r/ciso

▲ 27 r/ciso

Compliance is not security

Heard a worker go on a rant about “compliance is not security”, “checking the box”, “security theater” rant the other day.

It got me thinking… if compliance isn’t security, then what is?

The green dashboards that turn out to be wrong? The pentests that mostly find the stuff you’d have caught yourself if you’d kept your environment patched, updated, and configured? The tools you bought and never confirmed still work?

Feels like half the things we hold up as “real security” only look impressive because the basic compliance work wasn’t done in the first place.

Curious where people actually land on these phrases.

And a real question: is there a difference between an annual compliance audit and continuously checking that your environment actually stays secure all year long? I feel like the second part is where security should actually live. 😅

reddit.com
u/NegotiationFirst131 — 4 days ago
▲ 3 r/ciso

Curiosity

How are companies from big to small managing and tracking the use of AI.

Do you think written policies is good enough now to enforce how AI should be used.

I've always thought once and employee disregards our policy then realistically the company stops being GDPR compliant etc.

It's something I thought about and I was like hmm. I mean I know this a problem but I just choose to ignore it.

Just wanted to hear eveyones thoughts on this ?

reddit.com
u/Frequent-Amount-6062 — 4 days ago
▲ 4 r/ciso+2 crossposts

How to stop non-tech employees sharing sensitive data with AI models?

Employees belonging to legal, and Finance are not technically advanced and are prone to share sensitive and client related data AI models.

Employees are given access to ChatGPT and Claude but they are sharing sensitive information, emails and files to AI for quick help. We don't have any audit and usage patterns for the employees. How to track the usage of AI models from such employees.

reddit.com
u/ra2vi3 — 9 days ago
▲ 12 r/ciso

Tools for accepting risk

I lead security, sitting under the CTO whom knows very little about security. It’s a setup many have faced. Incredible resistance to logical and established practices. Refusal to accept risk as present. Down right combative behavior when trying to highlight or review said risk.

This isn’t a new problem, it’s not a problem I haven’t faced before in my career, but this one feels a little different especially in the AI age. 20+ aayears in the industry with nearly 10 leading in security and operations.

What tools/tactics do you all use to CYA in these situations? I’m the only security minded person in management and leadership across a 100 person org and it feels hopeless at times I’m also the person who has to stamp my name on basically every security and compliance item that touches tech. It’s got me extremely nervous.

reddit.com
u/Zealousideal_Tea362 — 9 days ago
▲ 7 r/ciso+3 crossposts

Backend Engineers: How do fintechs practically implement DPDP Rule 6 security safeguards?

Hi everyone,

I'm working on the compliance framework for an Indian fintech (Lending Service Provider) and would like to understand how the security safeguards under Rule 6 of the DPDP Rules, 2025 are implemented in practice.

The Rule mentions encryption, masking/obfuscation, access controls, audit logs, monitoring, backups and other technical and organisational measures, but I'd like to understand how engineering teams actually build these systems.

Some questions:

1.How do Fintech typically protect sensitive data such as PAN, Aadhaar and KYC documents?

  1. Is data generally encrypted both at rest and in transit? How is key management usually handled?

  2. How are access controls implemented? Do you use Role-Based Access Control (RBAC) or something more granular?

  3. What kinds of logs are maintained for security and audit purposes? Are they application logs, database logs, audit trails or something else?

5.Do Indian fintechs commonly obtain ISO/IEC 27001 certification, or do many startups simply implement equivalent security controls without formal certification?

I'm looking for practical implementation insights from backend, security or DevSecOps engineers rather than legal interpretations.

reddit.com
u/InfamousDistrict5362 — 7 days ago
▲ 13 r/ciso

Board positioning of frontier AI models

Hi all, my board is concerned about frontier AI (I think largely due to Mythos mainstem news) and our approach

My main take at the moment is this is a change in economics not a fundamental change to attack models.

I'm expecting more frequent, and probably larger, patch cycles - and probably some more intelligent automate steps after a foothold (probably driven by an open weight model rather than anthropic or openAI models) - but there doesn't yet look to be much of a change in detection evasion or obfuscation.

I'm expecting the threat change to in house developed apps to be relatively modest - at least short term - as the development of exploits still seems heavily keyed to access to source code. Likely we'll want to more heavily apply intelligent automated testing at each build cycle - but again this is likely a change in frequency and cost base not a new control.

The feedback I'm getting from the NEDs is this feels a bit under weight and they are hearing much starker messages from other CISOs.

Am I missing something? Is there any evidence based reason to see this as a change in model not just change in operational costs?

reddit.com
u/FreeRadical1998 — 10 days ago
▲ 26 r/ciso

What’s the most frustrating part of being a CISO?

Okay guys, I’m tired of seeing security budgets get cut. After an incident everyone suddenly understands the value of cybersecurity. A few months later the conversations about reducing spending start again. Meanwhile, expectations keep growing, and headcount stays the same.

What has been bugging you lately?

reddit.com
u/minfrihet — 12 days ago
▲ 16 r/ciso

How do you justify a SASE rollout to leadership that only knows VPN and firewalls?

 I’m running into a messaging gap with our leadership. They understand “VPN gets people in” and “firewall keeps bad traffic out,” but once I talk about SASE, cloud‑delivered security, ZTNA, or identity‑aware policy, it sounds to them like buzzword bingo. Internally, the pain is obvious: remote users bypassing protections, multiple policy sets depending on location, and way too much effort just to keep aging hardware and licenses aligned with how people actually work now. For anyone who’s convinced a conservative exec team to move toward SASE, what arguments actually resonated? Was it about operational savings, risk reduction, user experience, or something else entirely that finally made them say, “OK, we need to modernize this”..

reddit.com
u/AdOrdinary5426 — 13 days ago
▲ 15 r/ciso

SSO Integration Costs for Legacy Apps — Real Numbers From Our Own Audit

ran an internal experiment to figure out what SSO integration actually costs per application. sharing because i haven't seen honest data on this anywhere and vendor materials are useless

tracked actual time across 12 legacy app SSO integrations over 6 months:

  • modern SaaS with native SAML/OIDC: 3-8 hours
  • internally built apps on modern frameworks: 2-6 weeks
  • legacy apps requiring code changes: 3-5 months
  • legacy apps with no active dev team: abandoned in 4 of 5 attempts

the finding that changed how i think about this: for roughly 30% of our legacy portfolio, full SSO integration is not economically viable. the cost exceeds the remaining useful life of the application. we've been treating SSO coverage as a solvable problem when for a meaningful chunk of the estate the honest outcome is "govern with alternative controls indefinitely."

this is where identity orchestration becomes practically relevant. not as a way to avoid SSO integration but as a governance layer for the apps that will never get integrated. orchestration that operates at the application layer rather than the IdP layer can extend policy enforcement to legacy apps without requiring them to be SSO-capable. for the 30% that's never getting integrated, that's the only realistic path to coverage.

what alternative controls are teams using for apps that will never get fully onboarded?

reddit.com
u/Alone_Bread5045 — 14 days ago