{"id":20902,"date":"2026-06-23T11:00:00","date_gmt":"2026-06-23T11:00:00","guid":{"rendered":"https:\/\/www.securitytoday.de\/?p=20902"},"modified":"2026-07-09T16:16:02","modified_gmt":"2026-07-09T16:16:02","slug":"which-decision-rights-of-the-ciso-must-be-documented-in-writing","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/06\/23\/which-decision-rights-of-the-ciso-must-be-documented-in-writing\/","title":{"rendered":"Which CISO Decision Rights Must Be Set Out in Writing"},"content":{"rendered":"<p style=\"color:#69d8ed;font-size:0.9em;margin:0 0 16px;padding:0;\">6 min read<\/p>\n<p><strong>Friday, 2:47 a.m. The SOC reports lateral movement in the ERP segment and recommends isolation. The IT operations shift supervisor objects: month-end closing is running until 6:00 a.m. The CISO is on the phone, but the incident policy only says coordinate and advise. The question of who is allowed to shut down the production system at 2:47 a.m. is the wrong time for a fundamental debate.<\/strong><\/p>\n<div style=\"background:#003340;color:#fff;padding:32px 36px;margin:32px 0;border-radius:8px;\">\n<p style=\"margin:0 0 18px 0;font-size:0.95em;font-weight:800;text-transform:uppercase;letter-spacing:0.2em;color:#69d8ed;border-bottom:2px solid rgba(105,216,237,0.25);padding-bottom:12px;\">Key Takeaways<\/p>\n<ul style=\"margin:0;padding-left:22px;color:rgba(255,255,255,0.92);line-height:1.6;\">\n<li><strong style=\"color:#69d8ed;\">Expectation vs. Authority:<\/strong> The CISO is regarded as the security authority, yet in practice the mandate often ends at policy and advice. Without written authority, the loudest voice decides in an emergency.<\/li>\n<li><strong style=\"color:#69d8ed;\">Six Areas:<\/strong> Risk acceptance, policy exceptions, change approval, emergency isolation, budget and audit rights belong in the mandate with concrete thresholds.<\/li>\n<li><strong style=\"color:#69d8ed;\">Executive Management Remains Accountable:<\/strong> Section 38 BSIG and NIS2 Article 20 leave ultimate responsibility with executive management. The CISO acts under a delegated mandate that closes the gap.<\/li>\n<li><strong style=\"color:#69d8ed;\">Separate Reporting Line:<\/strong> Whoever is supposed to control IT operations should not report to it. BSI recommends direct assignment to top management.<\/li>\n<\/ul>\n<\/div>\n<p style=\"font-size:0.88em;color:#b8c5ce;margin:20px 0 32px 0;border-top:1px solid rgba(230,227,218,0.12);border-bottom:1px solid rgba(230,227,218,0.12);padding:10px 0;\"><span style=\"color:#69d8ed;font-weight:700;text-transform:uppercase;font-size:0.72em;letter-spacing:0.14em;margin-right:14px;\">Related:<\/span><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/20\/critical-roof-law-physical-resilience-ciso\/\" style=\"color:#333;text-decoration:underline;\">KRITIS Umbrella Act: When Resilience Becomes a CISO Obligation<\/a>&nbsp;&nbsp;<span style=\"color:#ccc;\">\/<\/span>&nbsp;&nbsp;<a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/19\/why-the-iso-certificate-alone-is-not-enough-for-the-bsi\/\" style=\"color:#333;text-decoration:underline;\">Why the ISO Certificate Alone Is Not Enough for the BSI<\/a><\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">Without a Written Mandate, the Loudest Voice Decides<\/h2>\n<p><strong>What Is a CISO Mandate?<\/strong> A CISO mandate, often called a charter, is the written agreement between executive management and the CISO that defines their role, reporting line, decision and veto rights, escalation paths, and resources. It translates the abstract expectation \u201cresponsible for security\u201d into concrete, enforceable authorities in an emergency.<\/p>\n<p>Most organizations treat the CISO as the top security authority. In practice, however, the mandate often ends at strategy and policy, without operational enforcement rights. This gap between expectation and authority is not an isolated case; it is structurally built in.<\/p>\n<p>The NIST Framework calls the core by name. The Governance, Roles and Responsibilities category in Cybersecurity Framework 2.0 requires that roles be equipped with the necessary authority. The revised guidance on Incident Response, NIST SP 800-61r3 from April 2025, states as a recommendation: Roles and responsibilities should be documented. Those involved need the authority to fulfill their tasks. The month-end closing versus isolation conflict is not a technical problem. It is a governance gap when the escalation chain is not documented in writing in advance.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">Six Decision Areas That Belong in the Mandate<\/h2>\n<p>A mandate does not have to regulate everything. It must clarify in advance the conflicts that regularly escalate in day-to-day operations and during incidents. Six areas come up time and again.<\/p>\n<p><strong>Risk Acceptance with Thresholds.<\/strong> The CISO assesses risks and describes compensating controls. Final acceptance of business risk should not rest with them. The mandate sets thresholds, for example by severity, data classification, or process criticality, above which the business unit or executive management formally countersigns. The CISO\u2019s signature confirms the accuracy of the security analysis. The business decision is not theirs.