Who should primarily own cyber risk?

Risk Management Governance, Risk & Compliance

Board9%

CEO32%

CISO/CSO49%

Chief risk officer (CRO)4%

Let me see the results3%

Other (comment below with your alternative)1%

355 PARTICIPANTS

3.2k views2 Comments

Sort by:

Director of Information Security in Finance (non-banking)5 months ago

It is essential that every Business Unit has full control over the infrastructure it is dependent on. The responsible manager of the business process owns all the risks the process has internally from a business and operational perspective. (Follow NIS2 or DORA e.g.)
The be able to do so, the following requirements need to be fulfilled:
1.) The full dependency tree from the process to all deliverables, internally and externally
2.) Derive all requirements from top down
3.) The ability to aggregate operational risk from bottom up

Risk management runs the framework and processes how risks are measured and reported and governance sets the frame for decision making regarding risks.

Director of IT in Energy and Utilitiesa year ago

The owner of the cyber risk depends on what it is.

One example: If the cyber risk is due to technology obsolescence, then the officer of the company whose function owns such system is the primary owner of the cyber risk with the CIO and CISO being informed. As an example, if the obsolete system is an HR application. The assumption is that HR is paying for having the system around and ensuring that technology investments are made in this HR system. If the system continues to be obsolete, the HR leader owns all risks associated with that system, including cyber risks.

Another example: If the cyber risk is due to phishing, such risk would be owned by the CISO/CSO. It is the CISO/CSO's remit to put preventive and reactive measures in place around phishing for the organization. This could mean phishing tests, spam filters, intrusion detection, intrusion prevention etc.

Content you might like

What are the fundamental leadership capabilities that are needed for an era of exponential technology and AI innovation?

I'm interested in understanding how your organizations estimate the complexity of digital initiatives, particularly as a basis for applying appropriate project management governance. In other words, how do you assess initiative complexity in order to determine the level or type of governance needed?

As technology leaders, where are you seeing the most challenges or gaps?

Executive Support10%

Projects vs. Operations68%

Building a culture of Security15%

Team Completeness5%

View Results

Seeking insights for research universities regarding CMMC 2.0 adoption and compliance. I'm listing our full question set below, but we would welcome insights on any or all of these:

1. What is the anticipated timeline for CMMC 2.0 adoption by the Federal Government? Any insights on the expected rollout and implementation schedule?

2. From a Higher Ed CIO perspective, what are the key operational differences between each "level" in CMMC 2.0? Are there any specific challenges or considerations especially for research universities?

3. For a research university, which CMMC level would be the most suitable target? Are there any key dates or deadlines that Higher Eds and researchers should be aware of in their compliance journey?

4. What are the most crucial features or elements of CMMC that universities need to achieve compliance? Any recommendations or best practices?

5. Specifically, are there any requirements in CMMC for 7/24/365 "eyes on glass" network and/or endpoint monitoring? If there is an endpoint requirement, does it extend to all servers and laptops issued by the university, or is it limited to hosts involved in research grants? What is expected to demonstrate compliance in this regard?

6. Apart from CMMC compliance, are there other considerations or or strategies to consider when seeking to qualify for/reduce cyber risk insurance costs?

What's your most indispensable cloud infrastructure tools to use in addition to what you get from GCP, AWS, Azure?

HashiCorp (Terraform, Vault, Packer, etc.)22%

Cloud infra automation (Ansible, Puppet, Chef, etc.)56%

APM (Datadog, AppD, SignalFX, NewRelic, etc.)10%

Others?10%

View Results

Who should primarily own cyber risk?

Sort by:

Content you might like

What are the fundamental leadership capabilities that are needed for an era of exponential technology and AI innovation?

I'm interested in understanding how your organizations estimate the complexity of digital initiatives, particularly as a basis for applying appropriate project management governance. In other words, how do you assess initiative complexity in order to determine the level or type of governance needed?

As technology leaders, where are you seeing the most challenges or gaps?

What's your most indispensable cloud infrastructure tools to use in addition to what you get from GCP, AWS, Azure?

What sets us apart?

RELATED ONE-MINUTE INSIGHTS

CrowdStrike Outage: Impact And Recovery

Building Inclusion into DEI strategy: Insights from HR Leaders

How Do Cybersecurity Leaders Address Employee Burnout?

Building an Effective Executive Succession Plan

Software Engineering Teams Plan to Scale Up Productivity

Take Your Insights On-the-Go