
All news with #grc tag


State and Local Cybersecurity: Framework in Place to Act

🛡️ The White House’s March 2025 Executive Order and Congress’s State and Local Cybersecurity Grant Program (SLCGP) together create a framework for strengthening defenses at state, local and tribal levels. The proposed PILLAR Act would extend and reinforce funding, oversight and scope. Success requires restoring disbursements, aligning with NIST standards, and building local capacity through partnerships and workforce development.

Congressional Delays Weaken U.S. Cybersecurity Posture

⚠️ The White House renominated seasoned Coast Guard and Energy Department cyber official Sean Plankey to lead CISA, a step that eases an urgent leadership gap but does not resolve broader legislative gridlock. Experts cite both executive deprioritization and congressional dysfunction—blocked confirmations, holds, and delayed reports—as drivers of a hollowed-out agency. Quick Senate confirmation, reauthorization of CISA 2015, and restored grant funding are needed to begin rebuilding capacity.

Cybersecurity Isn't Underfunded — It's Poorly Executed

🔒 Boards increasingly accept cyber risk, yet funding rarely follows purely rational ROI debates. The author contends that budget availability is often reactive — unlocked by imminent regulatory reviews, adverse audits or recent incidents — rather than the result of careful risk quantification. The core obstacles, he argues, are chronic execution failures, governance and cultural misalignment. CISOs should focus on building trust and strategic influence during the first hundred days to convert goodwill into lasting programs.

UK Launches Government Cyber Unit and Ambassador Scheme

🔐 The UK government has launched a Government Cyber Unit and a Software Security Ambassador Scheme under a £210m Cyber Action Plan to boost public sector resilience. The unit, led by the Government Chief Information Security Officer within the Department for Science, Innovation and Technology, will coordinate risk management and incident response across departments. The ambassador scheme promotes the voluntary Software Security Code of Practice and has drawn participants such as Cisco and Santander. While welcomed by many, some experts warn the funding may be insufficient to address the scale of threats exposed by recent 2025 incidents.

Organizational Risk Culture Standard for Cybersecurity

🛡️ The Organizational Risk Culture Standard (ORCS) provides a practical framework to turn cyber intentions into daily behavior that reduces silence, speeds detection and improves decision-making. It stresses that most cyber failures stem from cultural drift—not code—especially in VUCAD (volatile, uncertain, complex, ambiguous, digitized) environments. The article translates ORCS into ten actionable dimensions, outlines a five‑level maturity path and prescribes measurable KCIs and a first 90‑day plan leaders can use to embed lasting habits.

Rise of the Chief Trust Officer: Where CISOs Fit In

🔒 The Chief Trust Officer (CTrO) marks a shift from defending systems to safeguarding corporate credibility, responding to eroded customer confidence after breaches and AI concerns. Early adopters such as Atlassian, Salesforce and SAP and analyst research from Forrester show the role consolidates privacy, security, compliance and ethics. Unlike a traditional CISO, the CTrO focuses on reputation, transparency and customer trust while partnering with security teams to operationalize measurable signals of trust. Success depends on board visibility, leadership backing and demonstrable behavior change.

Dismantling Defenses: Trump 2.0 Cyber Year Review Report

🔒 The Trump administration's second term enacted sweeping policy shifts that critics say have weakened the U.S. ability to address cybersecurity, privacy, and corruption risks. Changes include mass workforce cuts and reassignments at CISA, the dismissal of the Cyber Safety Review Board, and reduced enforcement by agencies such as the SEC and CFPB. The creation and apparent misuse of the Department of Government Efficiency (DOGE) raised serious data‑access and oversight concerns. New travel, vetting, and speech controls add further civil‑liberties implications.

CISOs’ Bucket List: Human-Led, AI-Powered Security

🔐 CISOs are rethinking how they spend reclaimed time, prioritizing innovation and transformation over constant firefighting. Leaders want to eliminate tactical debt—closing out lingering POAMs, patching unpatched systems and remediating misconfigurations—to free resources for strategic foresight. They plan to break down silos between AppSec, CloudSec and GRC with automation and AI, creating a unified view of risk and on-demand compliance evidence. Above all, CISOs aim to make security a human-led business enabler that empowers teams, reduces burnout and embeds privacy-by-design into engineering.

Liability Protection for CISOs Varies with Company Size

🔒 A recent RSAC survey found a large disparity in indemnification for security leaders: 88% of Fortune 1000 CISOs report legal indemnity, versus just 53% at organizations with 500+ employees. D&O insurance is the most common vehicle, and inclusion of CISOs in such policies is rising, with >50% reporting coverage in the 2025 IANS Research report. Experts warn that indemnification agreements, distinct from D&O, are the critical legal guarantee and that midmarket CISOs face meaningful personal, financial, and career risk without them.

ISACA Named Global CMMC Credentialing Authority by US DoD

🛡️ ISACA has been appointed by the US Department of Defense as the global credentialing authority for the CMMC program, responsible for training, examining and certifying assessors and instructors. The DoD's final CMMC rule published on 10 September 2025 and effective 10 November 2025 initiated a three-year rollout, requiring credentials across DoD suppliers by 2028. ISACA replaces The Cyber AB as the CAICO and expects the rules to affect over 200,000 contractors worldwide, including many in Europe.

