISO is becoming the next CFO

🛡️ The role of the CISO is evolving from a technical operator into a broad, enterprise-level executive responsible for cyber resilience, regulatory compliance, AI governance and business risk. As cyber risk becomes business risk, organizations are expanding security leadership—adding deputy CISOs and specialized teams—while keeping centralized accountability. The author argues the CISO should report independently (e.g., to the CEO, COO or CRO) and that AI increases the need for clear human accountability.
read more →

Seven common cyber risk assessment mistakes to avoid

🔍 A cyber risk assessment should be a decision tool that ties technical findings to business impact, yet many organizations fall into common pitfalls. Experts warn against rote, checklist-driven assessments, sugarcoating results, narrow scoping, and overreliance on risk registers that mask assumptions. Other frequent missteps include failing to link risks to business outcomes, confusing compliance with true security, and neglecting the implications of new technologies like AI. The article outlines seven practical gotchas and recommends context-driven, continuous risk assessment involving business stakeholders to produce actionable, defensible insights.
read more →

FedRAMP 20x and the rise of GRC engineering

🔍 The author argues that much of traditional compliance has become theatrical—focused on curated, point-in-time evidence rather than continuous operational truth. FedRAMP 20x and the broader GRC engineering movement push assurance toward automation, machine-readable evidence and continuous telemetry, shifting audits from static snapshots to ongoing validation. The writer recounts their organization’s FedRAMP 20x pilot, describing early setbacks as iterative learning rather than failure.
read more →

MPs Warn UK Museums Face Cybersecurity Shortfalls

🛡️ Parliament’s Public Accounts Committee has criticised the Department for Culture, Media and Sport for a reactive approach to cybersecurity, leaving national galleries and museums exposed. The PAC highlighted incidents including a ransomware attack on the British Library and thefts from the British Museum as evidence of systemic failings. It calls on DCMS to set out concrete actions, share lessons across the sector, and address skills shortages and legacy technology.
read more →

Cybersecurity’s Shift From Protection to Survival

🔒 The piece argues that cybersecurity must move beyond a prevention-first mindset to a survival-focused discipline. It stresses that while traditional controls (MFA, patching, hardening) remain necessary, organizations need breach readiness: continuity, recoverability, tested incident response, and clear governance. Regulatory and market pressures (EU resilience laws, US disclosure and accountability) plus AI-driven acceleration make resilience an operational imperative.
read more →

Six CISO Strategies to Master Business Risk

🔐 Senior security leaders outline how CISOs must expand beyond technical risk to address business risk, aligning security with profitability, operations, and strategic objectives. They recommend partnering with business owners, mapping security to corporate OKRs, building relationships across functions, and running business-focused tabletop exercises. Formal education in governance and integrating cyber into enterprise risk management are stressed as critical steps to ensure cyber risks are evaluated alongside financial and operational risks.
read more →

FCC Proposal Would End Anonymous 'Burner' Phones

🛡️ The FCC has proposed a rule that would eliminate so-called burner phones by requiring telecom providers to collect and retain detailed personal information from virtually all phone customers. The rule would mandate submission of government-issued ID numbers, physical addresses, and additional data for business and foreign accounts, raising alarm among privacy and civil rights advocates. Supporters argue the changes target scammers and illicit activity, while critics warn of significant privacy, surveillance, and cybersecurity consequences if carriers must store this expanded dataset.
read more →

UK filtering plan raises encryption and security concerns

🔒 UK Prime Minister Keir Starmer urged tech firms to implement device controls to block children from viewing or creating sexually explicit imagery, prompting CISOs to warn the plan could undermine enterprise encryption. Starmer gave companies three months to propose voluntary measures before pushing legislation; analysts caution on-device scanning is unlikely at scale and cloud processing would introduce new risks. Experts highlight logistical, performance, age-verification, and abuse risks that could create exploitable inspection vectors.
read more →

Quantifying Cyber Risk to Engage Boards Effectively

🔍 A panel at Infosecurity Europe 2026 advised that focusing on financial impact is an effective way to communicate cyber risk to boards. Using Cyber Risk Quantification (CRQ) and clear data helps translate technical threats into dollar values that executives understand. BP and NatWest speakers emphasized making outputs simple, trustworthy and aligned to board needs to secure support and decision-making.
read more →

