What is a CISO? What are they Responsible for?

The CISO has a set of roles and responsibilities that define accountability to the governing body of an organization. They are as follows:

● Manage IT assets

● Have an independent party review the implementation of controls

● Define the business value of expenses

● Have IT, financial, and business managers monitor cybersecurity

● Trace cybersecurity rules to business rules

● Convene a board to approve changes in security rules

● Monitor application performance throughout the lifecycle, not just in development

● Use standard IT processes that are well documented and reviewed

● Identify business owners for all information systems

● Train and empower the IT employees to be able to perform their duties

These principles will allow a CISO to govern the IT systems to accomplish the business goals of the organization while ensuring the security of the data (Worstell, 2014).

The role of the CIO is to protect the data and information processes; similarly, the CISO uses security controls to protect the data. The CTO is charged with demonstrating return on investment to justify new technology purchases; likewise, the CISO shows the business value gained by implementing security rules that are traced to business rules. The CPO is charged with ensuring the privacy and confidentiality of the data and information of the organization and its customers; working with the CISO to implement controls allows the security processes to mitigate the risk of exposing data to unauthorized users (Dawson, Burrell, Rahim & Brewster, 2010).

The role of the CISO may differ from organization to organization depending on its size, but the need for one is more vital than ever (Raths, 2014). The CISO integrates methods of network and data security into common business practices. In a smaller organization this may be a duty of the IT manager; in a very large organization it may be an entire department, with the CISO as the head of several subordinate CISOs. Most organizations will have one CISO who reports to the governing body along with the other chief officers.

References:

Dawson, M., Burrell, D. N., Rahim, E., & Brewster, S. (2010). Examining the role of the chief information security officer (CISO) & security plan. Journal of Information Systems Technology & Planning, 3(6), 1-5. Retrieved from http://ezproxy.umuc.edu/login?url=http://search.ebscohost.com.ezproxy.umuc.edu/login.aspx?direct=true&db=iih&AN=63283579&site=eds-live&scope=site

Raths, D. (2014). Security leaders sound off. Government Technology, 27(8), 28-32. Retrieved from http://ezproxy.umuc.edu/login?url=http://search.ebscohost.com.ezproxy.umuc.edu/login.aspx?direct=true&db=iih&AN=99943697&site=eds-live&scope=site

Worstell, K. F. (2014). The role of the CISO. In S. Bosworth, M. E. Kabay, & E. Whyne (Eds.), Computer security handbook (6th ed., pp. 65.1-65.20). New York, NY: John Wiley & Sons.
