{"id":60560,"date":"2026-04-29T16:00:00","date_gmt":"2026-04-29T16:00:00","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/8-best-practices-for-cisos-conducting-risk-reviews\/"},"modified":"2026-04-29T16:00:00","modified_gmt":"2026-04-29T16:00:00","slug":"8-best-practices-for-cisos-conducting-risk-reviews","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/8-best-practices-for-cisos-conducting-risk-reviews\/","title":{"rendered":"8 best practices for CISOs conducting risk reviews"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/dCISO_Mariani.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p class=\"wp-block-paragraph\"><em><em>The Deputy CISO blog series is where&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/topic\/office-of-the-ciso\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft&nbsp;<em>Deputy Chief Information Security Officers<\/em><\/a>&nbsp;(CISOs) share their thoughts on what is most important in their respective domains. In this series, you will get practical advice, tactics to start (and stop) deploying, forward-looking commentary on where the industry is going, and more.<\/em><\/em> <em>In this blog, Rico Mariani, Deputy CISO for Microsoft Security Products, Research Infrastructure, and Engineering Systems shares some of his best practices and expertise in conducting risk reviews.<\/em><\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.microsoft.com\/trust-center\/security\/secure-future-initiative\/patterns-and-practices\" target=\"_blank\" rel=\"noreferrer noopener\">The&nbsp;nature of cyberthreats has never been static<\/a>, but&nbsp;it\u2019s&nbsp;hard to accurately convey the scale of&nbsp;their recent evolution and proliferation. As&nbsp;we\u2019ve&nbsp;seen in many other arenas,&nbsp;AI has become&nbsp;a&nbsp;very&nbsp;powerful&nbsp;productivity tool for would-be cybercriminals. 
Between April 2024 and April 2025, Microsoft stopped $4 billion in fraud attempts.<sup>1<\/sup> And as of the writing of the <a href=\"https:\/\/www.microsoft.com\/corporate-responsibility\/cybersecurity\/microsoft-digital-defense-report-2025\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Digital Defense Report 2025<\/a>, we are tracking 100 trillion security signals each day (a 40% increase since 2023).<sup>2<\/sup><\/p>\n<p class=\"wp-block-paragraph\">This is why I decided to write a blog about risk reviews. By asking the right questions, risk reviews turn security data that would otherwise serve mainly reactive remediation and response into insights that inform a proactive security stance. And embracing strong proactive security is something we can all do to mitigate our increased exposure to security threats.<\/p>\n<p class=\"wp-block-paragraph\">Risk reviews are also a topic I\u2019ve focused on during my first six months as Deputy CISO for Microsoft Security. It\u2019s a very interesting role for me, as I\u2019ve traditionally described myself as a performance specialist and a systems specialist more than a security specialist. It\u2019s not necessarily a distinction of skill set, but more one of mindset, and what I\u2019d like to share with you is a synthesis of my performance- and systems-first way of thinking and things I\u2019ve brought into that practice after working with many of the other Microsoft Deputy CISOs over the last few months.<\/p>\n<p class=\"wp-block-paragraph\">There are eight points I want to raise concerning risk reviews in this blog. Each point can help expose security vulnerabilities when raised with security teams. 
Together, they represent a structured and approachable way to initiate the necessary conversations and drive meaningful results:<\/p>\n<ol start=\"1\" class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Assets<\/li>\n<li class=\"wp-block-list-item\">Applications<\/li>\n<li class=\"wp-block-list-item\">Authentication<\/li>\n<li class=\"wp-block-list-item\">Authorization<\/li>\n<li class=\"wp-block-list-item\">Network isolation<\/li>\n<li class=\"wp-block-list-item\">Detections<\/li>\n<li class=\"wp-block-list-item\">Auditing<\/li>\n<li class=\"wp-block-list-item\">Things not to miss<\/li>\n<\/ol>\n<p class=\"wp-block-paragraph\">Now, why did I choose to highlight these areas and not others? Generally, I find that looking at problems through the lens of risk management gives me a fresh perspective. When you consistently ask specific questions in these areas, they reliably start the conversation you want to have.<\/p>\n<p class=\"wp-block-paragraph\">Just one last thing before we dive in: what I\u2019m about to tell you is only approximately correct. There will be edge cases and exceptions, but generally I think you\u2019ll find this information helpful.<\/p>\n<h2 class=\"wp-block-heading\" id=\"1-assets\">1. Assets<\/h2>\n<p class=\"wp-block-paragraph\">The best place to start a review is identifying the assets that you need to protect. This will largely define the scope of the review. A good place to find those assets is, of course, in your architecture diagrams and your threat models. The assets we\u2019re talking about could be storage (where perhaps you\u2019re storing sensitive or otherwise important data) or they could be highly privileged applications like fleet command-and-control or deployment systems, or something similar. This is, in short, the list of things that your cyberattacker wants to get to.<\/p>\n<h2 class=\"wp-block-heading\" id=\"2-applications\">2. 
Applications<\/h2>\n<p class=\"wp-block-paragraph\">In the next step, you\u202fidentify\u202fyour applications. These are, broadly speaking, the active part of your system.\u202fThey are\u202fthe outward-facing surfaces\u202fthat customers will use\u202fand\u202fthe set of microservices that\u202fsupport\u202fyour interface. These systems\u202fcould be providing any set of services that you might need\u2014and\u202fherein\u202flies the problem. It\u2019s\u202fentirely normal for your applications to require access to your most important assets,\u202fbut that means the applications themselves can become\u202fviable\u202ftargets for a cyberattacker. So how do we make this situation better? At this point,\u202fit\u2019s\u202freasonable to start talking about\u202fpossible controls.\u202f<\/p>\n<p class=\"wp-block-paragraph\">Read up on&nbsp;<a href=\"https:\/\/review.learn.microsoft.com\/security\/zero-trust\/sfi\/zero-trust-source-code-access\" target=\"_blank\" rel=\"noreferrer noopener\">Zero Trust for&nbsp;source&nbsp;code&nbsp;access<\/a>.<\/p>\n<h2 class=\"wp-block-heading\" id=\"3-good-quality-authentication\">3. Good&nbsp;quality&nbsp;authentication\u202f<\/h2>\n<p class=\"wp-block-paragraph\">The next thing\u202fyou\u202fwill\u202fwant to\u202finspect\u202fis the form of authentication that your system is using. The best systems are using tokens for authentication, and they are getting these tokens from standard token issuers like, for instance, <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/microsoft-entra\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Entra<\/a>. It\u2019s sometimes viable to have your own token generation system, but remember that such systems tend to have bugs. Those bugs can be exploitable. And even lacking bugs, there could be, say,\u202fgaps or\u202fvulnerabilities in your token issuing system such that perhaps the tokens cannot be properly scoped. 
The tokens could also tend to be too long-lived, or difficult to be made fine-grained enough, or lack the capacity to allow for flowing user context from the request to the authorization system. Many such deficiencies are possible.\u202f<\/p>\n<p class=\"wp-block-paragraph\">Even with\u202fa good quality\u202ftoken issuing system, you can easily find yourself in a situation where the tokens that\u202fyou\u2019re\u202fcreating are too fungible,\u202for too powerful,\u202for both. Thinking back to the assets\u202fyou\u2019re\u202ftrying to protect and the applications that you have, you can\u202flikely categorize\u202fsome of the applications as having more\u202f\u201cpower,\u201d\u202fif you will, than others. Sometimes we call these \u201chighly privileged applications\u201d\u202fbecause they have the capability to do something that is especially of interest to cyberattackers, like reading a lot of data, changing configuration, or anything like that.\u202f<\/p>\n<p class=\"wp-block-paragraph\">To best manage the privileges associated with these applications, it needs to be the case that the kinds of tokens that they use are as limited as possible. So,\u202fa particular token might authorize\u202fa\u202fcapability\u202ffor a certain customer, on behalf of a certain user, for a certain\u202fset\u202fof data\u2014and nothing more than that. When privileges are very generic, like \u201cI can do this operation for anyone, anywhere,\u201d things become much more dangerous. So, here the idea is to make sure that the tokens that\u202fyou\u2019re\u202fgetting are\u202fvery specific\u202fto the intent that you have and that only\u202fthe applications that need those tokens can get them, and, again, the tokens are as limited as possible. 
This goes a long way in reducing the possible damage that a cyberattacker could do if they found such a token errantly stored somewhere.<\/p>\n<p class=\"wp-block-paragraph\">A lot of the things we think about when we\u2019re working with tokens and trying to limit them fall into the category of limiting what a cyberattacker can do if they get a foothold somewhere. This is the <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/security-101\/what-is-zero-trust-architecture\" target=\"_blank\" rel=\"noreferrer noopener\">Zero Trust<\/a> model, where you assume breach everywhere.<\/p>\n<p class=\"wp-block-paragraph\">Additionally, it\u2019s essential to validate tokens with standard, well-maintained libraries rather than hand-written parsing, so that every property and limitation of the token (signature, algorithm, issuer, audience, expiry, and scope) is certain to be checked and honored.<\/p>\n<p class=\"wp-block-paragraph\">Learn about <a href=\"https:\/\/learn.microsoft.com\/security\/zero-trust\/sfi\/phishing-resistant-mfa\" target=\"_blank\" rel=\"noreferrer noopener\">phishing-resistant multifactor authentication<\/a> from the Microsoft Secure Future Initiative (SFI).<\/p>\n<h2 class=\"wp-block-heading\" id=\"4-good-quality-authorization\">4. Good quality authorization<\/h2>\n<p class=\"wp-block-paragraph\">Good quality tokens are not going to help you if they\u2019re enforced poorly (or not at all). Bugs creep into code, and ad hoc authorization code can render the good authentication that you\u2019ve done moot.<\/p>\n<p class=\"wp-block-paragraph\">Any time you can use declarative patterns that verify tokens against the incoming API and the data that the client is attempting to access with that API, you\u2019ll find yourself in a better place. 
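<\/p>\n<p class=\"wp-block-paragraph\">As an added example, not code from the original post or from Microsoft, the Python below ties sections 3 and 4 together: a test-only token issuer standing in for a real issuer such as Microsoft Entra, a validation routine that performs the checks a standard token library performs (algorithm allowlist, signature, issuer, audience, expiry, required claims), and a declarative route-to-scope policy table that also binds every call to one tenant. The issuer URL, audience, signing key, claim names, routes and tenant names are assumptions made for the illustration.<\/p>\n

```python
# Added example, not code from the original post or from Microsoft: a test-only
# token issuer, library-style validation, and a declarative route-to-scope policy.
import base64
import hashlib
import hmac
import json
import time

ISSUER = 'https://issuer.example'    # assumed issuer URL
AUDIENCE = 'orders-api'              # assumed audience, i.e. this service
KEY = b'demo-only-shared-secret'     # constructed; real issuers publish asymmetric keys

# Declarative policy: (method, route) -> scope the token must carry.
POLICY = {
    ('GET', '/orders'): 'orders.read',
    ('POST', '/orders'): 'orders.write',
    ('GET', '/admin/config'): 'config.read',
}

class TokenError(Exception):
    pass

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + '=' * (-len(text) % 4))

def mint(claims, key=KEY, alg='HS256'):
    # Stand-in for a real issuer such as Entra; used only to build test tokens.
    header = _b64url(json.dumps({'alg': alg, 'typ': 'JWT'}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f'{header}.{body}'.encode(), hashlib.sha256).digest()
    return f'{header}.{body}.{_b64url(sig)}'

def validate(token, now=None):
    # The checks a standard library applies; skipping any one of them is a bug.
    now = time.time() if now is None else now
    parts = token.split('.')
    if len(parts) != 3:
        raise TokenError('malformed token')
    h, b, s = parts
    if json.loads(_unb64url(h)).get('alg') != 'HS256':   # allowlist; never trust the header
        raise TokenError('unsupported alg')
    expected = hmac.new(KEY, f'{h}.{b}'.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise TokenError('bad signature')
    claims = json.loads(_unb64url(b))
    if claims.get('iss') != ISSUER or claims.get('aud') != AUDIENCE:
        raise TokenError('wrong issuer or audience')
    if now >= claims.get('exp', 0):
        raise TokenError('expired')
    for name in ('sub', 'tenant', 'scope'):
        if name not in claims:
            raise TokenError(f'missing claim {name}')
    return claims

def authorize(token, method, route, tenant, now=None):
    # Authentication first, then the table; a route with no policy line is denied.
    claims = validate(token, now)
    needed = POLICY.get((method, route))
    if needed is None:
        raise TokenError('no policy for route')
    if needed not in claims['scope'].split():
        raise TokenError(f'scope {needed} not granted')
    if claims['tenant'] == '*':
        raise TokenError('wildcard tenant tokens are refused')   # too fungible
    if claims['tenant'] != tenant:
        raise TokenError('token bound to another tenant')
    return claims

def demo(now=1700000000):
    # Constructed tokens: one narrow token and three that a review should catch.
    base = {'iss': ISSUER, 'aud': AUDIENCE, 'sub': 'user-17', 'exp': now + 300}
    narrow = mint({**base, 'tenant': 'contoso', 'scope': 'orders.read'})
    broad = mint({**base, 'tenant': '*', 'scope': 'orders.read orders.write config.read'})
    stale = mint({**base, 'tenant': 'contoso', 'scope': 'orders.read', 'exp': now - 1})
    none_alg = mint({**base, 'tenant': 'contoso', 'scope': 'orders.read'}, alg='none')
    cases = [
        ('narrow_ok', narrow, 'GET', '/orders', 'contoso'),
        ('narrow_cross_tenant', narrow, 'GET', '/orders', 'fabrikam'),
        ('narrow_wrong_scope', narrow, 'POST', '/orders', 'contoso'),
        ('broad_refused', broad, 'GET', '/orders', 'contoso'),
        ('stale', stale, 'GET', '/orders', 'contoso'),
        ('alg_none', none_alg, 'GET', '/orders', 'contoso'),
    ]
    results = {}
    for name, tok, method, route, tenant in cases:
        try:
            authorize(tok, method, route, tenant, now)
            results[name] = 'allow'
        except TokenError as err:
            results[name] = f'deny: {err}'
    return results

if __name__ == '__main__':
    for name, outcome in demo().items():
        print(name, outcome)
```

<p class=\"wp-block-paragraph\">Run it directly to print the six outcomes: the narrowly scoped token is accepted, and the cross-tenant, under-scoped, wildcard-tenant, expired and alg-none cases are each refused with a distinct reason. The value of the table is that adding a route means adding one policy line rather than new authorization code, and the tenant and wildcard checks run identically for every route. In production the validation step is the job of a vetted library; it is spelled out here only to show what such a library must check.<\/p>\n<p class=\"wp-block-paragraph\">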
Simple, consistent authorization yields fewer bugs and therefore less risk.<\/p>\n<h2 class=\"wp-block-heading\" id=\"5-network-isolation\">5. Network isolation<\/h2>\n<p class=\"wp-block-paragraph\">In addition to having good quality tokens, it\u2019s important to isolate the pieces of your environment to the maximum extent possible. Again, this is done because it\u2019s prudent to assume that a cyberattacker has a foothold somewhere in your network. The questions are \u201cwhere exactly can that foothold be?\u201d and \u201conce they have that foothold, where in my network can they get to?\u201d If a threat actor can reach any part of your system from any other part of your system, that is clearly worse than if your most sensitive systems can be accessed from exactly one or two key places and nowhere else. When properly controlled, most footholds become useless to a cyberattacker, or at best only indirectly useful.<\/p>\n<p class=\"wp-block-paragraph\">Use <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/virtual-network\/service-tags-overview\" target=\"_blank\" rel=\"noreferrer noopener\">service tags<\/a> to create boundaries around your various assets such that applications are used by exactly those systems that are supposed to be using them and data is accessed by exactly those applications that are supposed to be accessing the data. This goes a long way to take many cyberthreats off the table.<\/p>\n<p class=\"wp-block-paragraph\">Network isolation can happen at several layers of the network stack. Commonly, layer 7 is used at the perimeter. This might manifest as some kind of HTTP proxy, for example, or an HTTP routing gateway. However, protection is incomplete without additional work at layers 3 and 4 within your network, filtering by address and port. 
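<\/p>\n<p class=\"wp-block-paragraph\">The added example below, which is not from the original post or from Azure documentation, models that layered check in Python: a priority-ordered allow or deny rule evaluator in the style of network security groups, with a permissive rule set that mirrors the default rule allowing any host inside the virtual network to reach any other, beside a tightened set in which each tier admits only its intended callers. The address ranges, tier tags, ports and probe targets are constructed for the illustration, and reachable_from answers the question above for a given foothold.<\/p>\n

```python
# Added example, not from the original post or from Azure: a small evaluator for
# priority-ordered allow/deny rules in the style of network security groups,
# used to ask what a foothold can reach. Ranges, tags and rules are constructed.
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network('10.0.0.0/16')

# Assumed tiers of the estate; a tag is a named set of prefixes.
TAGS = {
    'VirtualNetwork': [VNET],
    'WebTier': [ipaddress.ip_network('10.0.1.0/24')],
    'AppTier': [ipaddress.ip_network('10.0.2.0/24')],
    'DbTier': [ipaddress.ip_network('10.0.3.0/24')],
}

def matches(tag, addr):
    ip = ipaddress.ip_address(addr)
    if tag == 'Internet':            # anything outside the VNet
        return ip not in VNET
    return any(ip in net for net in TAGS[tag])

@dataclass
class Rule:
    priority: int   # lower number wins, as in an NSG
    src: str        # tag name
    dst: str        # tag name
    port: int       # destination port, 0 = any
    action: str     # Allow or Deny

def evaluate(rules, src_ip, dst_ip, port):
    # First matching rule by priority decides; no match means deny.
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule.src, src_ip) and matches(rule.dst, dst_ip) and rule.port in (0, port):
            return rule.action
    return 'Deny'

# Weak baseline: only the perimeter is filtered, and the default
# AllowVnetInBound rule lets any host inside the VNet reach any other.
PERMISSIVE = [
    Rule(100, 'Internet', 'WebTier', 443, 'Allow'),
    Rule(65000, 'VirtualNetwork', 'VirtualNetwork', 0, 'Allow'),
]

# Tightened: each tier admits exactly the callers that need it, and an
# explicit deny sits above the permissive default.
TIGHT = [
    Rule(100, 'Internet', 'WebTier', 443, 'Allow'),
    Rule(110, 'WebTier', 'AppTier', 8443, 'Allow'),
    Rule(120, 'AppTier', 'DbTier', 5432, 'Allow'),
    Rule(4000, 'VirtualNetwork', 'VirtualNetwork', 0, 'Deny'),
    Rule(65000, 'VirtualNetwork', 'VirtualNetwork', 0, 'Allow'),
]

# Constructed probe targets: the services a foothold would try to reach.
PROBES = [('AppTier', '10.0.2.10', 8443), ('DbTier', '10.0.3.10', 5432), ('DbTier', '10.0.3.10', 22)]

def reachable_from(rules, foothold_ip):
    # The risk-review question for every foothold: what can it open?
    return {f'{tier}:{port}' for tier, ip, port in PROBES
            if evaluate(rules, foothold_ip, ip, port) == 'Allow'}

if __name__ == '__main__':
    for label, rules in (('permissive', PERMISSIVE), ('tight', TIGHT)):
        print(label, 'web foothold reaches', sorted(reachable_from(rules, '10.0.1.5')))
```

<p class=\"wp-block-paragraph\">With the permissive rules, a foothold on a web host can open the database port directly; with the tightened rules it can reach only the application tier, and a foothold on the application tier can reach only the database port it needs. Note the explicit deny at priority 4000: without it, the permissive default at 65000 would still match anything the specific allows did not.<\/p>\n<p class=\"wp-block-paragraph\">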
You want to limit IP traffic to exactly the places you want it to go. You might use segmentation techniques like virtual LANs and subnets, together with filtering constructs like network security groups (NSGs) in <a href=\"https:\/\/azure.microsoft.com\/en-us\">Microsoft Azure<\/a>. The idea is to limit connectivity to exactly what is necessary to do the job and not give the cyberattacker freedom to move around.<\/p>\n<p class=\"wp-block-paragraph\">With good network isolation comes the ability to log any attempts to gain access at the perimeter, and potentially even internally. Depending on the networking technology you\u2019re using, those logs are great for hunting. We\u2019ll talk about that in the next section.<\/p>\n<p class=\"wp-block-paragraph\">Learn more about <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2025\/10\/07\/new-microsoft-secure-future-initiative-sfi-patterns-and-practices-practical-guides-to-strengthen-security\/\" target=\"_blank\" rel=\"noreferrer noopener\">network isolation and other best practices from SFI<\/a>.<\/p>\n<h2 class=\"wp-block-heading\" id=\"6-detections\">6. Detections<\/h2>\n<p class=\"wp-block-paragraph\">It\u2019s normal to think about monitoring for reliability. Systems need to stay within their operating parameters in the face of changes and external conditions. But it\u2019s also important to think about detection from the perspective of your threat model. If you identify five or ten risks in your threat model that need controls, it\u2019s useful to think about how you would detect whether any of those things is actually happening in your environment.<\/p>\n<p class=\"wp-block-paragraph\">In this context, one place to look is at the perimeter, by examining your incoming HTTP traffic, for instance. 
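<\/p>\n<p class=\"wp-block-paragraph\">The added example below, not code from the original post, runs that kind of perimeter detection over a handful of constructed HTTP access log lines in Python: it flags malformed paths, a single source probing many not-found paths in a short window (fuzzing), and a sliding-window request flood. It also includes the audit-style query the next section describes, listing the tenants whose requests reached a given handler during a given exposure window. The log format, addresses, tenant names, thresholds and endpoint paths are all assumptions.<\/p>\n

```python
# Added example, not from the original post: detection logic run over
# constructed HTTP access log lines, plus the audit-style query that the next
# section describes. Log format, thresholds, addresses and tenants are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

def constructed_log():
    # Format (assumed): time source method path status tenant ('-' = unauthenticated).
    lines = [
        '2026-04-20T10:00:01Z 198.51.100.7 GET /api/orders/1 200 contoso',
        '2026-04-20T10:00:02Z 198.51.100.7 GET /api/orders/export 200 contoso',
        '2026-04-20T10:00:03Z 198.51.100.8 GET /api/orders/export 200 fabrikam',
        '2026-04-20T10:00:05Z 203.0.113.4 GET /admin 404 -',
        '2026-04-20T10:00:06Z 203.0.113.4 GET /wp-login.php 404 -',
        '2026-04-20T10:00:06Z 203.0.113.4 GET /.env 404 -',
        '2026-04-20T10:00:07Z 203.0.113.4 GET /.git/config 404 -',
        '2026-04-20T10:00:08Z 203.0.113.4 GET /phpmyadmin 404 -',
        '2026-04-20T10:00:09Z 203.0.113.4 GET /api/../../etc/passwd 400 -',
        '2026-04-20T10:00:10Z 203.0.113.4 GET /api/orders%00.json 400 -',
        '2026-04-20T10:30:00Z 198.51.100.9 GET /api/orders/export 200 woodgrove',
    ]
    # 25 requests from one address inside ten seconds: constructed flood traffic.
    lines += [f'2026-04-20T10:03:{i % 10:02d}Z 192.0.2.99 GET /api/orders 200 fabrikam' for i in range(25)]
    return lines

def parse(lines):
    events = []
    for line in lines:
        ts, src, method, path, status, tenant = line.split()
        events.append({'ts': datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ'), 'src': src,
                       'method': method, 'path': path, 'status': int(status), 'tenant': tenant})
    return events

def malformed_requests(events):
    # Badly formed paths: traversal, encoded traversal, NUL bytes, no leading slash.
    hits = []
    for e in events:
        p = e['path'].lower()
        if not p.startswith('/') or '../' in p or '%2e%2e' in p or '%00' in p:
            hits.append((e['src'], e['path']))
    return hits

def fuzzing_sources(events, window=timedelta(seconds=60), min_paths=5):
    # One source producing many distinct not-found paths in a short window
    # looks like directory or parameter fuzzing, not a lost user.
    by_src = defaultdict(list)
    for e in events:
        if e['status'] == 404:
            by_src[e['src']].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e['ts'])
        for i, first in enumerate(evs):
            paths = {x['path'] for x in evs[i:] if x['ts'] - first['ts'] <= window}
            if len(paths) >= min_paths:
                flagged[src] = len(paths)
                break
    return flagged

def flood_sources(events, window=timedelta(seconds=10), max_requests=20):
    # Sliding-window request count per source: crude but effective DDoS evidence.
    by_src = defaultdict(list)
    for e in events:
        by_src[e['src']].append(e['ts'])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):
            while t - times[j] > window:
                j += 1
            if i - j + 1 > max_requests:
                flagged[src] = i - j + 1
                break
    return flagged

def affected_tenants(events, path_prefix, start, end):
    # Auditing rather than detection: given a vulnerable handler and the window in
    # which it was exposed, list every tenant whose requests reached it.
    return sorted({e['tenant'] for e in events
                   if e['path'].startswith(path_prefix) and start <= e['ts'] <= end and e['tenant'] != '-'})

def demo():
    events = parse(constructed_log())
    return {
        'malformed': malformed_requests(events),
        'fuzzing': fuzzing_sources(events),
        'flood': flood_sources(events),
        'exposed_tenants': affected_tenants(events, '/api/orders/export',
                                            datetime(2026, 4, 20, 10, 0), datetime(2026, 4, 20, 10, 5)),
    }

if __name__ == '__main__':
    for key, value in demo().items():
        print(key, value)
```

<p class=\"wp-block-paragraph\">Thresholds are the part to tune against your own baseline; the shape of the detectors (per-source grouping, a time window, a count of distinct paths or requests) is what matters. Keeping the tenant in every access record is what makes the last query possible after the fact, which is the auditing point in the next section.<\/p>\n<p class=\"wp-block-paragraph\">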
But you can also look anywhere in your environment where you predict that attacks might happen. You might look for badly formatted requests, or fuzzing, or evidence of a DDoS attack, whatever is appropriate to the risks you have. The idea is that you want to be able to raise alerts when you have evidence of a threat actor operating in your estate.<\/p>\n<p class=\"wp-block-paragraph\">And, of course, security products can be very helpful here.<\/p>\n<h2 class=\"wp-block-heading\" id=\"7-auditing\">7. Auditing<\/h2>\n<p class=\"wp-block-paragraph\">We separate the notion of auditing from that of detection. Specifically, auditing is what I will call the data you would use after a breach to determine the extent of the breach and the customers that were affected by it. If you find a vulnerability without any evidence of threat actor exploitation, you\u2019d want to go back to your audit data to verify that claim. That way you have evidence that the problem you found was not in fact exploited. If it was exploited, you\u2019ll know to what extent, who was affected, and who needs to be notified.<\/p>\n<p class=\"wp-block-paragraph\">Some parts of your <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/security-101\/what-is-edr-endpoint-detection-response\" target=\"_blank\" rel=\"noreferrer noopener\">endpoint detection and response (EDR)<\/a> stream will be very useful for auditing. Additional auditing information can come from the logs you create in your applications that record suitable information concerning recent activity.<\/p>\n<h2 class=\"wp-block-heading\" id=\"8-things-not-to-miss\">8. Things not to miss<\/h2>\n<p class=\"wp-block-paragraph\">It\u2019s important to think about all the applications and data that you have in your estate. 
For instance, it\u2019s easy to overlook the backup data that you have stored. A cyberattacker might not be able to get access to your primary systems but might find that your backups are entirely unprotected and can simply be read.<\/p>\n<p class=\"wp-block-paragraph\">Similarly, support systems often go overlooked. There are frequently important <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/10\/15\/the-importance-of-hardening-customer-support-tools-against-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">customer support scenarios<\/a> that require access, and it\u2019s easy to fall into the trap of not giving those systems the highest level of scrutiny.<\/p>\n<p class=\"wp-block-paragraph\">Systems under development and test systems belong in this problematic set as well. In both cases, the code running those systems is less trustworthy than normal production code. Development code, for instance, can be presumed to have more bugs than production code. Some of those bugs might be authorization bugs, and buggy authorization code might provide access to important assets. 
Therefore, your plans should include even greater scrutiny when it comes to these kinds of systems.<\/p>\n<p class=\"wp-block-paragraph\">Explore <a href=\"https:\/\/www.microsoft.com\/trust-center\/security\/secure-future-initiative\/patterns-and-practices\" target=\"_blank\" rel=\"noreferrer noopener\">actionable patterns and practices from SFI<\/a>.<\/p>\n<h2 class=\"wp-block-heading\" id=\"in-summary\">In summary<\/h2>\n<p class=\"wp-block-paragraph\">If you\u2019ve gotten as far as identifying all of your assets and all your applications, and then thinking about the access patterns and controls that you have between them, including authentication, authorization, network isolation, and the use of bug-resistant patterns, you\u2019re in a pretty good place to write a risk summary that can guide your actions for many months. And we haven\u2019t even touched on basic things like vulnerability management, security bug management, and the usual software lifecycle practices that are necessary to keep the system in good health. Combine all of the above and you should have a solid risk plan.<\/p>\n<p class=\"wp-block-paragraph\">To learn more about Microsoft Security solutions, visit our <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\" target=\"_blank\" rel=\"noreferrer noopener\">website<\/a>. Bookmark the <a href=\"https:\/\/www.microsoft.com\/security\/blog\/\" target=\"_blank\" rel=\"noreferrer noopener\">Security blog<\/a> to keep up with our expert coverage on security matters. 
Also, follow us on LinkedIn (<a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-security\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Security<\/a>) and&nbsp;X&nbsp;(<a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noreferrer noopener\">@MSFTSecurity<\/a>)\u202ffor the latest news and updates on cybersecurity.&nbsp;<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n<p class=\"wp-block-paragraph\"><sup>1<\/sup><a href=\"https:\/\/www.microsoft.com\/security\/blog\/2025\/04\/16\/cyber-signals-issue-9-ai-powered-deception-emerging-fraud-threats-and-countermeasures\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Cyber Signals Issue 9<\/a>.&nbsp;<\/p>\n<p class=\"wp-block-paragraph\"><sup>2<\/sup><a href=\"https:\/\/www.microsoft.com\/security\/security-insider\/threat-landscape\/microsoft-digital-defense-report-2024\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Digital Defense Report 2024<\/a>.<\/p>\n<p>READ MORE <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/04\/29\/8-best-practices-for-cisos-conducting-risk-reviews\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Embracing strong proactive security is something we can all do to mitigate our increased exposure to security threats.<br \/>\nThe post 8 best practices for CISOs conducting risk reviews appeared first on Microsoft Security Blog. 
READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":60561,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[],"class_list":["post-60560","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-secure"]}
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60560","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=60560"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60560\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/60561"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=60560"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=60560"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=60560"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}