According to a Threat Track Security survey, companies that employ a CISO are significantly more aware of security threats and more confident about their ability to defend against attacks. How much does having an actual CISO title in place matter versus someone who manages those duties with a title like information security director or manager? What internal benefits does the CISO title carry?
By definition, the CISO is a C-level position. Therefore, a CISO should have greater visibility and accessibility to executive-level management. The CISO is responsible for aligning security initiatives with enterprise programs and business objectives, ensuring that information assets and technologies are adequately protected. Executive management support, however, should not be expected simply because of the CISO title; it is the responsibility of the CISO to generate and maintain that executive support.
According to the Threat Track survey referenced, 94% of security professionals say they are optimistic about their ability to prevent security breaches and that it will improve in 2015. This optimism is at least partly rooted in plans to invest in new cybersecurity technologies. This may very well be true and could potentially help in winning executive management support. However, experience shows that position alone is not sufficient. The CISO needs to earn the trust of, and a working relationship with, executive management. This can be accomplished with three objectives.
First, the CISO needs to establish recurring C-level communications with executive management. This could include a state of security monthly report providing a summary of incidents, attacks and protection methods in key channels -- external Web infrastructure, network, critical internal legacy applications, and internal logon experiences such as logon violations and privileged account activities. The key is to inform and educate executive management so when a breach does occur, they know the security program can manage the incident pragmatically. Without this first objective, a breach could be interpreted by executive management as more severe than it should be and possibly at the expense of the CISO.
The second objective is to align security initiatives with enterprise programs and business objectives, ensuring information assets and technologies are adequately protected. This implies that security initiatives are based on the business's strategic management, residual risk and total cost of ownership (TCO). These should be the foundation for protection -- do not over-control. Make sure these security initiatives are included in the state-of-security monthly report.
The third objective is to use a proven information security framework, which is basically a blueprint for building an information security program to manage risk and reduce vulnerabilities. A framework needs to be customized to the enterprise, taking into consideration the business model, compliance obligations and IT infrastructure. There are many to choose from, such as ISO 27001, COBIT and NIST SP 800-53. Security frameworks also ensure the security program has vetted all generally accepted information security principles and has retrofitted them to the enterprise.
The CISO title does matter as long as the CISO earns management support with recurring communication, aligns security initiatives to business objectives and uses a proven security framework retrofitted to the enterprise. Can an information security director or manager accomplish the same without the title? Of course, but with the title it would be less of a Sisyphean struggle.