Who decides how much security risk to take for a specific system?

Security & GRC

Chief Information Security Officer31%

Chief Information Officer34%

Chief Risk Officer14%

Chief Executive Officer6%

Board7%

System Owner4%

Others (Please specify)1%

1372 PARTICIPANTS

17.1k views4 Upvotes20 Comments

Sort by:

Director of IT in Healthcare and Biotecha year ago

Should have enable to select multiple choices on this one. System owner + CRO for us, + agreement from CEO.

Principle Consultant in IT Services2 years ago

This really depends on if the company is taking a look at risk at all. For smaller companies, I am pretty sure this is not even a discussion point.

Group CIO in Manufacturing4 years ago

CISO is responsible for risk assessment and posture of the system. Then there are factors like business priorities that need to be looked into before deciding on a system. So ultimately, it is for the CIO to weigh the risk vs the business need and take a final call.

Director of IT in Manufacturing4 years ago

We have a cyber council consisting of business line executives that determine the risk tolerance for cyber and weight in on cyber investments and results.

Associate Vice President, Information Technology & CISO in Education4 years ago

Combination of accountable data owner, system owner, and CIO.

Content you might like

With AI adoption accelerating across enterprises, what do you view as the top information security challenge that leaders should address? How can CISOs, VPs and Director’s align governance, risk and security investments to enable AI innovation without creating new exposures?

When you’re working on budgeting alongside your CISO, do you ever find that one perspective tends to take precedence over the other? How do you approach finding a balance and making collaborative decisions together?

When did you notice AI becoming a higher priority than cybersecurity in your discussions with leaders (even board members), and what factors contributed to that shift?

Is NSX micro segmentation a requirement for your Datacenter

Yes70%

No30%

What terrifies you the most as an IT leader when an employee isn't properly deprovisioned systems access after offboarding?

The risk of leakage of sensitive data36%

The risk of a cybersecurity attack through an unmanaged account.52%

The risk of malicious data detection/theft10%

Other (comment below)

View Results

Who decides how much security risk to take for a specific system?

Sort by:

Content you might like

With AI adoption accelerating across enterprises, what do you view as the top information security challenge that leaders should address? How can CISOs, VPs and Director’s align governance, risk and security investments to enable AI innovation without creating new exposures?

When you’re working on budgeting alongside your CISO, do you ever find that one perspective tends to take precedence over the other? How do you approach finding a balance and making collaborative decisions together?

When did you notice AI becoming a higher priority than cybersecurity in your discussions with leaders (even board members), and what factors contributed to that shift?

Is NSX micro segmentation a requirement for your Datacenter

What terrifies you the most as an IT leader when an employee isn't properly deprovisioned systems access after offboarding?

What sets us apart?

RELATED ONE-MINUTE INSIGHTS

How are U.S. CISOs Addressing Liability Risk?

CrowdStrike Outage: Impact And Recovery

Impact & Perceptions of A Privacy-First Digital Era

Challenges & Tools For A Privacy-First Internet Age

IT and Infosec Collaboration on Vulnerability Patching

Take Your Insights On-the-Go