dcontesti
Community Champion

General Counsel Should Lead Security Management and Risk

I have read many articles on the appropriate placement of Information Security over the years. There are many thoughts on it: some say the CFO, some say the CIO, others the Board. This is a new approach, and I wonder what others think of this one.


This is a synopsis:


https://www.todaysgeneralcounsel.com/gc-should-lead-security-management-and-risk/


You can link to the full article but a little difficult to read:


https://issuu.com/todaysgc/docs/todaysgeneralcounsel_spring2020/24


I agree with an alignment but am not convinced Legal should lead...


Thoughts?


d


2 Replies
CISOScott
Community Champion

Definitely not under the CIO. Under legal? Hmmmmm... Maybe you would have some more pull with the threat of legal action. I could see it being OK under legal, unless you got stuck in legal purgatory every time you proposed a change, or it took 6 weeks to ratify a Rules of Engagement (ROE) (yes, that happened to me), so maybe it isn't the best. I have seen a Risk Manager placed under legal so they could help quantify risks and the legal exposure of risks, but not the CISO or ISSO roles.


I like the CISO being their own C level position.

Caute_cautim
Community Champion

The CISO should be their own C level; they take risks, they understand them, and they are expected to be an excellent communicator, capable of translating technical jargon into business speak, with a calm mind whilst everyone else pulls their own out.


Regards


Caute_cautim