This is my Top 10 list based on what common mistakes I am seeing, which may be completely different from what others are observing. Please share your experiences to see where there is overlap or uniqueness. 1) No CISO Left Behind Having a low performing CISO is in almost all cases a program killer. Not only is it bad for morale, it typically derails efforts to reduce risk and puts budget dollars on projects with very low ROI. One thing I have noticed is that C-levels and most BoDs are unable to adequately assess CISO performance. Its often only measured on personality and the pure luck of avoiding a public security breach. Conversely, many high performing CISOs get a raw deal when they experience a breach, yet have advanced the program further than any of their predecessors. Recommend: Hold quarterly KPI reviews, including discussion of new KPIs at least annually. Maintain accountability of a CISO's time, specifically around time spent building their personal bran...
My random musings about IT Security whenever I have time to think