Occasionally, we will publish reports which come from internal research or from the CISO Lens community. These reports are shared here with the intention of providing decision support. These reports are provided free, and no registration is required.
Standardised Executive Reporting - an industry report from the CISO Lens community (June 2022)
This report has its roots in innumerable conversations within the CISO Lens community, over many years. In 2021, one of our former members took up the challenge and produced this report.
The problem we set out to address: Board members see cyber security and risk management presented to them in many ways.
The more boards they sit on, the more ways they see cyber security management presented.
We wanted to create a common understanding across multiple organisations. That meant creating a series of templates to help structure cyber security reporting.
We have published this report with the following intentions:
For CISOs in newly created roles, to offer them a starting point that would come from the same principles as their peers.
For executives in organisations that do not have a CISO, to offer a starting point and help them see how dedicated internal security executives view the process of reporting on cyber security.
For board members, to offer them an insight into cyber security reporting issues that are common across many organisations.
Please note, this report is offered as a starting point, and you are free to use as much, or as little, as you like. Most importantly, this report should be viewed through the nuances of your organisation and the environment it operates in.
Our thanks to Andy Chauhan for creating this series of templates.
White Paper: A pragmatic approach to Cyber Insurance in 2022 (May 2022)
We argue that the ideal position is to self-insure as much as possible, by consciously committing to a strategy of prevention and resilience in a manner commensurate with the risks your company faces.
The journey toward genuine self-insurance is the path toward operational maturity and better risk management. By genuine self-insurance, we mean; informed, conscious, accompanied by a strategy of prevention and resilience and, potentially, even reserving funds in a Captive Insurance Company for a future rainy day.
As we wait and see how the viability of the cyber insurance market plays out in the coming years, it may make sense to have a policy as your last line defence, in case the absolute worst happens. But relying on cyber insurance is not pragmatic.