Role and Importance of the Chief Information Security Officer

Chief Information Security Officer

Abstract

Chief information security officers play a vital role in the well-being of a business. Extensive research has been done to uncover specifically the duties, responsibilities, needed skill-set, and importance of a CISO. In current events, the daily threats a CISO encounters is shown when the possibility of a medical record breach happens and exposes the danger that CISO’s work so hard to maintain. This shows just how vital a chief information security officer is and displays the direct impact they have on the safety of society. Lastly, the characteristics of what makes a successful CISO is explored along with examples of the most successful CISOs today. The information gathered from this research can be helpful for those looking to become a chief information security officer or plan on working under the management of one. After revealing what is takes to be a CISO, one can conclude that their role is highly rewarding however, also very challenging as technology is rapidly growing every day and the need to protect it is in high demand.

Introduction

A CISO which is in full referred to as chief information security officer is a senior level executive in a company who has the responsibility to establish and maintain the corporate programs, visions, and strategies for ensuring technologies and information assets are protected adequately. The role of a Chief Information Security Officer is important in an organization setting in various scenarios, for example, on September 29, there was security breach in a hospital in Gwinnett Georgia (Gwinnett Medical Center), if the CISO in the institution had been doing their job or if they had one, then this would have been avoided or prevented.

The role of a Chief Information Security Officer comes in many job duties from conducting company-wide security training and making sure that everyone and making sure that everyone stays in compliance. This role has you anticipating an attacker’s intent before an outbreak. The Chief Information Security Officer gives staff the directions to identify, develop, implement, and maintain enterprise processes for reducing IT (information and information technology) threats. A Chief Security Officer responds to cyber security cases, set up the fitting controls and standards, supervise and administer security technologies, and also directs the establishing and policies and procedures employment. They are mostly are accountable for information-associated compliances (for example, a Chief Information Security Officer manages the application of achieving ISO/IEC 27001 certification for a part or entire company unit).

Usually, the influence of a Chief Information Security Officer gets to the whole company. Some of the responsibilities of a Chief Information Security Officer comprise of the following:

• Identity and access management.
• Information risk management.
• Cyber security.
• Information security and information assurance.
• Disaster recovery and enterprise continuity administration.
• Information privacy.
• Computer-emergencies /computer security-incidents response team.
• Security architecture.
• ISOC (Information security operation center).
• Information regulatory compliance (for example, HIPAA, US PCI DSS, GLBA, FISMA; UK Data Protection Act 1998; Canada PIPEDA, Europe GDPR).
• Information technology management for financial and different systems.
• Information Technology research, eDiscovery, digital forensic

The skills you would need as a Chief Information Security Officer is many years working in the Cyber security realm, understanding your infrastructure as a whole. Having the certification through the right vendor, in this case it would be EC-Council C-ISO.

The following are the needed skills the chief information security officers:

1. Communication and presentation skills;
2. Policy development and administration;
3. Political skills;
4. Knowledge about the state government;
5. Collaboration and conflict management skills;
6. Planning and strategic management skills;
7. Supervisory skills;
8. Incident management;
9. Knowledge of regulation and standards compliance;
10. Risk assessment and management.

An example of a reputable CISO, who is also one of my role models is Steve Martino. He is currently working for Cisco as the company’s VP and CISO. Martino has over thirty years of experience in IT operations, products development, security, sales and marketing and has for a long time been leading the organization’s Information Security set. According to Steve Martino, CISO (Chief Information officer) in today’s organization setting have to be good translators in order to have success. This has meaning that you should be able to translate the strategy of the business to the risks the organization is ready to accept. Rather than addressing “DDoS,” and “malware” a Chief Information Security Officer is supposed to enlighten their organization’s board and corporate management about what security technology and trend mean in forms of risks to the company and the processes and resources necessary for managing such risks.

It is imperative to make everyone in the company accountable in some way to the overall security experience. A CISO can fail if he/she takes the role as just his/her job. Marketing needs to be accountable for customer data, HR should be accountable for employee data, and engineering must protect intellectual property. They all have to embed security in their processes and be able to measure how they are doing.

In addition, all employees must have a general understanding of cyber security threats. For example, once a year, as part of their code of business conduct training, Cisco’s employees learn about the company’s expectations regarding security. Each quarter, employees receive fake phishing campaigns. They can go to an internal website (called “the phish pond”) to learn more about phishing and validate any test phish. As a result, clicks on fake phish have been reduced by two-thirds, says Martino.

