< ciso
brief />
Tag Banner

All news with #grc tag

125 articles · page 3 of 7

Discipline as the New Power Move in Cybersecurity Leadership

🧭 Under tight budgets, CISOs should shift from acquiring tools to allocating capital, prioritizing investments that maximize risk reduction per dollar. This requires renegotiating contracts, automating routine workflows, consolidating overlapping tools and reorganizing teams around value domains to free capacity for higher-impact initiatives. By quantifying trade-offs and presenting outcomes in financial terms, leaders earn faster trust from the board while maintaining security posture.
read more →

Reimagining the CISO Role as Enterprise Risk Grows

🔍 A majority of enterprise CISOs now report their roles are 'no longer fully manageable' as responsibilities expand without commensurate resources, the 2026 State of the CISO Benchmark Report found. Beyond traditional security functions, many CISOs oversee business risk, IT operations, third-party management, and emerging domains like AI governance, creating a mismatch between accountability and authority. Experts call for structural change: redesigning the role, distributing ownership, and granting board-level authority so CISOs act as risk executives rather than operational catch-alls. Without such shifts, organizations risk delayed initiatives, eroded resilience, and executive burnout.
read more →

Creating a Unified Risk Culture Across Business Domains

🛡️ The article argues organizations must stop managing risk in isolated silos and adopt a single, shared culture across cybersecurity, operations and strategy. It recommends the Organizational Risk Culture Standard (ORCS) and four practical pillars: integrated governance, unified risk intelligence, a common risk appetite and continuous learning. Implementation starts with cross‑functional committees, a common taxonomy, targeted pilots (for example, ransomware response) and risk platforms that give everyone the same view. The goal is faster detection, coordinated response and trust that converts resilience into competitive advantage.
read more →

Why Certification Is a Strategic Control for CISOs

🔒 Certification has shifted from a compliance checkbox to a practical control CISOs use to demonstrate how security is designed, governed, and sustained. Fortinet frames credible certification programs as evidence that processes such as vulnerability handling, lifecycle management, and secure development are enforced and repeatable, not ad hoc. The company highlights more than 130 active certifications and its recent IEC 62443-4-1 Maturity Level 2 achievement, and points stakeholders to the Fortinet Trust Portal for transparent, verifiable documentation.
read more →

Language of Risk: Key Cybersecurity Terms for Boards

🔐 Boards and CISOs must share precise terminology to make security decisions aligned with business risk. The article warns that identical words mean different things to security teams and executives, creating confusion around budgets, responsibilities, and resilience. It explains key distinctions—cyber‑risk vs IT risk, compliance vs security—and clarifies operational pairs like incident response, disaster recovery, and business continuity.
read more →

CISOs: Move Beyond Compliance to Anticipate Risk in 2026

🔒 CISOs entering 2026 should treat compliance as a baseline, not a destination. While frameworks like HIPAA, SOC 2 and ISO 27001 provide essential controls, relying solely on checklists breeds complacency and misses evolving threats such as AI-enabled attacks, third-party failures and future quantum risks. Adopt longer time horizons, scenario-based risk assessments and financial impact modelling to align security with business priorities and secure board support.
read more →

How CISOs Lose Their Jobs: Ten Mistakes and Fixes Now

🔒 The CISO role is increasingly precarious: average tenure is 39 months and 2025 turnover climbed to 15%. The article identifies ten common career-ending mistakes — from failing to prevent or manage major breaches and poor communication with the board to inadequate compliance, weak credential controls, burnout, and resistance to change — and offers concrete mitigations. Recommended actions include a documented incident response program, business-focused risk reporting, robust governance that maps controls to regulations, and a risk-based budgeting approach. It also highlights foundational fixes such as enterprise password management (for example, Passwork) to close credential gaps, build audit trails, and demonstrate due diligence to executives and regulators.
read more →

Meeting Cybersecurity Regulations: Practical Compliance Steps

🔒 Cybersecurity regulatory obligations vary by company size, industry and geography, and meeting them is increasingly a business prerequisite. Leaders should treat compliance frameworks such as NIS-2, ISO and NIST as structured methodologies — not end goals — while recognizing that compliance is not the same as security. CISOs must partner with legal, privacy and audit teams, prioritize risk-based decisions, and use tools like GRC, SIEM and continuous monitoring to demonstrate and maintain compliance.
read more →

Building Board Trust Through Evidence-Based Cybersecurity

🔎 Cybersecurity is now a boardroom concern, but meaningful dialogue often breaks down when technical reports and compliance attestations fail to translate into business outcomes. CISOs should shift from activity lists to presenting continuous, tamper-resistant evidence that validates controls, backups, and insurance will work when needed. Automating evidence collection and sanitizing operational telemetry removes subjectivity from dashboards and enables clear decisions about mitigation or formal risk acceptance. That clarity fosters trust, improves governance, and reframes cybersecurity as a driver of business resilience.
read more →

When CISOs Should Stay or Walk Away from Roles: Flags

⚠️ Even experienced CISOs can hit insurmountable roadblocks when leadership offers only lip service, denies resources, or blocks board access. The article identifies common red flags—playacting, cognitive disconnect between executives and security teams, and ethical pressure to conceal breaches—that should prompt serious consideration of leaving. It contrasts those with green flags such as demonstrable executive support, collaborative incident playbooks, and a commitment to transparency. Many leaders now pursue fractional roles or secure indemnity and legal counsel when organizational alignment is absent.
read more →