<\/p>\n<p><strong>Policy Exceptions.<\/strong> The CISO qualifies whether an exception is permissible, sets a time limit, and requires compensating measures. Silent continuation via tickets without documented acceptance must be ruled out. Where they reject, the path leads to escalation. A workaround is not an option.<\/p>\n<p><strong>Change Approval for Risky Deployments.<\/strong> IT operations wants to meet the release deadline; the CISO sees open findings or a missing penetration test approval. The mandate defines tiers: standard changes proceed without the CISO, high-risk changes require their approval or veto, a deadlock goes to executive management or a cyber committee.<\/p>\n<p><strong>Emergency Isolation.<\/strong> The most important sentence in the mandate. Who is allowed to separate network segments, lock accounts, and take production systems offline without prior approval from executive management and within what parameters. An active incident with confirmed compromise is a different case from mere suspicion. Precisely this boundary must be drawn in advance.<\/p>\n<p><strong>Budget and Resources.<\/strong> Not a blank check, but minimum authorities: a dedicated security budget, an approval threshold for emergency expenditures such as forensics or external support, and a say in security-relevant procurements. The BSI explicitly calls for sufficient resources and a direct reporting line for the security officer.<\/p>\n<p><strong>Audit and Review Rights.<\/strong> No visibility, no veto. The CISO needs read and audit access to logs, firewall rules, vulnerability reports, and backup-restore tests, independent of IT operations. This authority belongs in the mandate with time and legal limits, yet must be enforceable.<\/p>\n<p>The following overview shows the pattern, without spelling out an entire RACI matrix.<\/p>\n<div style=\"overflow-x:auto;-webkit-overflow-scrolling:touch;margin:16px 0 32px 0;\">\n<table style=\"width:100%;min-width:560px;border-collapse:collapse;margin:0;font-size:0.95em;\">\n<thead>\n<tr style=\"border-bottom:2px solid #69d8ed;\">\n<th style=\"text-align:left;padding:10px 12px;\">Decision<\/th>\n<th style=\"text-align:left;padding:10px 12px;\">Who Decides<\/th>\n<th style=\"text-align:left;padding:10px 12px;\">Escalation on Deadlock<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"border-bottom:1px solid rgba(230,227,218,0.12);\">\n<td style=\"text-align:left;padding:10px 12px;\"><strong>Final risk acceptance<\/strong><\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Business unit or executive management, CISO signs the analysis<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Executive management<\/td>\n<\/tr>\n<tr style=\"border-bottom:1px solid rgba(230,227,218,0.12);\">\n<td style=\"text-align:left;padding:10px 12px;\"><strong>Approve high-risk change<\/strong><\/td>\n<td style=\"text-align:left;padding:10px 12px;\">CISO approval or veto<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Executive management or cyber committee<\/td>\n<\/tr>\n<tr style=\"border-bottom:1px solid rgba(230,227,218,0.12);\">\n<td style=\"text-align:left;padding:10px 12px;\"><strong>Isolate production system<\/strong><\/td>\n<td style=\"text-align:left;padding:10px 12px;\">CISO or CSIRT in an active incident<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Immediate notification to executive management without prior approval<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align:left;padding:10px 12px;\"><strong>Policy exception<\/strong><\/td>\n<td style=\"text-align:left;padding:10px 12px;\">CISO time-limited, with compensation<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Executive management if rejected by the business unit<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">CISO and CIO: Why the Same Reporting Line Hides the Conflict<\/h2>\n<p>Availability and security are two legitimate goals that regularly conflict. IT operations wants to deliver; the CISO wants to secure. When both roles sit in the same reporting line, IT leadership controls exactly what the CISO is supposed to control: patches, identities, logging, backup. This breaks the separation of duties.<\/p>\n<p>BSI therefore recommends assigning the Information Security Officer (ISB) directly to top management to preserve independence. Integration into the IT department can create role conflicts. Governance analyses point in the same direction: Where the security function reports to IT leadership, information deficits and quiet self-interests easily arise in the chain.<\/p>\n<p>The practical answer is not a status debate about whether the CISO belongs in the C-suite. It is an escalation rule: A professional deadlock between IT leadership and the CISO escalates to executive management within a defined time window. Executive management decides on the business risk; the CISO documents their security position; both are recorded in writing in the minutes.