Who decides how much security risk to take for a specific system?

Chief Information Security Officer: 31%

Chief Information Officer: 35%

Chief Risk Officer: 13%

Chief Executive Officer: 6%

Board: 6%

System Owner: 5%

Others (Please specify): 1%

1357 PARTICIPANTS
Director of IT in Healthcare and Biotech, 2 years ago

Should have enabled selecting multiple choices on this one. System owner + CRO for us, + agreement from CEO.

Principal Consultant in IT Services, 2 years ago

This really depends on if the company is taking a look at risk at all. For smaller companies, I am pretty sure this is not even a discussion point.

Group CIO in Manufacturing, 4 years ago

CISO is responsible for risk assessment and posture of the system. Then there are factors like business priorities that need to be looked into before deciding on a system. So ultimately, it is for the CIO to weigh the risk vs the business need and take a final call.

Director of IT in Manufacturing, 4 years ago

We have a cyber council consisting of business line executives that determine the risk tolerance for cyber and weigh in on cyber investments and results.

Associate Vice President, Information Technology & CISO in Education, 4 years ago

Combination of accountable data owner, system owner, and CIO.
