Peer-Driven Insights

Security & GRC

Featured One-Minute Insights

Sept 2024

How are U.S. CISOs Addressing Liability Risk?

New regulations taking effect in the U.S. mean that cybersecurity leaders could face legal liability in the event of an incident. What strategies are they using to protect themselves?
How are U.S. CISOs Addressing Liability Risk?

Active Ambassadors in This Topic

Rathik Pathak

Rathik Pathak

JM Financial Services Ltd

Travel and Hospitality, 1k - 5k

India
View All Community Ambassadors

Community Posts

What steps do you typically take when you notice a security team member becoming less and less engaged? How do you approach them to diagnose/address the issue?

Read More Comments

Does someone have advice on how they have balanced the risk/reward as it relates to introducing Open-Source Software to organization? My org is dipping its toe into the OSS world and the architecture and risk governance teams are looking to get ahead of these requests by coming up with policies and standards for OSS technology being brought into our environment. To clarify, this is not for software development and CI/CD pipelines, SDLC etc. This is for installing solutions that already exist out there (Zabbix, GreyLog, Prometheus etc.) into the organization's environment. We are looking to provide a balance on the obvious risk with the ability to move fast (like everyone else now).

What do you do to recover quickly from early missteps in a new role? How can you keep initial mistakes from coloring perceptions when you’re still trying to establish your reputation at a new organization?

Read More Comments

Which tech conference do you intend to attend in person next year or have already participated in this year, and what motivated your choice?

Read More Comments

Is the edge of your enterprise secure?

Yes75%

No10%

Working on it13%

View Results

Which teams have a role in deciding which compliance technology to purchase?

Security45%

IT80%

Legal42%

Compliance (We have a dedicated leader)24%

Other1%

View Results

Which cybersecurity metrics do you currently use with your board?

Read More Comments

What is your top concern around low-code/no-code tools?

Lack of visibility16%

No data oversight39%

Unknown code and security controls34%

Risk of data exposure7%

Other2%

View Results

Which pitfalls—model bias, false positives/negatives, data quality, regulatory constraints—often impede AI-based security tools, and how can they be mitigated in a financial-services context?

Read More Comments

How often are you dealing with issues of cybersecurity? How do you frame your role in cybersecurity compared to that of a CISO?

Which vendor solutions are being considered to "read, identify and redact information" in unstructured data sets? I'm specifically looking at solutions that can mask / redact or hide content within documents, that allow documents to be consumed but certain piece of information to be hidden.

Based on your past experiences with starting a new position, what sorts of quick wins tend to have the greatest impact in terms of building up your credibility with stakeholders?

Read More Comments

We are considering a scanning solution for detecting Personal Information (PI) in our data assets, mainly AWS S3, DynamoDB, Salesforce, etc. We need the solution to detect PI, identify the type (e.g., infotype), and optionally map it to our own PI categories. We are currently considering BigID. Do you have experience with this tool or any other tools that can help us scan across different data platforms and technologies?

Read More Comments

How do you deal with a mismatch of risk appetites with the board? What are some ways to increase, or temper, the board’s risk appetite if necessary?

Read More Comments

What are the minimum AI Capabilities of any healthcare organization? These are categories that should be in every enterprise or commercial organizations that develop AI code or Models.

Request for Review – DORA Logging, Monitoring, and ICT Incident Reporting: 

I’m seeking your input on the EU Digital Operational Resilience Act (DORA), specifically around logging, monitoring, and ICT incident reporting requirements.

DORA mandates financial entities to log all relevant ICT events, including user activity and system and security events, typically via centralized platforms like SIEM. Real-time monitoring must be in place to detect anomalies, threats, or system failures, supported by automated alerts and clear escalation protocols.

Incidents must be classified based on severity and impact. Major incidents must be reported to regulators within four hours of classification; significant incidents within 48 hours. Entities must also submit intermediate progress and final reports detailing root cause and remediation. Where appropriate, impacted clients and stakeholders should be notified.

DORA emphasizes proactive ICT risk management, EU-wide regulatory harmonization, and board-level accountability. Compliance requires mature governance frameworks and supporting technologies for detection, reporting, and response.

Could you confirm if this summary aligns with your understanding of DORA’s requirements and share any insight on market best practices or tooling trends?

Read More Comments