Kaity
Community Manager

What is a CISO?

CNBC ran an interesting article this weekend examining what cybersecurity professionals do - and more specifically, what the role of a CISO is ... They spoke to the first person to have the title and I'm curious what you all think about the list of responsibilities they came up with.  

 

Article is linked above or here: https://www.cnbc.com/2018/07/20/what-is-ciso-chief-information-security-officer.html

 

I think there were some very interesting ideas regarding reporting structure discussed in the previous CIO vs CISO thread, but there's a lot to unpack on this topic. 

 

 

4 Replies
Shannon
Community Champion

 

Organizations driven by business may perceive a CISO as an extra cost --- & even a hindrance! --- so they often want to ensure that the costs of employing one are justified by the potential losses due to IT Security breaches, non-compliance with regulations, etc.

 

Starting from the lowest to higher levels of IT Security in an organization, you may have one of the following scenarios:

 

  1. The organization invests in an infrastructure that caters to IT functionality, and doesn't bother about IT Security. Responsibilities related to securing systems are assumed by those administering them. With no security solutions or dedicated security staff, don't expect to see a CISO.
  2. The organization procures minimal security solutions to protect its IT infrastructure, but can't afford to have dedicated personnel to administer these, so the regular staff are given the 'honor.' Again, there's no CISO.
  3. The organization has IT Security solutions & dedicated staff to manage them, along with an Information Security Officer to head all this. IT Security reports to the CIO, so there's no need for a CISO.
  4. The organization is compelled by regulations to have a CISO --- but this is just a namesake. The CISO has no say in anything, other than explaining what goes wrong.
  5. The organization has an IT Security department that reports to a CISO --- & the CISO in turn reports to a CIO, so IT Security requirements are circumvented if needed.
  6. The organization has an IT Security department headed by a CISO, who has an equal footing with the CIO --- and reports directly to the organization's top management.

 

To answer the question, in addition to being able to assess, improvise, & manage Information Security in an organization, the CISO should be adept at interacting with top management to show them that IT Security is properly aligned with the organization's business objectives.

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
CISOScott
Community Champion

In my view the CISO role can vary widely depending on the size and IT Security maturity of an organization. In short the CISO is the bridge between the CIO (IT) and the management team (CEO,COO, etc.). They should be able to coordinate security activities that are happening in the agency, determine security shortfalls in the agency, develop plans to address those based on staff and budget and evaluate the current security posture. Once the evaluation is done they should be able to develop plans to improve the security posture to an acceptable level. In smaller organizations the CISO may have to be more hands on for periods of time. In larger organizations they may manage a team. They should also be able to speak the language of business and understand that not every security shortfall may be able to be addressed due to shortages in staffing or budget and be able to suggest alternatives or help management prioritize the activities that can be done.

Caute_cautim
Community Champion

Here is an interesting discussion and podcast:  https://securityintelligence.com/media/the-state-of-the-ciso-and-the-board-a-panel-of-security-leade...

 

The job is definitely evolving at a pace.

 

https://securityintelligence.com/how-to-become-an-articulate-leader-and-ciso-in-five-steps/

 

This discussion could go on for many moons, on this subject.

 

Regards

 

Caute_cautim

CISOScott
Community Champion

@Caute_cautim Nice articles. Thanks for sharing.

I think it was summed up nicely at the bottom of the second article. Highlights in red are my emphasis.

"

Before delivering the message, CISOs must consider how it will be received and what would be the logical next steps for someone who just read or heard it. The purpose of the message and any call to action should be clear — and so should be the reason for the message, its timing and its context.

The articulate leader will prove their value to his or her organization with his or her ability to provide insights on cyber issues, advise the business leadership on appropriate courses of action and execute tactics to keep cyber risks under control. In doing so, the CISO will have demonstrated his or her ability to be true cyber risk partners to the business.

"

Citation: Article: How to Become an Articulate Leader and CISO in Five Steps, https://securityintelligence.com/how-to-become-an-articulate-leader-and-ciso-in-five-steps/ (July 31, 2018 | By Christophe Veltsos)