The IT Certification Resource Center

Featured Deal

Get CompTIA, Cisco, or Microsoft training courses free for a week.
Learn More ❯

Info Security Chiefs: Communications Is Key to Mitigate Risk 

Rolling Meadows, IL, USA (9 May 2017) — Recognizing that cyber security is not just an IT issue—but a critical business priority— requires enterprise-wide buy-in starting at the highest levels.


That was one of the key takeaways identified in the CISO Board Briefing 2017 from global business technology and cyber security association ISACA. Leading chief information security officers (CISOs) and those serving in related roles gathered at a series of CISO forums occurring in conjunction with ISACA’s recent CSX conferences in Las Vegas, London and Singapore.


The cyber security needs of an organization in the areas of governance, cloud security, annual priorities, the growing cyber skills gap, vendor risk management, and regulations and compliance were discussed as CISOs gathered to tackle issues and share experiences as leaders in their profession.


The most critical way to ensure those needs are met is “communication, communication, communication,” said TCW Group CISO Johnny Munger.


“While decisions are made in the boardroom, it takes a lot of effort (outside of the boardroom) to understand each board member’s perspective on cyber security, address their communication needs and convince them of necessary cyber security capabilities on an ongoing basis,” said Munger. “Boardroom meetings just formalize the decision, but are not enough to present and attempt to justify the buy-in required.”


Québec Ministry of Agriculture, Fisheries and Food CISO Michel Lambert, CISA, CISM, CRISC, CGEIT, CISO, served as the expert reviewer for the report and noted how vastly different CISO positions were depending on the organization.


“When a group of CISOs discusses reporting, you rapidly come to realize that there is not a unique global best practice,” Lambert said. “In fact, as indicated in ISACA’s CISO board briefing, the function, description and job duties of a CISO vary wildly. There is not one correct organizational map, not one universal title, and not even one universally applicable job description for the information security executive.”


Other notable insights from the forums include:



“The cyber security framework of an organization will depend heavily on the organization’s culture, the risk appetite, principles and goals. Of course, the role of the CISO is to build the governance framework, taking into consideration all those aspects and leveraging them to get the necessary buy-in. The cyber security governance has to be coupled with the business strategy.”


RIZWAN JAN CISO, Henry M. Jackson Foundation for the Advancementof Military Medicine.


Cloud Security

“Public cloud computing, to be successfully utilized, requires that enterprises, especially CISOs, understand how the business works. Understanding details of workflows and data movement will help assess the risks that need to be managed. Security controls and audit reports for nonrelevant aspects add little value towards protecting your enterprise.”

PHORAM MEHTA Head of Information Security-APAC, PayPal Pte Ltd.


Annual Priorities

CISOs’ current top priorities include “cyberthreat intelligence sharing, threat analysis, cyber security capability (leading indicator) and maturity (lagging indicator), new technologies (virtual reality), back to basics (firmware security, effective monitoring of new threats, etc.).”

LEONARD ONG Associate Director, IT Risk Management & Security, Asia Pacific & Japan, Merck & Co, Inc.


The Skills Gap

“If someone shows a gap in knowledge, skill or experience that is needed in the near future (for example, passing certifications exams), but, if that individual is loyal in attitude to the company, I would hire this applicant. To retain the right people, you need to make achievable goals for them, rotate responsibilities, encourage training, and stimulate them.”

ALEXANDER KHOMKO Director of Information Security, JS Electronic Moscow


Vendor Risk Management

“Vendor relationships change over time and so does the threat landscape based on the industry and geopolitical activities. However, most vendor risk management programs are still an annual exercise. One of the key challenges/priorities for us is to make the vendor risk life cycle a more dynamic and real-time process.”

PHORAM MEHTA Head of Information Security-APAC, PayPal Pte Ltd.


European Regulations and Compliance

“The main pain point of compliance is time. GDPR, Russia’s new regulation and China’s new privacy law all request [organizations] to be compliant in a relatively short period of time (EU GDPR being the most flexible one).”



The full report is available as a free download at For additional information on ISACA’s CSX conferences, visit:



ISACA ( helps professionals around the globe realize the positive potential of technology in an evolving digital world. By offering industry-leading knowledge, standards, credentialing and education, ISACA enables professionals to apply technology in ways that instill confidence, address threats, drive innovation and create positive momentum for their organizations. Established in 1969, ISACA is a global association serving more than 500,000 engaged professionals in 188 countries. ISACA is the creator of the COBIT framework, which helps organizations effectively govern and manage their information and technology. Through its Cybersecurity Nexus (CSX), ISACA helps organizations develop skilled cyber workforces and enables individuals to grow and advance their cyber careers.