Who decides how much security risk to take for a specific system?

Chief Information Security Officer: 32%

Chief Information Officer: 36%

Chief Risk Officer: 14%

Chief Executive Officer: 6%

Board: 3%

System Owner: 5%

Others (Please specify): 1%

1368 PARTICIPANTS
Director of IT in Healthcare and Biotech, a year ago

Should have enabled selecting multiple choices on this one. System owner + CRO for us, + agreement from CEO.

Principle Consultant in IT Services, 2 years ago

This really depends on if the company is taking a look at risk at all. For smaller companies, I am pretty sure this is not even a discussion point.

Group CIO in Manufacturing, 4 years ago

CISO is responsible for risk assessment and posture of the system. Then there are factors like business priorities that need to be looked into before deciding on a system. So ultimately, it is for the CIO to weigh the risk vs the business need and take a final call.

Director of IT in Manufacturing, 4 years ago

We have a cyber council consisting of business line executives that determine the risk tolerance for cyber and weigh in on cyber investments and results.

Associate Vice President, Information Technology & CISO in Education, 4 years ago

Combination of accountable data owner, system owner, and CIO.
