A Chief Information Security Officer is the brigadier general of the security force of an organization. While the c-suite normally looks at the financial and overall management of an organization, it is up to the CISO to bring in the security aspect, keeping the organization safe from data breaches that could result in financial loss and reputational damage.
In the year 1994, a Russian hacker, Vladimir Levin, targeted Citigroup with a series of cyber-attacks. To cope with the situation, the bank formed the first cybersecurity team and hired Steve Katz as the CISO. According to Katz, the CISO plays an important role in interpreting the headlines and understanding the requirements of the security plan.
Today, when we talk about business, information security has become an integral part of the management policy. From government data breaches to bank account password hacks, cybersecurity has become the need of the business, so we turn to our management for guidance and specifically a CISO.
The Role of ‘S’ in CISO
While being a CISO is a fascinating job, it’s a difficult one too. Persistent data breaches have personified the job role of CISO, not concentrating on the possibility of the attack but rather on ‘when’ the attack will occur.
In the wake of a data breach, it is often the CISO who is held accountable for the mishap. In fact, according to a 2017 survey, 21% of IT security professionals would hold the CISO accountable in the event of a data breach.
Following the Equifax breach, former CEO Richard F. Smith apologized for not able to stand with the expected security standards, stating that “the human error was the individual who is responsible for communicating in the organization to apply the patch, did not.” The chief of security stepped down from her post after severe criticism ensued from various sources.
CISOs are often held responsible:
- When the security team fails to respond or detect the breach properly
- When the necessary data security technology is not within the reach or out of date
- The glitch of security operations team in maintaining poor systems and monitoring
- Non-human breaches are the ultimate responsibility of the CISO
For example, when someone from the security information department failed to upgrade patches or has not performed basic maintenance, then the CISO is the one blamed.
As a C-level executive, they hold the important responsibility of contributing to the company’s IT security posture in a meaningful way, enhancing the organization’s brand. It is their sole responsibility to protect the organizations’ crown jewels and detering data breaches, by analyzing and implementing various security requirements and making certain that security policies are followed at all levels of the organization.
What does a CISO do?
The security system requires a lot of money and human resources to execute and implement security policies. A good team under the CISO’s governance will ensure the functioning of cybersecurity up to defined standards. Higher officials may not vision a clear picture of the issues and possibilities of threats, this is where the ‘S’ in the CISO’s title makes all the difference in the job role.
CISOs represent and oversee a team of security professionals working for an organization. Their responsibilities vary by industry, size, and the regulations applicable. The role of a CISO is based on public research, academic resources, explicit interviews with security professionals, and job roles mentioned in job postings, specifically among the following five domains:
Governance
The first and foremost role is to define, implement, manage and maintain an information security program in alignment with the organizational goals and legal implications. The CISO should analyze the external laws, standards, regulations, and various provisions of the law that affect organizational security. They should be familiar with the ISO and Federal standards, regulatory information security organizations, appropriate industry groups, forums, and stakeholders. They should ensure that security management structure and security framework are in compliance with the auditing and certification programs.
Security Risk Management, Controls, and Audit Management
A CISO is responsible for sharing the progress on the development and control of information systems with the stakeholders. They should understand the risk tolerance level and must identify and select the resources required to implement and maintain information system controls effectively. Being involved with security management, CISOs represent the entire audit process and therefore, should be familiar with IT audit standards.
Security Program Management and Operations:
CISOs are not individual members working on the security systems. In fact, they lead a team of information security professionals who work in the direction of the CISO. They identify, negotiate, acquire, and manage the required resources for successful design and implementation of the information systems program in alignment with the organizational objectives. They also acquire, manage, develop and lead information security project team based on the budget allocated.
Information Security Core Concepts:
This job role of CISO surrounds various tasks like identifying, understanding, developing, implementing, and managing security access control devices, strategies, and systems.
CISOs are also required to develop the best practices to combat social engineering, phishing, or identity theft attacks, backup and recovery solutions in coordination with the business continuity plan, create software assurance program in all the phases of software development lifecycle, and identify potential security violations and comply with incident reporting requirements.
By assessing threats and vulnerabilities, the CISO can develop a strong incident management program, among their various other duties.
Finance:
CISOs prepare the budget for security systems, monitor, and oversee the cost management of security projects, allocate financial resources, and identify the procurement concepts such as a statement of objectives, statement of work, and total cost of ownership.
Are You Ready to Become a CISO?
EC-Council’s Certified Chief Information Security Officer (C|CISO) program is aimed at producing top-level information security executives, focusing on the five domains mentioned above to bring together all the components required for a C-Level position. These five domains were mapped in alignment to the NICE Cybersecurity Workforce Framework (NCWF), with the aspiring CISO in mind, focusing on the most critical aspects of an information security program.