Peer-Driven Insights

Security Frameworks (NIST, CIS, CSF)

Community Posts

As organizations deploy LLMs and other AI systems, how do you recommend security teams address risks such as data leakage, prompt injection and adversarial manipulation? What frameworks or practices should be prioritized to make AI security programs resilient from day one?

What frameworks are you using for AI risk management?

We have a new GRC tool and we're selecting frameworks like NYDFS, SOC2, NIST CSF, COSO, etc. We have financial, IT, and operational controls. What frameworks are other companies implementing with their GRC tools to map operational controls?

What platform are you using for GRC?

Drata5%

Vanta21%

Secureframe17%

KnowBe415%

Ostendio7%

AuditBoard4%

Something else -- I'll tell you in the comments6%

We’re not using a GRC platform22%

View Results

Our organization is embarking on ISO certification for security and privacy in the cloud. We are looking for best practices to implement ISO whilst being mindful of the rigor needed to manage with multiple standards. From our initial review we were informed of BSI's PAS 99 and wanted to understand: 1. Pros and Cons 2. Adoption i.e. has it been widely adopted across business landscape, specifically in the insurance sector embarking on ISO certifications? 3. Are there alternatives or best practice recommendations when embarking on cloud ISO security and privacy certifications? Also, we understood that the current certification I.e. ISO/IEC 27017:2015 looks to be replaced by ISO/IEC DIS 27017 - Information security, cybersecurity and privacy protection — Information security controls based on ISO/IEC 27002 for cloud services. Do you recommend waiting for the revision in its current stage or progress with the incumbent certification and have a subsequent review once the new version is published?

Is the NIST indicator of one company comparable to the NIST indicator of another company in a different industry?

What is the top data governance issue?

Limited resources11%

Siloed data40%

Lack of leadership23%

Poor data quality & context18%

Lack of data control5%

Other (please explain in the comments)

View Results

Are organizations managing IT security internally, or are they outsourcing to specialized security companies?

If they are outsourcing, how do they ensure the security vendor can handle all potential threats and vulnerabilities?

Read More Comments

We are in the process of building a secure network reference architecture for member firms as guidance. Are there any good examples I can use?

Read More Comments

Do you have processes for gathering feedback on security awareness training? How can leaders create effective feedback loops to identify and make improvements when needed?

Read More Comments

How do you implement cryptography for top secret information exchange foreseeing a post quantum scenario soon and what types of algorithms do you use? What about network security, are VPN keys are more secure?

Read More Comments

If you get hired by an SMB and you’re the company’s first/only security practitioner, where should you start? (Should you focus on SANS top 20 controls? Or start with the NIST framework?)

Read More Comments

If you’ve used the NIST incident response plan as a template, what elements required the most customization to suit your org?

NIST cybersecurity framework 2.0 was just released – what do you think of the update so far?

Read More Comments

What is the most important role of corporate culture in addressing the psychological impact of digital security?

Corporate culture has no influence on digital security.15%

Prioritizing digital security above other aspects in corporate culture.50%

Creating a work environment that supports mental well-being.18%

All of the above.16%

Your own perspective (Comment).1%

View Results

We are looking at implementing role-based access controls on some of our SaaS platforms due to entry into emerging markets. Does anyone have best practices to share?

Read More Comments

Community Posts

As organizations deploy LLMs and other AI systems, how do you recommend security teams address risks such as data leakage, prompt injection and adversarial manipulation? What frameworks or practices should be prioritized to make AI security programs resilient from day one?

What frameworks are you using for AI risk management?

We have a new GRC tool and we're selecting frameworks like NYDFS, SOC2, NIST CSF, COSO, etc. We have financial, IT, and operational controls. What frameworks are other companies implementing with their GRC tools to map operational controls?

What platform are you using for GRC?

Is the NIST indicator of one company comparable to the NIST indicator of another company in a different industry?

What is the top data governance issue?

Are organizations managing IT security internally, or are they outsourcing to specialized security companies?If they are outsourcing, how do they ensure the security vendor can handle all potential threats and vulnerabilities?

We are in the process of building a secure network reference architecture for member firms as guidance. Are there any good examples I can use?

Do you have processes for gathering feedback on security awareness training? How can leaders create effective feedback loops to identify and make improvements when needed?

How do you implement cryptography for top secret information exchange foreseeing a post quantum scenario soon and what types of algorithms do you use? What about network security, are VPN keys are more secure?

If you get hired by an SMB and you’re the company’s first/only security practitioner, where should you start? (Should you focus on SANS top 20 controls? Or start with the NIST framework?)

If you’ve used the NIST incident response plan as a template, what elements required the most customization to suit your org?

NIST cybersecurity framework 2.0 was just released – what do you think of the update so far?

What is the most important role of corporate culture in addressing the psychological impact of digital security?

We are looking at implementing role-based access controls on some of our SaaS platforms due to entry into emerging markets. Does anyone have best practices to share?

Community Posts

As organizations deploy LLMs and other AI systems, how do you recommend security teams address risks such as data leakage, prompt injection and adversarial manipulation? What frameworks or practices should be prioritized to make AI security programs resilient from day one?

What frameworks are you using for AI risk management?

We have a new GRC tool and we're selecting frameworks like NYDFS, SOC2, NIST CSF, COSO, etc. We have financial, IT, and operational controls. What frameworks are other companies implementing with their GRC tools to map operational controls?

What platform are you using for GRC?

Is the NIST indicator of one company comparable to the NIST indicator of another company in a different industry?

What is the top data governance issue?

Are organizations managing IT security internally, or are they outsourcing to specialized security companies?If they are outsourcing, how do they ensure the security vendor can handle all potential threats and vulnerabilities?

We are in the process of building a secure network reference architecture for member firms as guidance. Are there any good examples I can use?

Do you have processes for gathering feedback on security awareness training? How can leaders create effective feedback loops to identify and make improvements when needed?

How do you implement cryptography for top secret information exchange foreseeing a post quantum scenario soon and what types of algorithms do you use? What about network security, are VPN keys are more secure?

If you get hired by an SMB and you’re the company’s first/only security practitioner, where should you start? (Should you focus on SANS top 20 controls? Or start with the NIST framework?)

If you’ve used the NIST incident response plan as a template, what elements required the most customization to suit your org?

NIST cybersecurity framework 2.0 was just released – what do you think of the update so far?

What is the most important role of corporate culture in addressing the psychological impact of digital security?

We are looking at implementing role-based access controls on some of our SaaS platforms due to entry into emerging markets. Does anyone have best practices to share?

Are organizations managing IT security internally, or are they outsourcing to specialized security companies?

If they are outsourcing, how do they ensure the security vendor can handle all potential threats and vulnerabilities?

Are organizations managing IT security internally, or are they outsourcing to specialized security companies?

If they are outsourcing, how do they ensure the security vendor can handle all potential threats and vulnerabilities?