How can infosec leaders/CISOs get their org to shift from a legacy security strategy that’s more compliance-focused to one that’s focused on risk reduction?

Director of Cybersecurity Data and App Protection in Healthcare and Biotech, 2 years ago

Having managed a Red Team before, I think those activities can be a powerful way to show the gaps between security and compliance. Those types of findings are realistic and show real risks in the organization that must be remediated. It should be eye-opening that a "compliant" organization is still vulnerable. Ideally those activities would provide motivation to build out a further risk remediation program, which would actually reduce risk through a risk register type of process.

CISO in Healthcare and Biotech, 2 years ago

Shifting an organization from a compliance-focused security strategy to one focused on risk reduction requires a multifaceted approach:

Educate and Communicate, Align with Business Objectives, Develop a Risk Management Framework, Implement Proactive Security Measures, Enhance Governance and Accountability, Foster a Security Culture, Engage with the Board and Senior Management, Optimize Budget Allocation, Leverage Technology and Automation, Continuous Improvement, Legal and Regulatory Alignment

Head of Information Security in Services (non-Government), 2 years ago

Having the right governance structures in place is important. We have a committee called the Protect Subcommittee that comprises the general counsel's office and leaders from our privacy and security practice groups. It helps us apply a business lens and risk focus to certain security decisions. At the end of the day, security and risk acceptance is a business decision, so I always try to emphasize that it's not my decision whether a risk is appropriate for the firm to accept or not; it's the business's decision.
