StrategyMix Insights Forum - Every Question Gets a Great Answer

Insight Questions

About Insights

The StrategyMix Insights Online Forum operates in much the same way as our roundtables in the sense that they deploy a Q&A format and are run under the Chatham House Rule. The group is also tightly moderated, so there will be no spam - just quality content.

The group is only open to Senior IT Executives and to carefully screened Trusted Advisors, who we believe will add value by providing valuable answers to the forum questions.

How to Join Insights

Note: If you are already an Insights member, the link to logon is:

Productivity metrics - do you use these? I’ll make an assumption that most companies are starting to struggle with productivity, especially with the upsurge in remote working or working from home. It seems that I hear this from many people across all industries. It’s important for CEOs and our executive team is wondering what is the best way to test this assumption, relying of course on the CIO to answer this. We use the Microsoft 365 stack, as I’m sure many others do as well in this forum. What tools do you leverage in M365 to help you answer these questions? How much time are people spending in online meetings? How many people are in these meetings? Does general work activity fluctuate when staff are working remotely vs. the office? Thanks in advance.

Last Update: 28 Sep 2023 - (Non-Cyber)

Cyber Frameworks - which would you recommend? We have been PCI compliant for a decade now and we have used PCI as a de facto cyber framework despite its limitations (it is very prescriptive and very narrow in scope). We want to adopt one of the broader frameworks (NIST, Essential 8 etc) while avoiding too much duplication and added work – does anyone have any recommendations or experiences to share in this area? We looked at this in panel discussion and there were some suggestions that NIST works best as a basis but the best answer may be a tailored mix. I like that (and I think it is always inevitable to some extent) but I do also like the certainty when interacting with partners, insurers and board of being able to state compliance to a particular framework. Any further thoughts?

Last Update: 28 Sep 2023 - (Cyber for CIOs)

Which frameworks and controls are companies using to defend against internal and external source code compromise and CI/CD pipeline compromise? Some context: I’m working with our head of DevOps on securing the global DevOps program. So, I’m focused on creating a custom framework for securing the “production line” of software developed in-house. I’m looking at OWASP’s DevSecOps maturity framework plus Gartner’s content (I have a sub). Both aren’t exactly what I’m looking for. My question: I’m interested to know which frameworks and controls companies are considering for securing repositories for source code, artifacts and containers, commits and CI/CD pipelines. We’re standardising on GitHub, including GH Advanced Security, and are looking at tools like Cycode and Legit Security.

Last Update: 26 Sep 2023 - (Cyber Leaders)

How are others handling threats like juice-jacking, or staff plugging in random USB drive/disk? What combination of approaches do you use?

Last Update: 13 Sep 2023 - (Cyber for CIOs)

With all the leakage of personally identifying data happening around the globe, will we ever see a digital or other ID that can’t be faked?

Last Update: 11 Sep 2023 - (Cyber for CIOs)

In the privileged access management (PAM) world, how do you best remediate the risk when service accounts are being automatically managed? ie: credentials changed (or not changed)

Last Update: 06 Sep 2023 - (Cyber Leaders)

Ransomware Payments - Should you pay, if so in what circumstances?

Last Update: 27 Jul 2023 - (Cyber Leaders)

Quotes and Cliches - love, hate, overused, fresh? Are there quotes you rely on to support your message that you think really resonate, or you now realise are terrible distractions from your message?

Last Update: 27 Jul 2023 - (Cyber Leaders)

CASB - cloud access security broker - advice? Currently assisting an org that doesn’t have a CASB solution, but has an audit finding recommending it be implemented. I have not heard “CASB” discussed recently or seen any big marketing campaigns but I might have been looking the other way. Perhaps everyone has bought one and the advertising has moved on. Do you have one, and if so, can you share any feedback on the capability, effectiveness and operating overhead needed?

Last Update: 27 Jul 2023 - (Cyber Leaders)

What tools are people using for container security to secure container storage, runtime and environment? We have limited on-premises infrastructure these days and use mainly AWS, Azure and GCP.We currently use Wiz; this is currently agentless and can scan both container storage as well as container environment (e.g. AWS Fargate) and will soon have an agent that can scan a container’s runtime. We are looking at Crowdstrike and SentinelOne for general endpoint protection and EDR, and these also have the facility to scan containers. Does anyone have any recommendations or information based on comparisons?

Last Update: 27 Jul 2023 - (Cyber Leaders)