AWS Marketplace: Mandatory POs and Custom Messaging

🔒 Administrators can now require buyers to provide purchase orders when subscribing to products through AWS Marketplace, with requirements enforceable for both public and private offers and across multiple pricing models. Administrators may also add a custom message on the procurement page to communicate policy guidance, approval steps, and support contacts. These capabilities integrate with Private Marketplace, enabling curated catalogs and centralized governance without blocking purchasing agility. The controls help finance, procurement, and software-asset teams improve cost allocation, ensure compliance at point of sale, and streamline procurement-to-pay.

Cybersecurity Is Not Underfunded, It Is Undermanaged

🔍 Many cybersecurity budget debates focus on ROI and risk models, but the author argues the real issue is execution and leadership rather than absolute funding. He explains that cognitive biases and reactive spending after incidents or audits trigger investment, while chronic execution failures and corporate short-termism stall long-term programs. The first 100 days for a CISO are crucial: listening, building trust and co-creating a business-aligned narrative turn available funds into durable security outcomes.

CISA Releases Cross-Sector Cybersecurity Goals 2.0 Update

🛡️ CISA released Cross-Sector Cybersecurity Performance Goals (CPG 2.0) providing measurable actions for critical infrastructure owners and operators to achieve a foundational cybersecurity baseline. The update aligns with the latest NIST Cybersecurity Framework revisions and incorporates lessons learned from recent incidents and threats. CPG 2.0 introduces a governance-focused component that emphasizes accountability, risk management, and the integration of cybersecurity into day-to-day operations. The goals are streamlined and outcome-driven to guide investment, benchmark progress, and reduce risk in measurable ways.

How CISOs Justify Security Investments to the Board

🔒 CISOs must position security investments as strategic enablers that directly support corporate objectives rather than as purely technical upgrades. Presentations should connect proposed solutions to outcomes like entering new markets, protecting margins, ensuring compliance, and improving resilience. Use concrete scenarios, cost models, and recovery timelines to show how investments reduce probability and impact of incidents while improving operational stability. Tailor messaging to the board’s maturity and speak in terms of risk, return, and shareholder value.

Balancing Cost and Cyber Resilience in Procurement Strategies

🔒 Procurement teams frequently chase short‑term savings, consolidating suppliers and selecting the lowest‑cost vendors, which can create systemic cyber fragility. The article warns that cost-focused procurement often overlooks vendor security posture and incident readiness, leading to outsized losses from breaches, ransomware or supply disruptions. It recommends cyber due diligence, risk-tiering, minimum baselines (e.g., MFA, encryption, patching), resilience KPIs (MTTD, MTTR, RTO) and cross-functional governance to align cost with resilience. Strategic partnerships, scenario testing and cultural change turn procurement teams from bargain hunters into resilience builders.

Getting to Yes: Trust-First Sales Guide for MSPs and MSSPs

🔐 The Getting to Yes anti-sales guide helps MSPs and MSSPs reframe cybersecurity conversations from fear-based pitches into collaborative business partnerships. It catalogs common objections—cost, perceived protection, small size, complexity, and time—and provides empathetic, evidence-driven responses that tie security to uptime, revenue, reputation, and compliance. The guide introduces a trust-first framework (Empathy, Education, Evidence) and explains how automation, fast assessments, posture dashboards, and measurable milestones make value visible and scalable.

12 Signs the CISO-CIO Relationship Is Broken: Causes & Fixes

🔒 Gartner and industry advisors outline a dozen signs that the CISO–CIO relationship is strained, from overridden recommendations and withheld information to board messaging conflicts and late security involvement in IT initiatives. These dysfunctions lead to misaligned priorities, duplicated technology purchases, and increased security gaps. The piece highlights contributing factors such as competing incentives and differing metrics, and prescribes practical fixes like regular one-on-ones, clarified responsibilities, alignment on enterprise risk and strategy, and a business-enablement approach that offers trade-offs and multiple solutions.

UK Lawmakers Urge Legal Shift on Economic Cybersecurity

🔒 The House of Commons Business and Trade Committee has urged the UK government to enshrine a new approach to economic security in law, warning that cyber and other threats increasingly imperil the nation's open economy. The committee's report, Toward a new doctrine for economic security, stresses that economic security cannot be achieved without cybersecurity and highlights attacks on critical national infrastructure and private firms. Key recommendations include making the voluntary Software Security Code of Practice mandatory, introducing tax relief for IT services that enhance operational resilience, and consulting on a mandatory cyber-incident reporting regime.

Seven Signs Your Cybersecurity Framework Needs Overhaul

🛡️ Organizations should rebuild security frameworks when they fail to sense environmental change, respond effectively to incidents, or support proactive risk management. Experts recommend a dynamic sensing-and-response capability, routine reviews (biannual heavy reviews with interim cursory checks), and deliberate integration of NIST baselines with industry-specific controls. Key warning signs include any breach, chronic alert overload, negative KRIs/KPIs, endpoint and AI gaps, and a compliance-only posture that ignores business risk. Rebuilds are also warranted after major business or regulatory shifts or when incremental fixes no longer suffice.

What Keeps CISOs Awake - Zurich's Approach to Resilience

😴 At the Global Cyber Conference 2025 in Zurich, CISOs openly confronted a profession-wide exhaustion tied to escalating cyber risk. Tim Brown distilled the anxiety into five core threats: shrinking exploit windows, persistent adversaries, third-party risk, an AI arms race, and staff burnout. The Swiss Cyber Institute's vendor-free format created a trust-based forum where peers share IOCs, run joint table-tops and adopt risk-based patching and UEBA to speed response and restore resilience.