IBM - From Checkboxes to Frameworks: CISO Insights on Moving From Compliance to Risk-Based Cybersecurity Programs
Cybersecurity risk is a first-class threat to organizations of all sizes. Managing it is now a top C-suite priority, and funding for security efforts is increasing to reflect its importance. However, the growing number of public breaches occurring despite this increased visibility has led many Chief Information Security Officers (CISOs) and other senior security leaders to re-examine their underlying motivations and assumptions. Security leaders are now looking for fundamental ways to influence and improve both their own programs and the best practices used to define and apply risk management effectively.
This IBM Center for Applied Insights report, based on “Identifying How Firms Manage Cybersecurity Investment,” an IBM-sponsored study by Southern Methodist University, outlines how CISOs are stepping up cybersecurity efforts to address one of the most prevalent underlying issues globally: a programmatic focus on compliance instead of on risk-based business outcomes. In short, CISOs now know that simply being compliant isn’t acceptable for a well-governed organization.
How do I transform a compliance-based security program into one focused on risk?
How can I best communicate risk to the organization and manage expectations?
Do I have the skills, resources and tools to implement the right controls for success?
To address these questions, CISOs are adopting more sophisticated approaches to determine threats and to prioritize and fund security initiatives. Increasingly, security leaders are using custom frameworks as a strategic tool to transform their organizations into ones focused on real cybersecurity risk.