What do you do when a business won't follow your cybersecurity recommendations?

Outsourcing & Managed Services Security Strategy & Roadmap

982 views3 Comments

Sort by:

Director of Information Security in Energy and Utilities3 years ago

You are there to advise the business on cyber risks. If the business understands the potential impact of the risk to the business, you've done your job. Do document your recommendations and their responses for your record.

CISO in Software3 years ago

Recommendations should always have details on the risks or impact if the recommendation is not followed so everyone and businesses are aware of the potential implications based on their decisions

CTO in Software3 years ago

You have to treat those situations with the same disposition a doctor would have. I've done over 200 assessments around the globe, often in organizations that are seen as mission-critical to the country they’re in. It’s often a massive enterprise that’s responsible for the country’s gross domestic product, so I don't take it personally when they take my report and put it on a shelf. I did everything I could; I learned about the system and its makeup. It’s just the nature of the beast.

Content you might like

Have you found privileged access management more difficult than identity access management?

Much more difficult2%

Somewhat more difficult42%

Slightly more difficult22%

No difference17%

Slightly less difficult13%

Somewhat less difficult1%

Much less difficult

Unsure

View Results

As organizations deploy LLMs and other AI systems, how do you recommend security teams address risks such as data leakage, prompt injection and adversarial manipulation? What frameworks or practices should be prioritized to make AI security programs resilient from day one?

Looking to benchmark. If you are in-process of pursuing the ISO 42001 or have obtained it, how have you measured the business value?

With Gartner highlighting the urgency of post-quantum cryptography (PQC), I would like to know if there are other members of the group already involved in the discussion or in the planning to face the threat of attacks like 'harvest-now, decrypt-later'?

Have you found using static application security testing (SAST) and dynamic application security testing (DAST) effective for improving app security?

Very effective8%

Moderately effective70%

Moderately ineffective13%

Very ineffective4%

Unsure2%

View Results

What do you do when a business won't follow your cybersecurity recommendations?

Sort by:

Content you might like

Have you found privileged access management more difficult than identity access management?

As organizations deploy LLMs and other AI systems, how do you recommend security teams address risks such as data leakage, prompt injection and adversarial manipulation? What frameworks or practices should be prioritized to make AI security programs resilient from day one?

Looking to benchmark. If you are in-process of pursuing the ISO 42001 or have obtained it, how have you measured the business value?

With Gartner highlighting the urgency of post-quantum cryptography (PQC), I would like to know if there are other members of the group already involved in the discussion or in the planning to face the threat of attacks like 'harvest-now, decrypt-later'?

Have you found using static application security testing (SAST) and dynamic application security testing (DAST) effective for improving app security?

What sets us apart?

RELATED ONE-MINUTE INSIGHTS

How are U.S. CISOs Addressing Liability Risk?

CrowdStrike Outage: Impact And Recovery

2024 Product Management Priorities and Challenges

Data-Driven Customer Experience: Uniting D&A and CX Teams

Navigating Economic Uncertainty in 2024: IT Leader Perspectives

Take Your Insights On-the-Go