To Be Great Enterprise Risk Managers, CISOs Need to be Great Collaborators

by Andrew Migliore on July 25, 2019

CISOs face pressure on all sides. From their tenuous position in the company
org chart, they're tasked with managing external and internal risk to their
company's sensitive data. And when a privacy or security incident does strike,
often they're the ones who take the blame.
Yet as threats expand and regulations tighten, a CISO's role as enterprise risk
manager has never been more vital. As Leonard Kleinman, a member of the
Forbes Technology Council, succinctly wrote, "The new CISO must know how
to quantify risk and understand business as well as cybersecurity
technologies... They are no longer just the keeper of secrets or guardian at the
gate. They are integrated into the business and taking a risk-based detective/
hunter-style approach."
Know thy risk
Privacy incident response is a critical component when it comes to identifying
and quantifying full-picture, organization-wide risk. With the data gathered from
privacy incidents—things like root cause, incident volume by line of business or
department, category (paper vs. electronic), response timeframes, remediation
efforts, etc.—CISOs can examine and analyze the nature of privacy incidents
over time to understand where the true risks lie. They can thus be more
strategic in their approach to managing risk for the whole enterprise.
https://www.radarfirst.com/blog/to-be-great-enterprise-risk-managers-cisos-need-to-be-great-collaborators[7/29/19, 4:14:58 PM]
Incident response is not just the CISO's job, however. To accurately identify,
mitigate, and reduce risks across an organization—be they electronic or paper,
malicious or non-malicious—key departments must share the burden of
privacy incident response and privacy by design. Collaboration is key, as
privacy, security, legal, and product teams effectively work together.
Incident responders, unite!
To ensure collaboration, team members should understand each other's
roles, responsibilities, and motivations:
Security approaches incident response from a tactical standpoint, safeguarding
data and ensuring the availability of systems to prevent—or mitigate—improper
disclosures or downtime.
Privacy focuses on the personal impacts of incident response—how the disclosure
relates to people and the risk of harm to the impacted individual. The privacy team
also considers what regulatory and contractual notification requirements are in
scope.
Legal is integral in understanding the regulatory landscape, setting company
policies, and ensuring business practices—such as third-party vendor agreements
or business associate agreements—are properly set up.
Product determines if and how the company's products or services may have
been a factor in an incident—and what remediation may be required to address the
problem. The product team is also critical when creating new features or services by
following the Privacy by Design framework, in which it collaborates with the
security, privacy, and legal teams to proactively factor privacy into the whole
engineering process.
Together, these perspectives round out a full view of privacy incident
response. Understanding legal risks, implementing privacy policies and
procedures, safeguarding data, and applying the appropriate controls for that
data throughout the organization and within the company's products and
services—each is a critical aspect of a strong incident response program.
There are simply far too many risk vectors for a single department or
person to manage an organization's privacy incident response program on
their own.
Costly delays in incident response
The BakerHostetler 2019 Data Security Incident Response Report shows a
rather depressing average incident response timeline, from the day the event
took place to notification being provided:
Occurrence to discovery: 66 days
Discovery to containment: 8 days
Discovery to notification: 56 days
This is troubling for a couple of reasons. First, data breach notification timeline
requirements are shrinking—many U.S. states require 30 days or less, and in
the case of the EU GDPR, there are only 72 hours to notify the lead
supervisory authority. Delays at each step of the incident response process
could mean missing regulatory compliance deadlines. This is a huge risk.
Second, research has shown that the longer the time to breach discovery, the
more severe the impact. Organizations participating in the 2018 IBM Cost of a
Data Breach Study experienced increases in both the time to identify and the
time to contain a breach.
According to the report: "We attribute increases in this year's time to identify
and time to contain to the increasing severity of criminal and malicious attacks
experienced by a majority of companies in our sample."
The longer a potential breach goes undiscovered, be it a cyber-attack or a
misdirected paper fax, the greater the risk of harm to both a company and its
customers. Timely risk identification and mitigation are essential. To ensure this
timeliness, CISOs should continually measure their organization's Mean Time to
Privacy Response (MTTPR).
Invest in collaboration
As the BakerHostetler study shows all too plainly, many companies operate in
departmental silos. CISOs have no way of identifying privacy incidents that may
not include electronic data. Privacy leaders often have no insight into the
status of security incidents that require a multifactor privacy risk assessment to
determine the risk of harm, as the security team is focused on recovery and
availability.
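As an added example (not code from the article or from RADAR), the Python below computes the three timeline stages the BakerHostetler report breaks out, the average time to discovery split by the paper-versus-electronic category the "Know thy risk" section mentions, an MTTPR figure, and which incidents have run past the 72-hour or 30-day notification windows the article cites. The incident records are constructed, and the MTTPR definition used here (mean discovery-to-notification time) is an assumption, since the article names the metric but does not define it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional

# Notification windows cited in the article: 72 hours under the EU GDPR
# (to the lead supervisory authority) and 30 days or less in many U.S. states.
DEADLINES = {"gdpr": timedelta(hours=72), "us_state": timedelta(days=30)}


@dataclass
class Incident:
    """One privacy incident record (fields chosen for this example)."""
    ident: str
    category: str           # "paper" or "electronic"
    regime: str             # which notification window applies
    occurred: datetime      # when the event actually happened
    discovered: datetime    # when the organization became aware of it
    contained: Optional[datetime] = None   # None while still open
    notified: Optional[datetime] = None    # None while still open


def stage_durations(inc: Incident) -> Dict[str, Optional[float]]:
    """The three intervals the report's timeline uses, in days (None if not reached)."""
    def days(start: datetime, end: Optional[datetime]) -> Optional[float]:
        return None if end is None else (end - start) / timedelta(days=1)
    return {
        "occurrence_to_discovery": days(inc.occurred, inc.discovered),
        "discovery_to_containment": days(inc.discovered, inc.contained),
        "discovery_to_notification": days(inc.discovered, inc.notified),
    }


def missed_deadline(inc: Incident, now: datetime) -> bool:
    """True if the notification clock, which starts at discovery, has run past
    the regime's window. Open incidents are measured up to `now`, so an
    un-notified incident is flagged as soon as its window closes."""
    end = inc.notified if inc.notified is not None else now
    return end - inc.discovered > DEADLINES[inc.regime]


def mttpr_days(incidents: List[Incident]) -> Optional[float]:
    """Mean discovery-to-notification time over notified incidents.
    Assumption: the article does not define MTTPR; this is one reasonable reading."""
    spans = [stage_durations(i)["discovery_to_notification"]
             for i in incidents if i.notified is not None]
    return mean(spans) if spans else None


def report(incidents: List[Incident], now: datetime) -> dict:
    """Per-category mean time to discovery, MTTPR, and incidents past their window."""
    by_category: Dict[str, List[float]] = {}
    for inc in incidents:
        by_category.setdefault(inc.category, []).append(
            stage_durations(inc)["occurrence_to_discovery"])
    return {
        "mean_days_to_discovery_by_category": {c: mean(v) for c, v in by_category.items()},
        "mttpr_days": mttpr_days(incidents),
        "past_deadline": [i.ident for i in incidents if missed_deadline(i, now)],
    }


# Constructed sample records (not real cases). INC-1 mirrors the report's
# 66-day discovery and 8-day containment figures; INC-3 is still open.
SAMPLE = [
    Incident("INC-1", "electronic", "gdpr",
             datetime(2019, 3, 1), datetime(2019, 5, 6),
             contained=datetime(2019, 5, 14), notified=datetime(2019, 5, 8)),
    Incident("INC-2", "paper", "us_state",
             datetime(2019, 6, 1), datetime(2019, 6, 3),
             contained=datetime(2019, 6, 3), notified=datetime(2019, 7, 10)),
    Incident("INC-3", "electronic", "gdpr",
             datetime(2019, 7, 1), datetime(2019, 7, 20)),
]
NOW = datetime(2019, 7, 29)

if __name__ == "__main__":
    for inc in SAMPLE:
        print(inc.ident, stage_durations(inc), "LATE" if missed_deadline(inc, NOW) else "ok")
    print(report(SAMPLE, NOW))
```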
For true collaboration to happen, organizations need an automated way to
respond to privacy and security incidents—one that allows all employees and
customers to efficiently report incidents, and lets the incident response team
efficiently and consistently perform risk assessment, make a breach or no
breach determination, and provide dashboard metrics and real-time reporting
for organization-wide visibility.
To achieve true success as an enterprise risk manager, CISOs need to
collaborate with their peers across their organization. Only then will they obtain
a 360-degree view of the threats facing their organization. Privacy incident
response automation can help.