Occasionally, we will publish reports which come from internal research or from the CISO Lens community. These reports are shared here with the intention of providing decision support. These reports are provided free, and no registration is required. They are provided 'as is'. If you use them, please give credit to the authors.

Incident Response Template - November 2022

Nadia Yousef, our New Zealand Country Manager, created this template and we're publishing it in the hope that it will help someone through having a bad day and prevent it from being a worse day.

This template stems from Nadia's extensive (and intensive) experience with CERT NZ, the dozens of interviews Nadia has conducted this year on the subject of incident response, as well as numerous pencil reviews of the incident response plans of CISO Lens members.

CISO Lens - Incident Response Template - November 2022.pdf

Cloud Governance Framework - an industry report from the CISO Lens community (August 2022)

Cloud Governance Framework - Public - August 2022.pdf

Standardised Executive Reporting - an industry report from the CISO Lens community (June 2022)

Reporting templates

This report has its roots in innumerable conversations within the CISO Lens community, over many years. In 2021, one of our former members took up the challenge and produced this report.

The problem we set out to address: Board members see cyber security and risk management presented to them in many ways.

The more boards they sit on, the more ways they see cyber security management presented.

We wanted to create a common understanding across multiple organisations. That meant creating a series of templates to help structure cyber security reporting.

We have published this report with the following intentions:

  1. For CISOs in newly created roles, to offer them a starting point that would come from the same principles as their peers.

  2. For executives in organisations that do not have a CISO, to offer a starting point and help them see how dedicated internal security executives view the process of reporting on cyber security.

  3. For board members, to offer them an insight into cyber security reporting issues that are common across many organisations.

Please note, this report is offered as a starting point, and you are free to use as much, or as little, as you like. Most importantly, this report should be viewed through the nuances of your organisation and the environment it operates in.

Our thanks to Andy Chauhan for creating this series of templates.

Standardised Executive Reporting - PUBLIC - 2022.pdf

White Paper: A pragmatic approach to Cyber Insurance in 2022 (May 2022)

We argue that the ideal position is to self-insure as much as possible, by consciously committing to a strategy of prevention and resilience in a manner commensurate with the risks your company faces.

The journey toward genuine self-insurance is the path toward operational maturity and better risk management. By genuine self-insurance, we mean: informed, conscious, accompanied by a strategy of prevention and resilience and, potentially, even reserving funds in a Captive Insurance Company for a future rainy day.

As we wait and see how the viability of the cyber insurance market plays out in the coming years, it may make sense to have a policy as your last line of defence, in case the absolute worst happens. But relying on cyber insurance is not pragmatic.

The hard truth is that being able to make an insurance claim is a Pyrrhic victory. Your life, and the lives of your staff, your customers, and the myriad of stakeholders in the complex ecosystem that your company receives value from, and delivers value to, would all be easier if the incident that you could make a claim for was, instead, avoided in the first place.

White Paper - A pragmatic approach to Cyber Insurance in 2022.pdf