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">The Legal Framework Draws the Line Between Responsibility and Authority<\/h2>\n<p>Laws and standards define management responsibility. They do not regulate the CISO\u2019s operational decision-making powers. The mandate closes precisely this gap. Section 38 BSIG obliges executive management to implement risk management measures and monitor their implementation. In the event of a culpable breach of duty, they are liable under corporate law rules. NIS2 Article 20 sets out the same line at EU level: The management bodies approve the measures, monitor them, and can be held liable for violations.<\/p>\n<p>BSI basic protection makes the consequence clear. Top management bears overall responsibility. Delegating operational tasks does not release them from it. This results in a clean division of roles: Executive management remains the ultimate decision-maker for risk acceptance and strategic trade-offs. The CISO receives delegated authorities for security operations, a veto in defined areas, and an escalation obligation. The order matters: The law does not specify which rights the CISO has. That is an organizational question. Therefore it must be answered in writing.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">What Belongs in a CISO Mandate and Where to Start<\/h2>\n<p>A mandate is a compact contract between executive management and the CISO, not a 40-page policy bundle. Eight building blocks suffice: role and scope with clear boundaries versus the CIO and data protection, the reporting line with minimum frequency and unfiltered conflict reporting, decision authorities with thresholds, the enumerated veto rights, the escalation path with time window and availability, resources including emergency approvals, audit and enforcement rights, and a review cycle signed off by executive management.<\/p>\n<p>Getting started requires no major reorganization. Three steps are enough to begin. First: answer the three incident questions in advance-who isolates, who notifies executive management and authorities, who may sacrifice availability. Second: record these answers identically in the mandate and the incident plan. Third: run the ERP segment isolation scenario once as a tabletop exercise, with IT leadership, the CFO, and executive management at the table, beyond the SOC. Anyone who has done this exercise will no longer argue about responsibilities at 2:47 a.m.<\/p>\n<p>In very small organizations, the role sometimes coincides with IT leadership. Compensating measures are then required: a four-eyes principle, external reviews, and a direct reporting line to executive management during an incident, clearly time-limited. This is the second-best solution, but at least it is documented.<\/p>\n<h2 style=\"padding-top:64px;margin-bottom:20px;\">Frequently Asked Questions<\/h2>\n<p class=\"st-faq-hint\">Each question is closed. Tap to unlock the answer.<\/p>\n<details>\n<summary><strong>What is the difference between a job description and a CISO mandate?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">A job description lists tasks and requirements. A mandate defines authorities: what the CISO may decide, where they have a veto, when they escalate, and which resources they are entitled to. In an incident, the mandate counts because it governs the authority to act.<\/p>\n<\/details>\n<details>\n<summary><strong>Does the BSIG prescribe the rights a CISO has?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">No. Section 38 BSIG regulates the responsibility of executive management. It does not regulate the CISO\u2019s authorities. Which rights are delegated is an organizational decision. This is precisely why it must be made in writing; otherwise the gap between legal responsibility and operational action remains open.<\/p>\n<\/details>\n<details>\n<summary><strong>Should the CISO report to the CIO?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">BSI advises direct assignment to top management to preserve independence. Whoever is supposed to audit IT operations and, if in doubt, apply the brakes should not report to it. Where a direct line is not possible, at least an unfiltered escalation path to executive management is needed.<\/p>\n<\/details>\n<details>\n<summary><strong>May a CISO shut down a production system on their own authority?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Only if the mandate permits it. A clearly defined authority for isolation in an active incident with confirmed compromise makes sense, combined with immediate notification to executive management. Without this written rule, the delay arises that is most costly in a real emergency.<\/p>\n<\/details>\n<details>\n<summary><strong>How often should a mandate be reviewed?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">At least annually and after every major security incident. An incident quickly reveals where authorities did not hold up in practice. Every review ends with a fresh signature from executive management so the mandate remains current and authorized.