Lessons learned during a breach (directly from a CISO that experienced a breach):
1. Don't deploy technology without business context. Technology on a network with no business context will only indict you in a breach.
2. Drive your program from external industry experts 1/
Risk is not a security responsibility. Don't accept the risk yourself. Evaluate and translate risk for the business and let org leadership accept risk. We can eliminate risk - "I can secure my company out of business in less than 15 minutes." 2/
3. Before a breach, I only had to keep the CIO happy. Post-breach, I have HR, legal, risk, business operations, etc. before IT. Business sometimes has more costs associated. "You're doing this on a spreadsheet. I can't secure a spreadsheet. I CAN secure a replacement system." 3/
4. People skills matter a LOT. Learn how to integrate with the people who must accept the risk. Integration works. Throwing yourself against a process wall does not.
5. It's all about priorities and focus. We were looking at point security solutions vs. overall enterprise. 4/
6. Before a breach, we were just focused on our out-of-date IR plan document. Post-breach, our entire IR process is built into our ticketing system. Automate that process because things will be missed otherwise. 5/
7. During an incident, everyone has good intentions. Most of those intentions are wrong. Tabletops help you make those mistakes (minus the impact) before a real incident occurs.
8. Work with the org. "If you're a stone, the stream will go around you." 6/
9. If you're trying to influence management, don't just bring problems. Bring a solution. Also, do a "what if" analysis and articulate what happens if we just maintain the status quo.
10. Don't be a gatekeeper to the risk register. Let anyone add items, then understand why. /FIN
Subscribe to Jake Williams