For the CISO/DPO
With an ever-increasing focus on regulatory compliance, CISOs have a more strategic role to play in securing data
The CISO role is a relatively recent development, but its emergence shows that information security is a growing concern that needs consistent, dedicated attention at the highest level of the organization. The role itself has also grown: from one largely focused on managing security control technologies to that of a consultative risk-management professional who understands the business's processes.
In recent years the role has also taken on more 'strategic' responsibilities, such as formulating organizational goals, especially where those goals cover the secure dissemination of digital information within and across companies.
However, there is increasingly a third dimension to the CISO's presence in the organization: an eye on lurking risks. The recent Allianz Risk Barometer ranks cyber attacks as the primary business threat. Global networks and trends such as the Internet of Things are certainly business enablers, but they also put a company's intellectual property and sensitive data at risk.
As entities become interconnected through IoT and machine-to-machine (M2M) communication on a hitherto unseen scale, the chance of a leak spreading among connected devices grows proportionately. Insiders, especially those with malicious intent, have the easiest access to this data and, absent controls, the best chance to leak it; a fact CISOs should be aware of and put at the top of their risk-mitigation agenda. According to a study by the Ponemon Institute, 78% of employees pose critical threats to security. (1)
What must CISOs do?
When it comes to being the custodian of their enterprise's data security, we know for a fact that CISOs will leave no gap open, however minuscule. But have they considered these questions?
- Does the CISO have a system in place that monitors what data users are downloading?
- Does the CISO have a system that monitors machine-to-machine data flows?
- Does the organization have a setup that lets the CISO set fine-grained policies to control or block data transfers?
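The three questions above are about monitoring and policy rather than any particular product, so here is an added example (written for this page, not code from the original or from any vendor) of what a fine-grained data-transfer policy can look like in practice: a small Python policy engine evaluated over constructed user-download and machine-to-machine events. The roles, destination zones, classification tiers, the 500 MB-per-hour volume limit and the actor names are all assumptions made for the illustration. It goes slightly beyond the list by adding a rolling-volume check, since many small, individually permitted transfers can add up to a leak that no per-transfer rule catches.

```python
"""Added example: a minimal fine-grained data-transfer policy engine.

Every table below is a hypothetical assumption for illustration; the events
fed to run_demo() are constructed, not real logs.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int              # seconds since epoch (constructed)
    actor: str           # user id or service id
    kind: str            # "user" (interactive download) or "m2m" (service-to-service)
    classification: str  # "public", "internal" or "confidential"
    dest: str            # hostname / zone the data is going to
    size_mb: int


# --- hypothetical policy tables (assumptions, not from the page) -------------
ROLE_OF = {"alice": "finance", "bob": "contractor",
           "svc-billing": "service", "svc-backup": "service"}
ALLOWED_CLASSIFICATION = {
    "finance": {"public", "internal", "confidential"},
    "contractor": {"public"},
    "service": {"public", "internal", "confidential"},
}
# Per-service allowlist: an M2M flow is only legitimate to known peers.
M2M_ALLOWLIST = {"svc-billing": {"db.internal"},
                 "svc-backup": {"db.internal", "backup.internal"}}
# Destinations to which non-public data may be sent by interactive users.
TRUSTED_DESTS = {"db.internal", "backup.internal", "share.internal"}
VOLUME_LIMIT_MB = 500    # rolling per-actor ceiling ...
WINDOW_SECONDS = 3600    # ... over this window


class PolicyEngine:
    """Evaluates transfers in order and keeps per-actor volume history."""

    def __init__(self):
        self.history = defaultdict(list)  # actor -> [(ts, size_mb), ...]

    def evaluate(self, t: Transfer):
        """Return (decision, reason); decision is allow, alert or block."""
        role = ROLE_OF.get(t.actor)
        if role is None:
            return "block", f"unknown actor {t.actor}"
        if t.classification not in ALLOWED_CLASSIFICATION[role]:
            return "block", f"{role} may not move {t.classification} data"
        if t.kind == "m2m":
            if t.dest not in M2M_ALLOWLIST.get(t.actor, set()):
                return "block", f"{t.actor} is not allowed to send to {t.dest}"
        elif t.dest not in TRUSTED_DESTS and t.classification != "public":
            return "block", f"{t.classification} data to untrusted {t.dest}"
        # Rolling volume check: drop entries outside the window, add this one,
        # and alert when the actor's total in the window exceeds the ceiling.
        hist = self.history[t.actor]
        hist[:] = [(ts, mb) for ts, mb in hist if t.ts - ts < WINDOW_SECONDS]
        hist.append((t.ts, t.size_mb))
        total = sum(mb for _, mb in hist)
        if total > VOLUME_LIMIT_MB:
            return "alert", f"{t.actor} moved {total} MB within the last hour"
        return "allow", ""


# Constructed sample events, one per policy branch.
SAMPLE_EVENTS = [
    Transfer(1000, "alice", "user", "internal", "share.internal", 50),
    Transfer(1010, "bob", "user", "confidential", "share.internal", 5),
    Transfer(1020, "alice", "user", "confidential", "dropbox.example", 10),
    Transfer(1030, "svc-billing", "m2m", "internal", "backup.internal", 100),
    Transfer(1040, "svc-backup", "m2m", "confidential", "backup.internal", 300),
    Transfer(1640, "svc-backup", "m2m", "confidential", "backup.internal", 300),
    Transfer(1650, "mallory", "user", "public", "share.internal", 1),
]


def run_demo(events=SAMPLE_EVENTS):
    """Evaluate the events with a fresh engine and return the decisions."""
    engine = PolicyEngine()
    return [engine.evaluate(e) for e in events]


if __name__ == "__main__":
    for event, (decision, reason) in zip(SAMPLE_EVENTS, run_demo()):
        print(f"{decision:5} {event.actor:12} -> {event.dest:16} {reason}")
```

The two `svc-backup` events are the point of the rolling check: each 300 MB transfer is allowed on its own, but the second one pushes the hourly total past the limit and is flagged, which is exactly the kind of low-and-slow movement that per-transfer rules miss.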
(1) "Privileged User Abuse & The Insider Threat", Ponemon Institute, 2014.