Peer-Driven Insights

Security & GRC

About this topic

Information Security is the practice of protecting digital and physical information assets and systems from unauthorized access, modification and destruction. Governance, risk and compliance (GRC) encompasses the strategies and processes used to ensure regulatory compliance, assess risk and align operations with business goals.

Featured One-Minute Insights

How are U.S. CISOs Addressing Liability Risk?

New regulations taking effect in the U.S. mean that cybersecurity leaders could face legal liability in the event of an incident. What strategies are they using to protect themselves?

How are U.S. CISOs Addressing Liability Risk?

Active Ambassadors in This Topic

Chris Oehlerking

Honeywell

Manufacturing, 1k - 5k

Clifton Persaud

ISACA

Education, 10k+

Rajnish Malhotra

Emergent Biosolutions

Healthcare and Biotech, 1k - 5k

View All Community Ambassadors

Community Posts

Which cybersecurity metrics do you currently use with your board?

Read More Comments

Does someone have advice on how they have balanced the risk/reward as it relates to introducing Open-Source Software to organization? My org is dipping its toe into the OSS world and the architecture and risk governance teams are looking to get ahead of these requests by coming up with policies and standards for OSS technology being brought into our environment. To clarify, this is not for software development and CI/CD pipelines, SDLC etc. This is for installing solutions that already exist out there (Zabbix, GreyLog, Prometheus etc.) into the organization's environment. We are looking to provide a balance on the obvious risk with the ability to move fast (like everyone else now).

Which vendor solutions are being considered to "read, identify and redact information" in unstructured data sets? I'm specifically looking at solutions that can mask / redact or hide content within documents, that allow documents to be consumed but certain piece of information to be hidden.

SIEM Vendors - Have you used or evaluated?

Exabeam9%

Alienvault23%

Sophos22%

LinkAmerica3%

Splunk31%

Other10%

View Results

Based on your past experiences with starting a new position, what sorts of quick wins tend to have the greatest impact in terms of building up your credibility with stakeholders?

Read More Comments

We are considering a scanning solution for detecting Personal Information (PI) in our data assets, mainly AWS S3, DynamoDB, Salesforce, etc. We need the solution to detect PI, identify the type (e.g., infotype), and optionally map it to our own PI categories. We are currently considering BigID. Do you have experience with this tool or any other tools that can help us scan across different data platforms and technologies?

Read More Comments

How do you deal with a mismatch of risk appetites with the board? What are some ways to increase, or temper, the board’s risk appetite if necessary?

Read More Comments

Which pitfalls—model bias, false positives/negatives, data quality, regulatory constraints—often impede AI-based security tools, and how can they be mitigated in a financial-services context?

Read More Comments

What are the minimum AI Capabilities of any healthcare organization? These are categories that should be in every enterprise or commercial organizations that develop AI code or Models.

How many direct reports away from the CEO is the senior-most security executive?

Direct report11%

126%

232%

318%

48%

>51%

View Results

When migrating to the cloud, what's the top security issue that concerns you?

Data security45%

Shared resources/services43%

Compliance10%

Other: please specify.1%

View Results

Request for Review – DORA Logging, Monitoring, and ICT Incident Reporting:

I’m seeking your input on the EU Digital Operational Resilience Act (DORA), specifically around logging, monitoring, and ICT incident reporting requirements.

DORA mandates financial entities to log all relevant ICT events, including user activity and system and security events, typically via centralized platforms like SIEM. Real-time monitoring must be in place to detect anomalies, threats, or system failures, supported by automated alerts and clear escalation protocols.

Incidents must be classified based on severity and impact. Major incidents must be reported to regulators within four hours of classification; significant incidents within 48 hours. Entities must also submit intermediate progress and final reports detailing root cause and remediation. Where appropriate, impacted clients and stakeholders should be notified.

DORA emphasizes proactive ICT risk management, EU-wide regulatory harmonization, and board-level accountability. Compliance requires mature governance frameworks and supporting technologies for detection, reporting, and response.

Could you confirm if this summary aligns with your understanding of DORA’s requirements and share any insight on market best practices or tooling trends?

Read More Comments

What do you think the CMMC (Cybersecurity Maturity Model Certification) will actually address?

Read More Comments

When it comes to security vendor contract renegotiation, what sort of tactics have been most reliably effective for your org?

Are you already moving to quantum safe cryptography or planning to allocate budget to do so in the next year?

Read More Comments

Any benchmarking feedback would be helpful as well, but what resources or best practices would you direct me to in regards to implementing policies around revocation of computer access for employees on extended leave, other than PTO (e.g., when and to what extent to revoke access, for what types of leave, suggested timeframes, etc.).