Enlarge / The White House is kicking its information security team to the curb. An internal White House memo published today by Axios reveals that recent changes to the information operations and security organizations there have left the security team in tumult, with many members headed for the door. And the chief of the White […]
White House kicks infosec team to curb in IT office shakeup Read More »
The situation the new CISO finds on arrival is often different to what they were expecting, but who’s to blame? A painfully recurrent complaint among Chief Information Security Officers (CISO) is the disconnect between what they were promised during the recruitment process, and the actual situation they find upon starting the job. Indeed, it is
The First 100 Days of the New CISO: Expectations vs. Reality Read More »
“Every Enterprise has the security it deserves,” says Oracle Chief Information Officer Mark Sunday. “It begins at the very top. It truly begins with the board, CEO, and the Executive Committee to set the culture and to ensure that the people, process, technology, and the governance processes are in place to ensure the security of
Every Enterprise Has the Security it Deserves Read More »
Constant firefighting downgrades the role and the CISO must fight to avoid its gravitational pull With regards to many other C-level roles, the Chief Information Security Officer (CISO) position is a fairly recent creation for many organisations. Although it started to emerge over 15 years ago, it has been spurred further recently by growing concerns
How to Avoid the “Curse of Firefighting”? Read More »
jaydeep_ / Pixabay As a security consultant, the very first responsibility that I take on with a client is to ensure that members of the leadership team understand their role in security. Something that is not at all uncommon is for folks to have made mental check marks by the topic of security because there
Security by Design – Security Culture Read More »
A “people” perspective on GRC models It is no big secret that the “Three Lines of Defence” model underpinning many GRC practices in large firms is poorly understood and poorly applied at grass-root levels. Anecdotal evidence we observe in the field every day suggests that many organisations operate it in a variety of hybrid fashions
The “Three Lines of Defense” Model Only Works On Trust Read More »
The keys to a successful second line of defence There are many risk management methodologies in existence but it is not uncommon to come across large firms still following today simplistic, dysfunctional or flawed practices, in particular around operational risk management. The main issue with many of those approaches is that they are plagued by
Managing Risk or managing risks? Read More »
Keep appointing pure technologists in CISO roles and you’ll never win The Wannacry ransomware attack that affected so many large firms in May 2017 led to a number of animated discussions amongst InfoSec communities. The corrective patch (fixing the vulnerability targeted by the malware) was out since March for supported systems and many firms were
The CISO and the Business Read More »
