Organisations need to rise to the occasion to protect their crown jewels, and this responsibility lies with the CISO to drive initiatives that will protect their organisation’s information systems, raise the information security awareness of the employees and ultimately protect the company and its resources from evolving cyber risks.
In this survey, we take a closer look at the role of the CISO and more specifically at the following aspects:
Lastly, based on our experience and best practice, we offer recommendations that would improve the overall experience of the CISO/ISO function in organisations.
The companies that responded to this edition of our "Out of the shadows: CISO in the spotlight" survey are based in Luxembourg and therefore represent the Luxembourg business landscape.
A total of 45 companies participated, of which 53% are medium-sized enterprises with fewer than 1,000 employees. The largest share of respondents (42%) operate in the financial services sector. Other key business sectors, such as insurance, healthcare and the public sector, are also represented.
Company size
Business sectors
Obtain management's support in the form of adequate budget, resources and time, and ensure that management treats information security as a top corporate priority.
This can be done by increasing your influence through active participation in corporate committees and by establishing a direct reporting line to management.
Align your information security strategy with the organisation's business strategy in order to secure lasting management support.
This can be achieved by promoting information security within the company and positioning it as a market differentiator rather than a pure cost centre.
Establish a reporting line to the risk management function rather than to IT management, in order to preserve independence when impactful decisions have to be taken.
This can be reached by sensitising your management to information security and to the potential conflicts of interest between security objectives and IT delivery interests.
Place strong focus on third-party risk and supplier security management. Many recent information security incidents originate with third parties and are usually the result of poorly managed third-party security.
Standardised questionnaires and third-party assurance reports (ISAE, SOC) document the points to consider when contracting with suppliers.
Set up a strong response to increasing threats, especially those related to social engineering and ransomware.
This can be done through employee awareness and training on such risks, including clear guidance on how to recognise and react to an attack.
Ensure a long-term information security strategy aligned with market best practices.
This is usually achieved by setting up a continuous improvement programme. International Standards provide clear guidance on the path to follow.