When responsible disclosure becomes unpaid labor: governance

🔒 Responsible disclosure expects timely, respectful responses, but many researchers now face months-long silence, disputed severity, or shifting scope that turn cooperative reports into unpaid, uncertain work. When maintainers lack resources or formal processes, reporters are pushed into a gray zone of public disclosure, legal escalation, or ethically ambiguous actions. CISOs should treat disclosure as an operational function: set SLAs, clarify triage criteria, offer non-cash recognition, and fund critical open-source dependencies to reduce adversarial outcomes. These steps help preserve trust, lower regulatory and reputational risk, and improve patching outcomes.
read more →

13 Questions to Vet IT Vendors and Reduce Third-Party Risk

🔐 As enterprises outsource more IT and adopt third-party SaaS, recent high-profile breaches show attackers are exploiting vendor trust pathways like help desks, OAuth tokens, and permissive integrations. CSOs should treat vendor selection as continuous risk management and demand strong attestations (e.g., SOC 2 Type II, ISO/IEC 27001), inventories of OAuth/API relationships, and evidence of actual workflow execution. The article lists 13 targeted questions covering controls, notification commitments, testing cadence, isolation measures, and insurance to reduce supply-chain risk.
read more →

Third-Party Risk Management to Prevent Compliance Failures

🔒 Third Party Risk Management (TPRM) is a strategic program that helps organizations identify, assess, and control risks arising from external vendors and service providers. Core elements include risk identification and assessment, contract management, continuous monitoring and audits, and employee training. Compliance drivers such as SOC 2 and GDPR make robust TPRM essential to prevent legal and reputational damage. Integrating TPRM into enterprise risk frameworks and using automation improves consistency and oversight.
read more →

UK Concerns: Cyber Breaches, Compliance, Reputation

🔒 A Nardello & Co. survey of 250 senior leaders at UK enterprises (turnover ≥£250m) finds cyber-related breaches are the top risk for 2026: 58% ranked them highest and around three-quarters doubt their ability to manage such incidents. About 20% reported a breach in the past two years. Compliance (37%) and financial crime (30%) are rising concerns amid stronger enforcement, including the UK's new Failure to Prevent Fraud offense. The report also flags readiness gaps: only 44% conduct pre‑hire screening, 48% provide anonymous whistleblowing and 59% deliver regular compliance training.
read more →

CISO Role Reaches Inflection Point in Organizational Rank

🔒 IANS' 2026 State of the CISO Report, drawn from interviews with 662 North American CISOs, shows the role shifting toward the executive suite: 46% now hold executive titles while 27% are VPs and 27% directors. Over half report that their remit has expanded to include SecOps, security architecture, GRC, app security, IAM and supplier risk. Despite greater boardroom influence and wider accountability, 52% say their scope is no longer fully manageable, risking delayed strategy and reactive security.
read more →

Privacy Teams Shrink as Stress and Funding Fall Short

📉 ISACA's State of Privacy 2026 report reveals privacy teams are shrinking and underfunded despite mounting regulatory and technological pressures. The median privacy staff size fell to five from eight year-over-year, and technical privacy roles are notably understaffed while demand for those skills rises. Respondents report increased stress—35% say their role is 'significantly more stressful' and 30% 'slightly more stressful'—attributed to rapid tech evolution, compliance complexity and resource shortages. To close skill gaps, organizations are training interested non-privacy staff and increasing reliance on contractors, consultants and planned AI tools for privacy tasks.
read more →

State and Local Cybersecurity: Framework in Place to Act

🛡️ The White House’s March 2025 Executive Order and Congress’s State and Local Cybersecurity Grant Program (SLCGP) together create a framework for strengthening defenses at state, local and tribal levels. The proposed PILLAR Act would extend and reinforce funding, oversight and scope. Success requires restoring disbursements, aligning with NIST standards, and building local capacity through partnerships and workforce development.
read more →

Congressional Delays Weaken U.S. Cybersecurity Posture

⚠️ The White House renominated seasoned Coast Guard and Energy Department cyber official Sean Plankey to lead CISA, a step that eases an urgent leadership gap but does not resolve broader legislative gridlock. Experts cite both executive deprioritization and congressional dysfunction—blocked confirmations, holds, and delayed reports—as drivers of a hollowed-out agency. Quick Senate confirmation, reauthorization of CISA 2015, and restored grant funding are needed to begin rebuilding capacity.
read more →

Cybersecurity Isn't Underfunded — It's Poorly Executed

🔒 Boards increasingly accept cyber risk, yet funding rarely follows purely rational ROI debates. The author contends that budget availability is often reactive — unlocked by imminent regulatory reviews, adverse audits or recent incidents — rather than the result of careful risk quantification. The core obstacles, he argues, are chronic execution failures, governance and cultural misalignment. CISOs should focus on building trust and strategic influence during the first hundred days to convert goodwill into lasting programs.
read more →

UK Launches Government Cyber Unit and Ambassador Scheme

🔐 The UK government has launched a Government Cyber Unit and a Software Security Ambassador Scheme under a £210m Cyber Action Plan to boost public sector resilience. The unit, led by the Government Chief Information Security Officer within the Department for Science, Innovation and Technology, will coordinate risk management and incident response across departments. The ambassador scheme promotes the voluntary Software Security Code of Practice and has drawn participants such as Cisco and Santander. While welcomed by many, some experts warn the funding may be insufficient to address the scale of threats exposed by recent 2025 incidents.
read more →