<\/p>\n<\/details>\n<h3>Editor\u2019s Reading Recommendations<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/19\/why-the-iso-certificate-alone-is-not-enough-for-the-bsi\/\">Why the ISO Certificate Alone Is Not Enough for the BSI<\/a><\/li>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/21\/supply-chain-risk-is-a-program-not-an-audit-list\/\">Supply Chain Risk Is a Program, Not an Audit Checklist<\/a><\/li>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/20\/critical-roof-law-physical-resilience-ciso\/\">KRITIS Umbrella Act: When Resilience Becomes a CISO Obligation<\/a><\/li>\n<\/ul>\n<p><!--ST-LOWER-CARDS lang=en--><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">Editor&#8217;s Picks<\/h3>\n<p><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/19\/why-the-iso-certificate-alone-is-not-enough-for-the-bsi\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/iso-27001-nis2-bsig-zertifikat-luecken-cover-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Why an ISO Certificate Alone Is Not Enough for the BSI<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/21\/supply-chain-risk-is-a-program-not-an-audit-list\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/tprm-lieferkettenrisiko-nis2-dora-programm-cover-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Supply Chain Risk Is a Program, Not an Audit Checklist<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/20\/critical-roof-law-physical-resilience-ciso\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/06\/kritis-dachgesetz-physische-resilienz-ciso-cover-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">KRITIS-Dachgesetz: When Resilience Becomes a CISO\u2019s Mandatory Duty<\/span><\/span><\/a><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">More from the MBF Media Network<\/h3>\n<p><a href=\"https:\/\/www.digital-chiefs.de\/en\/geopolitics-meets-the-data-center-roadmap-what-cios-must-secure-now\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-geopolitik-datacenter-roadmap-lieferkett-8054517-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#e8828d;margin-bottom:5px;\">Digital Chiefs<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Geopolitics Meets the Data Center Roadmap: What CIOs Must Secure Now<\/span><\/span><\/a><a href=\"https:\/\/mybusinessfuture.com\/en\/eu-requires-labeling-obligations-for-sme-2026\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-eu-ai-act-2026-kennzeichnungspflichten-m-35346140-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#aa8ac2;margin-bottom:5px;\">MyBusinessFuture<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">EU AI Act from August 2026: What labelling obligations really affect SMEs<\/span><\/span><\/a><a href=\"https:\/\/www.cloudmagazin.com\/en\/2026\/06\/16\/xfs4iot-meets-the-cloud-the-atm-becomes-a-platform\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-xfs4iot-cloud-geldautomat-plattform-syna-61345494.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#0bb7fd;margin-bottom:5px;\">cloudmagazin<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">XFS4IoT Meets the Cloud: The ATM Becomes a Platform<\/span><\/span><\/a><!--\/ST-LOWER-CARDS--><\/p>\n","protected":false},"excerpt":{"rendered":"CISO Mandate 2026: Which decision-making, veto, and escalation rights must be documented in writing so that it&#8217;s clear who can act during an incident.","protected":false},"author":10,"featured_media":18187,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"CISO mandate","_yoast_wpseo_title":"Which Decision Rights of the CISO Must Be Documented in Writing","_yoast_wpseo_metadesc":"CISO Mandate 2026: Define decision, veto, and escalation rights in writing to ensure clear action during incidents.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/ciso-mandat-entscheidungsrechte-eskalation-cover-hero.jpg","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/ciso-mandat-entscheidungsrechte-eskalation-cover-hero.jpg","_yoast_wpseo_twitter-image-id":0,"evm_cvss":0,"evm_risk":0,"evm_casefile":"","evm_primary_cve":"","evm_external_preview_token":"","evm_external_preview_expires":"","_evm_translation_lang":"","featured_post":0,"featured_post_sortierung":0,"_wp_old_slug":[],"footnotes":""},"categories":[258,259],"tags":[],"class_list":["post-20902","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-strategie-governance","category-strategie-governance-en"],"evm_reading_time_minutes":10,"wpml_language":"en","wpml_translation_of":18186,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/20902","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=20902"}],"version-history":[{"count":2,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/20902\/revisions"}],"predecessor-version":[{"id":21048,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/20902\/revisions\/21048"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/18187"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=20902"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=20902"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=20902"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}