Specifically, it is the task of the chief information security officer (CISO) to apply the power and influence of their position to effectively control the protection program.
The major role of the CISO is in defining the organizational governance architecture for security and implementing an effective control scheme over the organizational perspectives and business processes that implement that architecture. An indirect effect of this activity produces the control architecture, technical security architecture, protection processes, protection mechanisms, and content and its business utility; however, the CISO rarely has direct control over any of these things. The role of the CISO also extends to direct responsibility over business and people life cycle issues.
- Governance architecture: Typically, the governance structure of the security function is reflective of the overall governance structure of the enterprise.
- Structure: The CISO should have links into all of the relevant governance functions within all business units and at the enterprise level into cross-cutting functions that apply to many or all business units. These links should allow influence and feedback associated with the different aspects of the protection function.
- Influence: The CISO must understand how to apply influence and have the power and mandate required to exert that influence as appropriate; however, this influence is almost always applied in a gentle manner using reasoning and liking before force and acting on behalf of the executive committee to implement the duties to
- Feedback: The positional power of the CISO must grant the ability to examine almost any information at the enterprise from a standpoint of understanding protection effectiveness. This must include access to audit reports and the capacity to influence audits, access to protection settings down to the smallest detail, access to evidence of various sorts, and access to people and their ability to understand and report on events. This is more often a people feedback mechanism than a technical feedback mechanism at the CISO's level.
- Organizational perspectives and business processes: The CISO typically cuts across many different business perspectives. These include but are not limited to:
  - Management: Protection management deals with the management structure of organizations and how they control their operations. The basic concept is that an organization is like a truck, and the management steers it. If the truck is out of control, it will crash. If it is in control, it will be highly competitive in delivering results.
  - Policy: Policy is a governance issue. Properly defined policies identify organizational values and associate responsibility with assuring that those values are attained and retained. Policy normally provides the means for decision making and power, provides an authorized means of appealing decisions, and identifies other governance issues and bodies tasked with making day-to-day operational decisions.
  - Standards: Standards are commonly used to identify specific requirements associated with specific circumstances. They provide the means by which economies of scale may be attained in the reuse of well-developed and previously understood results. Standards also commonly provide easy interoperability.
  - Procedures: Procedures are the instantiation of standards in specific, realizable terms.
  - Documentation: Documentation is used to support policy, standards, procedures, and all other aspects of
  - Audit: Audit is the means by which management gets necessary feedback about the effectiveness of controls. For this reason, internal audit is normally a top-level management function, and external audit is normally performed at the ongoing request of top management as an independent verification that internal audit is doing the job properly.
  - Testing: Testing is the means by which asserted behavior is verified.
  - Technical Safeguards: Technical safeguards provide automated means by which protection is effected.
  - Personnel: Personnel carry out the protection activities. Given proper guidance, knowledge, and controls, people doing their jobs properly will result in effective protection.
  - Incident Handling: When incidents occur, if they are detected, the organization's response results in the reassertion of control that was partially lost during the incident. A better response capability provides the means for regaining control more quickly and with less damage along the way.
  - Legal: Generally, legal requirements include laws, regulations, and liability issues and can have criminal and civil implications toward individuals and organizations.
  - Physical: There is no effective protection without physical protection. Physical protection generally involves preventing or mitigating the effects of physical events that disrupt normal operations of information systems.
  - Awareness: People are far more effective in playing their part in information protection when they are kept aware of what their part is. Awareness programs are used to provide assurance that awareness is kept up-to-date.
  - Knowledge: For individuals with substantial responsibility for both carrying out and helping to define protection in an organization, education is needed in order to provide them with the deep knowledge required to make proper decisions. For people with specific responsibilities for information protection, training in the proper way to carry out their duties is important to success.
  - Organization: Organizational structure and culture create an atmosphere that can be more or less conducive to effective information protection.
- Business life cycles: Business life cycles include critical elements of due diligence that are under the purview of the CISO, and the CISO must typically be involved in all major changes to business structure, including but not limited to mergers, breakups, going public or private, large-scale terminations, and restructuring.
- People life cycles: The CISO is typically strongly involved in the definition of people life cycles and heavily involved when large-scale personnel changes are underway.
The CISO, or the equivalent business executive who is tasked with governing the enterprise security process, is an executive-level individual with great responsibility, regularly reporting to the CEO and the board of directors, and intimately involved with and understanding the issues underlying large-scale business decisions. As such, this individual is a key member of the enterprise executive management team.
For more details and in-depth coverage of these issues, buy the Governance Guidebook.
This was first published in January 2006