< ciso
brief />
Tag Banner

All news with #grc tag

125 articles · page 4 of 7

Organizational Risk Culture Standard for Cybersecurity

🛡️ The Organizational Risk Culture Standard (ORCS) provides a practical framework to turn cyber intentions into daily behavior that reduces silence, speeds detection and improves decision-making. It stresses that most cyber failures stem from cultural drift—not code—especially in VUCAD (volatile, uncertain, complex, ambiguous, digitized) environments. The article translates ORCS into ten actionable dimensions, outlines a five‑level maturity path and prescribes measurable KCIs and a first 90‑day plan leaders can use to embed lasting habits.
read more →

Rise of the Chief Trust Officer: Where CISOs Fit In

🔒 The Chief Trust Officer (CTrO) marks a shift from defending systems to safeguarding corporate credibility, responding to eroded customer confidence after breaches and AI concerns. Early adopters such as Atlassian, Salesforce and SAP and analyst research from Forrester show the role consolidates privacy, security, compliance and ethics. Unlike a traditional CISO, the CTrO focuses on reputation, transparency and customer trust while partnering with security teams to operationalize measurable signals of trust. Success depends on board visibility, leadership backing and demonstrable behavior change.
read more →

Dismantling Defenses: Trump 2.0 Cyber Year Review Report

🔒 The Trump administration's second term enacted sweeping policy shifts that critics say have weakened the U.S. ability to address cybersecurity, privacy, and corruption risks. Changes include mass workforce cuts and reassignments at CISA, the dismissal of the Cyber Safety Review Board, and reduced enforcement by agencies such as the SEC and CFPB. The creation and apparent misuse of the Department of Government Efficiency (DOGE) raised serious data‑access and oversight concerns. New travel, vetting, and speech controls add further civil‑liberties implications.
read more →

CISOs’ Bucket List: Human-Led, AI-Powered Security

🔐 CISOs are rethinking how they spend reclaimed time, prioritizing innovation and transformation over constant firefighting. Leaders want to eliminate tactical debt—closing out lingering POAMs, patching unpatched systems and remediating misconfigurations—to free resources for strategic foresight. They plan to break down silos between AppSec, CloudSec and GRC with automation and AI, creating a unified view of risk and on-demand compliance evidence. Above all, CISOs aim to make security a human-led business enabler that empowers teams, reduces burnout and embeds privacy-by-design into engineering.
read more →

Liability Protection for CISOs Varies with Company Size

🔒 A recent RSAC survey found a large disparity in indemnification for security leaders: 88% of Fortune 1000 CISOs report legal indemnity, versus just 53% at organizations with 500+ employees. D&O insurance is the most common vehicle, and inclusion of CISOs in such policies is rising, with >50% reporting coverage in the 2025 IANS Research report. Experts warn that indemnification agreements, distinct from D&O, are the critical legal guarantee and that midmarket CISOs face meaningful personal, financial, and career risk without them.
read more →

ISACA Named Global CMMC Credentialing Authority by US DoD

🛡️ ISACA has been appointed by the US Department of Defense as the global credentialing authority for the CMMC program, responsible for training, examining and certifying assessors and instructors. The DoD's final CMMC rule published on 10 September 2025 and effective 10 November 2025 initiated a three-year rollout, requiring credentials across DoD suppliers by 2028. ISACA replaces The Cyber AB as the CAICO and expects the rules to affect over 200,000 contractors worldwide, including many in Europe.
read more →

AWS Marketplace: Mandatory POs and Custom Messaging

🔒 Administrators can now require buyers to provide purchase orders when subscribing to products through AWS Marketplace, with requirements enforceable for both public and private offers and across multiple pricing models. Administrators may also add a custom message on the procurement page to communicate policy guidance, approval steps, and support contacts. These capabilities integrate with Private Marketplace, enabling curated catalogs and centralized governance without blocking purchasing agility. The controls help finance, procurement, and software-asset teams improve cost allocation, ensure compliance at point of sale, and streamline procurement-to-pay.
read more →

Cybersecurity Is Not Underfunded, It Is Undermanaged

🔍 Many cybersecurity budget debates focus on ROI and risk models, but the author argues the real issue is execution and leadership rather than absolute funding. He explains that cognitive biases and reactive spending after incidents or audits trigger investment, while chronic execution failures and corporate short-termism stall long-term programs. The first 100 days for a CISO are crucial: listening, building trust and co-creating a business-aligned narrative turn available funds into durable security outcomes.
read more →

CISA Releases Cross-Sector Cybersecurity Goals 2.0 Update

🛡️ CISA released Cross-Sector Cybersecurity Performance Goals (CPG 2.0) providing measurable actions for critical infrastructure owners and operators to achieve a foundational cybersecurity baseline. The update aligns with the latest NIST Cybersecurity Framework revisions and incorporates lessons learned from recent incidents and threats. CPG 2.0 introduces a governance-focused component that emphasizes accountability, risk management, and the integration of cybersecurity into day-to-day operations. The goals are streamlined and outcome-driven to guide investment, benchmark progress, and reduce risk in measurable ways.
read more →

How CISOs Justify Security Investments to the Board

🔒 CISOs must position security investments as strategic enablers that directly support corporate objectives rather than as purely technical upgrades. Presentations should connect proposed solutions to outcomes like entering new markets, protecting margins, ensuring compliance, and improving resilience. Use concrete scenarios, cost models, and recovery timelines to show how investments reduce probability and impact of incidents while improving operational stability. Tailor messaging to the board’s maturity and speak in terms of risk, return, and shareholder value.
read more →