Executives and CISOs Must Treat Cyber as Statecraft

🔒 Bharat Thakrar of ISACA’s London Chapter told Infosecurity Europe 2026 that cyber, AI and geopolitics are now inseparable and warned against treating security as merely an IT problem. He cited breaches like Sony Pictures (2014), Viasat (2022) and Stryker (2026) to show private firms can be legitimate geopolitical targets. Thakrar proposed the Cyber Geopolitical Preparedness and Response (CGPR) framework—assess exposure, evaluate readiness, plan response and continuous monitoring—and urged geopolitical stress‑tests, revamped HR vetting, tighter access controls and predefined executive authorities.
read more →

AWS Spring 2026 SOC Reports Cover 188 Services

🔒 Amazon Web Services (AWS) released Spring 2026 SOC 1, 2, and 3 reports covering 188 services for the period April 1, 2025–March 31, 2026, providing customers a full year of assurance. Customers can download SOC 1 and 2 reports via AWS Artifact, while the SOC 3 report is available on the AWS SOC Compliance Page and AWS Artifact. AWS also published the SOC report package in NIST OSCAL (JSON) format to support machine-readable, standards-based compliance automation. AWS encourages customers to review services in scope and contact their account teams with questions or feedback.
read more →

Six critical security gaps every CISO must address

🔒 CISOs admit many organizations remain underprotected, with surveys showing gaps in data protection, incident preparedness, and resourcing. As adversaries adopt automation and AI, security programs must close six core gaps: perception, speed versus attackers, business‑security alignment, skills, AI security, and legacy systems. Experts urge CISOs to shift toward resilience, accelerate operations with automation and CTEM, and invest in workforce and governance.
read more →

SEC 10-K Cybersecurity Trends and Governance 2025

📝 This article analyzes the new SEC 10-K cybersecurity disclosure section (1.C) across the top 200 S&P companies, summarizing governance, reporting lines, standards, and trends between 2024 and 2025. It highlights that the CISO remains the principal cybersecurity role, with the CIO commonly as the reporting executive and audit committees most frequently overseeing cyber risk. The piece also reviews common practices such as TPRM, proactive testing, human-centric training, AI risks, and the author’s AI-assisted data collection and analysis methods.
read more →

Why Organizations Need a Vulnerability Operations Center

🔎 A Vulnerability Operations Center (VOC) centralizes how organizations qualify, prioritize, and drive remediation to turn vulnerability findings into measurable risk reduction. Unlike legacy vulnerability management, which relies on periodic scans and severity scores, a VOC applies exposure management, governance, and cross‑team coordination to focus remediation on reachability, exploitability, and business impact. VOC teams track execution KPIs, enforce SLAs, and work alongside SOCs to shift organizations from reactive patching to continuous prevention.
read more →

How CISOs Can Prepare to Secure Board and Advisory Roles

🔒 Many CISOs are pursuing board and advisory roles to bridge gaps between security teams and directors, improve communication, and shape product roadmaps. Leaders such as ISACA vice chair Jamie Norton, Accenture’s Mitra Minai, and Nathan Morelli describe governance learning, vendor advisory seats, and targeted certifications as common pathways. The article emphasizes governance capability, strategic language, and the significant time commitment these roles demand.
read more →

Patching SLAs Should Be the Minimum, Not the Strategy

🔒 The author warns that relying on patching SLAs creates a misleading dashboard: SLAs show ticketing discipline, not true exposure. Easy, agent-patchable items keep scores green while legacy systems and architectural flaws remain in exception queues. Drawing on experience as a CISO and industry reports, the piece promotes cyber risk quantification to express exposures in dollars. It recommends treating SLAs as a floor, tightening exception hygiene, and funding remediation.
read more →

Aligning Cyber Risk Communication with Boardroom Psychology

🔍 Security leaders must translate technical risk into clear business decisions to gain board support. Boards want concise, data-driven briefings that link exposures to financial impact, operational disruption and regulatory consequences rather than technical status updates. The most effective conversations prioritize a few high-impact issues, explain trade-offs and show exactly where resources will measurably reduce loss.
read more →