What do you do when a business won't follow your cybersecurity recommendations?


CTO in Software, 11 - 50 employees
You have to treat those situations with the same disposition a doctor would have. I've done over 200 assessments around the globe, often in organizations that are seen as mission-critical to the country they're in. It's often a massive enterprise that's responsible for the country's gross domestic product, so I don't take it personally when they take my report and put it on a shelf. I did everything I could; I learned about the system and its makeup. It's just the nature of the beast.

CISO in Software, 10,001+ employees
Recommendations should always have details on the risks or impact if the recommendation is not followed, so everyone and the business are aware of the potential implications of their decisions.

CISO in Education, 5,001 - 10,000 employees
You can lead a horse to water but you can't make 'em drink!

Director of Information Security in Energy and Utilities, 1,001 - 5,000 employees
You are there to advise the business on cyber risks. If the business understands the potential impact of the risk to the business, you've done your job. Do document your recommendations and their responses for your record.