Balancing Cost and Cyber Resilience in Procurement Strategies

🔒 Procurement teams frequently chase short‑term savings, consolidating suppliers and selecting the lowest‑cost vendors, which can create systemic cyber fragility. The article warns that cost-focused procurement often overlooks vendor security posture and incident readiness, leading to outsized losses in breaches, ransomware or supply disruptions. It recommends cyber due diligence, risk-tiering, minimum baselines (e.g., MFA, encryption, patching), resilience KPIs (MTTD, MTTR, RTO) and cross-functional governance to align cost with resilience. Strategic partnerships, scenario testing and cultural change convert procurement from bargain hunters into resilience builders.
read more →

Getting to Yes: Trust-First Sales Guide for MSPs and MSSPs

🔐 The Getting to Yes anti-sales guide helps MSPs and MSSPs reframe cybersecurity conversations from fear-based pitches into collaborative business partnerships. It catalogs common objections—cost, perceived protection, small size, complexity, and time—and provides empathetic, evidence-driven responses that tie security to uptime, revenue, reputation, and compliance. The guide introduces a trust-first framework (Empathy, Education, Evidence) and explains how automation, fast assessments, posture dashboards, and measurable milestones make value visible and scalable.
read more →

12 Signs the CISO-CIO Relationship Is Broken: Causes & Fixes

🔒 Gartner and industry advisors outline a dozen signs that the CISO–CIO relationship is strained, from overridden recommendations and withheld information to board messaging conflicts and late security involvement in IT initiatives. These dysfunctions lead to misaligned priorities, duplicated technology purchases, and increased security gaps. The piece highlights contributing factors such as competing incentives and differing metrics, and prescribes practical fixes like regular one-on-ones, clarified responsibilities, alignment on enterprise risk and strategy, and a business-enablement approach that offers trade-offs and multiple solutions.
read more →

UK Lawmakers Urge Legal Shift on Economic Cybersecurity

🔒 The House of Commons Business and Trade Committee has urged the UK government to enshrine a new approach to economic security in law, warning that cyber and other threats increasingly imperil the nation's open economy. The committee's report, Toward a new doctrine for economic security, stresses that economic security cannot be achieved without cybersecurity and highlights attacks on critical national infrastructure and private firms. Key recommendations include making the voluntary Software Security Code of Practice mandatory, introducing tax relief for IT services that enhance operational resilience, and consulting on a mandatory cyber-incident reporting regime.
read more →

Seven Signs Your Cybersecurity Framework Needs Overhaul

🛡️ Organizations should rebuild security frameworks when they fail to sense environmental change, respond effectively to incidents, or support proactive risk management. Experts recommend a dynamic sensing-and-response capability, routine reviews (biannual heavy reviews with interim cursory checks), and deliberate integration of NIST baselines with industry-specific controls. Key warning signs include any breach, chronic alert overload, negative KRIs/KPIs, endpoint and AI gaps, and a compliance-only posture that ignores business risk. Rebuilds are also warranted after major business or regulatory shifts or when incremental fixes no longer suffice.
read more →

What Keeps CISOs Awake - Zurich's Approach to Resilience

😴 At the Global Cyber Conference 2025 in Zurich, CISOs openly confronted a profession-wide exhaustion tied to escalating cyber risk. Tim Brown distilled the anxiety into five core threats: shrinking exploit windows, persistent adversaries, third-party risk, an AI arms race, and staff burnout. The Swiss Cyber Institute's vendor-free format created a trust-based forum where peers share IOCs, run joint table-tops and adopt risk-based patching and UEBA to speed response and restore resilience.
read more →

GenAI GRC: Moving Supply Chain Risk to the Boardroom

🔒 Chief information security officers face a new class of supply-chain risk driven by generative AI. Traditional GRC — quarterly questionnaires and compliance reports — now lags threats like shadow AI and model drift, which are invisible to periodic audits. The author recommends a GenAI-powered GRC: contextual intelligence, continuous monitoring via a digital trust ledger, and automated regulatory synthesis to convert technical exposure into board-ready resilience metrics.
read more →

3 Ways CISOs Can Win Over Their Boards This Budget Season

🔒 As CISOs finalize next year’s cybersecurity budgets, winning board approval requires translating technical needs into business value. First, quantify risk in financial terms—estimate value at risk across worst-, best- and most‑likely scenarios, using industry reports, internal experts and vendor assessments to model direct losses, business interruption and reputational impact. Second, go beyond compliance: reserve budget for emerging threats (generative AI, quantum, third‑party risk) and repurpose existing line items such as Data Security Posture Management, SASE and GRC hours to limit net new spend. Third, know thy board and tailor your message—use dollars-and-cents for finance‑focused directors and vivid attack narratives for others, while maintaining regular engagement year-round.
read more →

An Open Letter to Cybersecurity Vendors and Investors

🔊 The cybersecurity market is awash in noise: vendors and investors chase flashy pitches while the long-standing vulnerabilities that cause real breaches remain neglected. The author argues CISOs don’t buy technology so much as they buy reduced risk and confidence, so purchases must fit roadmaps, integrate cleanly, and be sustainable. He prioritizes visibility, identity, automation that empowers people, and tools that reinforce fundamentals like patching and segmentation. Hype, overlapping products, and complexity are rejected in favor of practical reliability.
read more →

Why Chief Trust Officers Are Emerging and How CISOs Fit

🤝 Organizations are creating a chief trust officer (CTrO) to elevate trust as a business differentiator, responding to breaches, product-safety worries and AI-related uncertainty. The CTrO typically complements the CISO by focusing on reputation, ethics, transparency and customer confidence while CISOs retain technical controls, incident response and security operations. Leaders stress the role must produce measurable outcomes and avoid becoming mere 'trust theatre' by tracking signals such as customer sentiment, retention and external certifications.
read more →