When a CISO is talking to the employees, he/she can communicate to them about the means which attackers mostly use to breach an organization, for example, the internet is great but it’s like being in the middle of a large city rather than a small town’s main street. Making them aware of the importance of backing up their personal files is important, as 18% of people never back them up and 39% only do so when reminded.

There are also programs at Cisco targeted at specific groups of employees. For example, the “security ninja” training program helps software developers build products and services in a secure way. They work their way up various levels until they get the coveted black belt. For business-related roles, special training programs cover topics such as designing secure business processes, regulatory issues, and the employees’ responsibilities as data stewards.

CISOs should also create programs and processes that “get everybody in the boat with you”. One such program at Cisco is the “service security primes,” in which manager-level staff in different IT groups are chosen to be the single point of contact for security escalations. This results to getting people embedded throughout the organization that the IT leader cares about because they report up to that leader. This results in a “stronger partnership [with IT] to make informed decisions.”

Being with a Chief Information Security Officer or a related role in a company has come to be a standard in corporate, non-profitable, and governmental, sectors. All over the globe, an increasing number of establishments have a Chief Information Security Officer. By the year 2009, an approximation of eighty-five percent of huge companies had security executives, up from fifty-six percent in the year 2008, and forty-three percent in the year two thousand and six. A study conducted by PricewaterhouseCoopers in the year 2006 for organization’s Annual Information Security Survey,eighty percent of companies had a Chief Information Security Officer or a similar related role. Around 1/3 of every company’s security chiefs report to a CIO (this is the Chief Information Officer), thirty-five percent report to their company’s CEOs (Chief Executive Officers), and about twenty-eight percent report to their organization’s B of D (board of directors).

In the settings of a corporation, the tendency is for Chief Information Security Officers to assume a strong technology knowledge and business acumen balancing. Chief Information Security Officers are mostly in huge demands and compensations are similar to different C level positions who hold alike business titles as well.

Some independent establishments, for example, EC-Council  and HISPI (Holistic Information Security Practitioner Institute) offer certifications, education, and training through the promotion of an approach deemed holistic to Cyber security to CISOs, Technology Risk Managers, Directors of Information Security, ISOs, Security Analysts, Information Security Managers, and Security Engineers from notable companies and groups.

It is recommended balancing security with active response. Typically, the time between when an attack starts and when someone finds out about it is a hundred and sixty to two hundred days. That is unacceptable. Part of the investment in cyber security technology and process has to be devoted to this kind of work so the time it takes to discover an attack is down to a day or less.

Organizations need people with the right cyber security skills and experience to do this job and they are hard to find nowadays. To tackle the cyber security skills shortage, “you have to grow people, have a process to bring in people and move them to be more proficient. It is advisable that when hiring, you look for people who are inquisitive. As cyber security is constantly changing, it’s best to hire people who are “self-motivated to learn.” And once they are hired, look for where you need them to be in the future and inject specific learning opportunities.

It is anticipated that companies that have a digital strategy at their core will recognize the importance of trust to their customers and markets. This will focus security strategies on solutions that are integrated, delivering efficacy, visibility and speed to respond.

Conclusion

Many enterprises today are going through a digital transformation, digitizing their processes and customer experiences. With most products and services having a digital dimension, companies must incorporate the management of cyber security risks into their business strategy.

In the modern age of technology, there will always be a need for a Chief Information Security Officer in any organization setting. Jobs will only continue to grow and finding the right person to fill that role of Chief Information Security Officer will be hard, but as long as they can perform the functions and be held accountable for their actions, I think they will do great.

References

• Karanja, E., & Rosso, M. A. (2017). E Chief Information Security O cer: An Exploratory Study. Journal of International Technology and Information Management,26(2), 23-47. Retrieved October 09, 2018, from https://scholarworks.lib.csusb.edu/cgi/viewcontent.cgi?referer=https://www.google.com/&httpsredir=1&article=1299&context=jitim.
• Harkins, M. (2016). Managing risk and information security: Protect to enable. Berkeley: Apress Open.
• Ragan, S. (2018, October 02). Gwinnett Medical Center investigating possible data breach. Retrieved October 9, 2018, from https://www.csoonline.com/article/3309953/security/gwinnett-medical-center-investigating-possible-data-breach.html