The CISO(Chief Information Security Officer) is a C-Level position, responsible to align security to business goals and to secure information assets of the company. The C-Level position has changed and evolved so much, we see the ‘CISO’ as a union of CRO,CIO etc. and the sole person responsible for the company’s security.
We have identified 5 major segments of a CISO's Role, namely Understanding the Organization's Business Strategy, Understanding the IT Infrastructure & Building a Security Architecture Optimized for it, Creating Optimal Risk Management & Disaster Recovery Plan, Managing the Insider Threats & Training Programmes and Maintaining all systems with respect to Compliance and Regulations. Each of the CISO Role Segments have been described briefly below along with the major pointers under them.
CISO Role Segments-
- Organization’s Business Strategy
- IT Infrastructure, Security Architecture & Assets
- Optimal Risk management & Disaster Recovery Plan
- Managing Inside Threats (training & awareness)
- Compliance & regulations
( Read More: How To Respond To A Breach During First 24 Hours )
Role1: Organization’s Business Strategy
Understanding the Business Plan & Strategy is key to align security to it. Security should not become a hindrance, if it is necessary it should be discussed to optimize the strategy and find a solution. A CISO should participate in discussions to take the Business point into consideration.
- Partnerships & Acquisitions to enhance the company’s security standing
- Cloud platform Adoption for Productivity Benefit Vs Low Cost
- Integration & Strategy
- Compliance Requirements
- Architecture
- CASB partners & strategy
- SLA
- Policy
- Vendor Risk
- Security Monitoring modes eg. Testing
- BYOD Platform to create a employee friendly environment and minimizing the risks
- Access Controls
- Secure VPNs
- Policies & Guidelines
- Monitoring lost devices & Remote swipe
- Vendor Risk
- ROSI for security strategy to create optimal plan with available budget
- Security Budget
- Highest ROSI
- Security Standing of company
- Vendor Risk Management
- Third Party Apps
- Service Providers
- Public/Private/hybrid Cloud
Role2: IT Infrastructure, Security Architecture & Assets
Understanding the present IT Infrastructure and the greatest assets should enable a CISO to create an optimal security strategy, a chief component of a CISO's role. A well-planned security architecture implementation addresses issues at the root level and can go a long way.
- Application Security eg. WAF, Secure coding etc.
- Encryption Technology Adoption
- Vulnerability management
- Network Security eg. monitoring, packet filtering, segmentation, firewall , IPS & IDS etc.
- Identity & Access Control eg. SSO, 2FA, Role based access etc.
- Cloud Integration
- Disaster recovery
- Compliance & Regulations
- Threat Prevention
- Data Loss Prevention
- Incident Management & Forensics eg. IR plan, Response time, First 24 hours etc.
- Sensitive Data Storage eg. Data discovery, Data classification, policies etc.
- Monitoring eg. Detailed logs, log management etc.
Role3: Optimal Risk management & Disaster Recovery Plan
This segment finds overlap with security architecture, however due to its importance we have mentioned it separately. A CISO's role is often to build and oversee the security architecture from the scratch, post which Risk Management and Disaster Recovery are the major components.
- Risk Management Strategy
- Architecture implementations
- Points of anomaly capture
- Infrastructure support for disaster
- Contact personals- Legal, Audit Advisors etc.
- IR Plan
- Asset priority
- Prevention plans
- Forensic support
Role4: Managing Inside Threats (Training & Awareness)
Controlling the access, data leak and preventing accidental organization risk comes under this category. Raising awareness in all employees & customers handling any sensitive data or using any organization asset is a primary part of it. Training and awareness indirectly helps a CISO carry out his role and responsibility.
- Training & Awareness programs
- Measuring progress in employees & customers
- Test attacks
- Monitoring Policy Violations Or Access Escalations
- Security courses & certifications
- Policy violation penalty
Role5: Compliance & regulations
This is relatively complex but mandatory control in the organization with plenty of regulations and updates making it difficult to keep track. Frameworks to maintain and regulate compliance have been made and make life easier. A CISO's role in the field of compliance can be overwhelming due to new regulations & updates from time to time.
Popular Compliance list-
- PCI DSS
- HIPAA & HITECH
- Sarbanes-Oxley
- FISMA
( Read More: Free Resources For Kickstarting Your IT GRC Program )
References-
.png)
Comments