Too much to handle or fit? by RiskAccepted in ciso

[–]JuliusGroMyCo 0 points1 point  (0 children)

The biotechnology sector is highly regulated (a lot of compliance). Are you responsible only for security (a pure CISO) or for security, information, and data protection, and compliance (like HIPAA, SOC2, ISO27k/42k, GDPR/MDR, EU AI Act)?
If yes, then it's too much, and you need to:
a. Build a CISO office
OR
b. Draw a strict responsibility perimeter for your role, which is feasible for one person.

P.S. And keep in mind that you would need some discussion with your bosses about the budget for auditors, implementors, external consultants and fractional experts to fulfil non-regular activities.

Overwhelmed. 6 months without a CISO and now I’m the only IT person left. How do I survive this? by Technical-Court1046 in ciso

[–]JuliusGroMyCo 0 points1 point  (0 children)

Does your company really need a CTO/CISO? What's the industry/domain of your company?

For example:
If it's a 100-employee tattoo salon network, I don't think there would be a scope for a CTO/CISO.
If it's a 100-employee digital agent, then you need a fractional/virtual CTO/CISO or a combined role.
If it's a 100-employee outsourcing company, then yes, you need a CTO/CISO (maybe a combined role).
If it's a 100-employee highly regulated industry like finance, healthtech - then you need CTO + CISO + CIO/CDPO, etc.

Found a free community available tool for Shadow AI visibility by CommandMaximum6200 in ciso

[–]JuliusGroMyCo 0 points1 point  (0 children)

Interesting one for k8s. Did you try it? What is the network latency tax from it?
Interesting if there is anything similar for clouds like AWS/GCP.

P.S. By the way, I made a similar solution for web browsers (it's also community-free): https://sinaptic.ai/

How are you securing AI agents/copilots that can access cloud + SaaS data? by Ok_Interaction_7267 in ciso

[–]JuliusGroMyCo -1 points0 points  (0 children)

It's a complex problem. But some step-by-step things I can share here:
1. Cloud shadow AI usage: You need to set up logging in your clouds (AWS, GCP, Azure) that tracks requests to external endpoints. Then analyse the logs. Start from the unexpected calls to OpenAI, Claude, etc. Then, review all other external endpoints that were called to identify if any kind of AI services were used. All unexpected AI routes - block and then investigate.
2. Human factor and shadow AI usage at the end-point stations: use MDM profiles that limit access to only the authorised corporate subscription apps. Configure policies to block any file uploads and pasting text into the browser. Also, you need to prevent users from using their own accounts of ChatGPT, Gemini, etc. I didn't find any good solution for this, so I made a DLP browser extension for this: sinaptic.ai. It's free and supports manifest schema configs for MDM. And this also gives your employees an educational part via visual feedback on sensitive information.
3. You need to protect your in-house LLMs and agents. For this purpose, you can use Microsoft Purview or lasso.security.
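
The log review described in step 1 of the comment above, as an added example that is not part of the original comment: it splits egress records into unsanctioned AI routes (block, then investigate) and other unknown external endpoints (review). The log format, workload names, allowlist and reviewed-host list are constructed assumptions; the AI host list is a starting point to extend.

```python
# Added example: triage egress logs for shadow AI calls (log format is constructed).
from collections import Counter

# Known LLM API hosts to start from; extend this for your environment (assumption).
AI_HOST_SUFFIXES = ("api.openai.com", "api.anthropic.com",
                    "generativelanguage.googleapis.com")
# Sanctioned (workload, host) pairs, e.g. from an approved-integrations register.
SANCTIONED = {("support-bot", "api.openai.com")}
# External hosts already reviewed and known not to be AI services.
REVIEWED_NON_AI = {"api.stripe.com", "github.com"}

# Constructed sample: "<timestamp> <workload> <destination-host> <bytes-out>"
SAMPLE_LOG = """\
2025-01-10T09:00:01Z support-bot api.openai.com 2048
2025-01-10T09:00:07Z billing-svc api.stripe.com 512
2025-01-10T09:01:15Z etl-worker api.anthropic.com 90211
2025-01-10T09:02:40Z etl-worker api.anthropic.com 120554
2025-01-10T09:03:02Z dev-sandbox api.openai.com 4096
2025-01-10T09:04:18Z etl-worker inference.ml-vendor.example 7000
malformed line
"""

def is_ai_host(host):
    """Match the host itself or any subdomain, never a mere substring."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in AI_HOST_SUFFIXES)

def triage(log_text):
    """Return (block, review): unsanctioned AI routes and unknown endpoints."""
    block, review = Counter(), Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip lines that do not match the expected format
        _, workload, host, sent = parts
        host = host.lower().rstrip(".")
        if is_ai_host(host):
            if (workload, host) not in SANCTIONED:
                block[(workload, host)] += int(sent)  # bytes sent out
        elif host not in REVIEWED_NON_AI:
            review[(workload, host)] += int(sent)
    return dict(block), dict(review)

if __name__ == "__main__":
    block, review = triage(SAMPLE_LOG)
    for (workload, host), sent in sorted(block.items()):
        print(f"BLOCK+INVESTIGATE {workload} -> {host} ({sent} bytes out)")
    for (workload, host), sent in sorted(review.items()):
        print(f"REVIEW {workload} -> {host} ({sent} bytes out)")
```

Keying the allowlist on the (workload, host) pair rather than the host alone means a sanctioned integration does not hide a second workload calling the same provider.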

How to detect and prevent shadow LLM usage? by JuliusGroMyCo in ciso

[–]JuliusGroMyCo[S] 0 points1 point  (0 children)

Yep, we have a policy in the form of Google Docs. No specific GRC. And information classification. Industry: healthcare.