What is the role of the CISO?
- Security Policy
- Business Enablement
- Compliance
- Protect Information Assets -
- Protect Corporate Secrets
Challenges of the CISO
- Budget
- Value Definition
- Control of Resources
- Technical Nature of Position
- Interact with C Suite,Board of Directors
Criteria for deciding where to place the CISO
- OrganizationalMaturity
- BusinessDomain
- SkillAlignment
Criteria:
Organizational Maturity
- How experienced is the organization in dealing with the types of risk that threaten lines of business?
- Does it build operational resilience to disasters, disruptions, have contingency plans to recover?
- Does it practice responding?
Criteria: Business Domain
- Nature of external environment
- Highly regulated?
- Market segment
- Security?
- Operational threats?
- Highly technical?
Criteria:
Skill Alignment
- Info Security skillsets relative to rest of organization
- Where does risk management responsibility lie?
- Appropriate balance between technical and business acumen
Less Mature organizations require more effort and focus by CISO
WHO DO THEY REPOT TO?
Prefer CISO reports to COO as extension of Operational Arm of organization
More mature organizations can rely on embedded personnel and resources more often
WHO DOES THE CISO REPROT TO?
CISO reporting to CIO or CFO is more common here (they own the risk), though less effective in ability to force change
Three factors THAT influence BUSINESS criterion ?
- Regulatory Environment
- Threat Environment
- Technical Environment
What is the threat to your organization?
- Do you have defined threat vectors?
- Is your organization political/activist in nature?
- Do you store/process valuable data?
report to CEO/COO for high threat environments
How is the CISO role similar to the CTO or CIO?
- Need to centralize technology management
- Need to improve efficiency and efficacy
- Manage risk of complexity
How is the CISO role different from the CTO or CIO?
- As a risk manager, the CISO requires significant business acumen
- Organizational efforts may require influence beyond technology department
- Bring order from chaos across all functional groups
- Must be authorized to initiate/direct emergency actions to respond to security events (especially in high compliance environments)
Three models for a CISO
- Technical IT-Focused CISO(traditional)
• CISO report to IT (CIO or CTO)
• Views security from Technical perspective - Empowered CISO (growing approach)
• CISO report to CEO or CFO
• Views cybersecurity in broader, risk-focused terms - Non-CISO CISO (new security role emerging)
• designated security officer
• regulatory and/or industry requirements
CISO provides guidance and expertise on ?
- Cybersecurity practices, procedures, metrics
- Data and asset classification
- Vigilance and monitoring of cybersecurity activities and trends
- Oversight of auditing and governance practices
- Incident response
- Security policy design
- Security services implementation
- Security training
- Holistic Risk Management and Assessment
Role as CISO : Responsibility?
- protect organizations assets
- Data
- Networks
- Applications • People
- Provide key security services
- Not interfere with ability to conduct business
Do you have the authority you need?
- Do I have the authority to act in an emergency?
- Do I have the authority to manage the cybersecurity suite?
- Do I control my budget?
- Do I select devices/applications used?
- Do I have authority to change and create policy?
- Am I a member of the IT Leadership Team?
- Am I allowed to present cybersecurity issues directly to executive management?
