CNBC ran an interesting article this weekend examining what cybersecurity professionals do - and more specifically, what the role of a CISO is ... They spoke to the first person to have the title and I'm curious what you all think about the list of responsibilities they came up with.
Article is linked above or here: https://www.cnbc.com/2018/07/20/what-is-ciso-chief-information-security-officer.html
I think there were some very interesting ideas regarding reporting structure discussed in the previous CIO vs CISO thread, but there's a lot to unpack on this topic.
Organizations driven by business may perceive a CISO as an extra cost --- & even a hindrance! --- so they often want to ensure that the costs of employing one are justified by the potential losses due to IT Security breaches, non-compliance with regulations, etc.
Starting from the lowest to higher levels of IT Security in an organization, you may have one of the following scenarios: -
To answer the question, in addition to being able to assess, improvise, & manage Information Security in an organization, the CISO should be adept at interacting with top management to show them that IT Security is properly aligned with the organization's business objectives.
In my view the CISO role can vary widely depending on the size and IT Security maturity of an organization. In short, the CISO is the bridge between the CIO (IT) and the management team (CEO, COO, etc.). They should be able to coordinate security activities that are happening in the agency, determine security shortfalls in the agency, develop plans to address those based on staff and budget, and evaluate the current security posture. Once the evaluation is done they should be able to develop plans to improve the security posture to an acceptable level. In smaller organizations the CISO may have to be more hands-on for periods of time. In larger organizations they may manage a team. They should also be able to speak the language of business and understand that not every security shortfall may be able to be addressed due to shortages in staffing or budget, and be able to suggest alternatives or help management prioritize the activities that can be done.
Here is an interesting discussion and podcast: https://securityintelligence.com/media/the-state-of-the-ciso-and-the-board-a-panel-of-security-leade...
The job is definitely evolving at a pace.
This discussion could go on for many moons, on this subject.
@Caute_cautim Nice articles. Thanks for sharing.
I think it was summed up nicely at the bottom of the second article. Highlights in red are my emphasis.
Before delivering the message, CISOs must consider how it will be received and what would be the logical next steps for someone who just read or heard it. The purpose of the message and any call to action should be clear — and so should be the reason for the message, its timing and its context.
The articulate leader will prove their value to his or her organization with his or her ability to provide insights on cyber issues, advise the business leadership on appropriate courses of action and execute tactics to keep cyber risks under control. In doing so, the CISO will have demonstrated his or her ability to be true cyber risk partners to the business.
Citation: Article: How to Become an Articulate Leader and CISO in Five Steps, https://securityintelligence.com/how-to-become-an-articulate-leader-and-ciso-in-five-steps/ , July 31, 2018 | By Christophe Veltsos