Reports
Occasionally, we will publish reports which come from internal research or from the CISO Lens community. These reports are shared here with the intention of providing decision support. These reports are provided free, and no registration is required. They are provided 'as is'. If you use them, please give credit to the authors.
White Paper: Security Operating Model - Design Considerations (May 2024)
This white paper is the result of interviews with Chief Security Officers (CSOs), Chief Information Security Officers (CISOs) and heads of security functions across multiple industries (covering Finance, Utilities, Retail and Technology) on their respective operating models. The topic under discussion was: What are the key considerations when designing an effective Security Operating Model (SOM)?
This white paper will be of most interest to people accountable for leading, establishing, re-designing, or transforming a security function.
Through the course of this research, a framework of seven attributes was used to explore the security operating model of participants across multiple industries covering Finance, Utilities, Retail and Technology. The paper has also leveraged CISO Lens benchmarks and other global surveys carried out on reporting lines and security function structures.
This white paper explores the definition of an operating model and provides a framework for evaluating and measuring the effectiveness of a Security Operating Model.
White Paper: Measuring CERT effectiveness. What does good look like? (March 2023)
This white paper argues that measuring the success of an agency tasked with responding to and preventing cyber security incidents is inherently challenging, and that two factors are critical.
Firstly, ensuring that the organisation works smoothly; the work of ENISA will be useful toward this goal.
Secondly, maintaining a laser focus on who the CERT serves is critical. In our conclusion we offer a possible governance structure to support this focus.
This white paper will be of most interest to people accountable for establishing or leading CERTs.
Incident Response Template (November 2022)
Nadia Yousef, our New Zealand Country Manager, created this template and we're publishing it in the hope that it will help someone through having a bad day and prevent it from being a worse day.
This template stems from Nadia's extensive (and intensive) experience with CERT NZ, the dozens of interviews Nadia has conducted this year on the subject of incident response, as well as numerous pencil reviews of the incident response plans of CISO Lens members.
Cloud Governance Framework - an industry report from the CISO Lens community (August 2022)
By Ashutosh Kapse (CISO Lens alumnus) and Vasant Rao, this Cloud Governance Framework is designed to set the direction of cloud governance for the onboarding and ongoing management of cloud technologies, services and solutions at an organisation. It is also designed to provide a set of principles, controls (risk commensurate), processes and guardrails (preventative / detective), based on the enterprise governance policy and regulatory requirements.
Standardised Executive Reporting - an industry report from the CISO Lens community (June 2022)
Reporting templates
This report has its roots in innumerable conversations within the CISO Lens community, over many years. In 2021, one of our former members took up the challenge and produced this report.
The problem we set out to address: Board members see cyber security and risk management presented to them in many ways.
The more boards they sit on, the more ways they see cyber security management presented.
We wanted to create a common understanding across multiple organisations. That meant creating a series of templates to help structure cyber security reporting.
We have published this report with the following intentions:
For CISOs in newly created roles, to offer them a starting point that would come from the same principles as their peers.
For executives in organisations that do not have a CISO, to offer a starting point and help them see how dedicated internal security executives view the process of reporting on cyber security.
For board members, to offer them an insight into cyber security reporting issues that are common across many organisations.
Please note, this report is offered as a starting point, and you are free to use as much, or as little, as you like. Most importantly, this report should be viewed through the nuances of your organisation and the environment it operates in.
Our thanks to Andy Chauhan for creating this series of templates.
White Paper: A pragmatic approach to Cyber Insurance in 2022 (May 2022)
We argue that the ideal position is to self-insure as much as possible, by consciously committing to a strategy of prevention and resilience in a manner commensurate with the risks your company faces.
The journey toward genuine self-insurance is the path toward operational maturity and better risk management. By genuine self-insurance, we mean: informed, conscious, accompanied by a strategy of prevention and resilience and, potentially, even reserving funds in a Captive Insurance Company for a future rainy day.
As we wait and see how the viability of the cyber insurance market plays out in the coming years, it may make sense to have a policy as your last line of defence, in case the absolute worst happens. But relying on cyber insurance is not pragmatic.
The hard truth is that being able to make an insurance claim is a Pyrrhic victory. Your life, and the lives of your staff, your customers, and the myriad of stakeholders in the complex ecosystem that your company receives value from, and delivers value to, would all be easier if the incident that you could make a claim for was, instead, avoided in the first place.