Cybersecurity For Dummies
Book image
Explore Book Buy On Amazon
CISO stands for chief information security officer. The CISO represents the information security function in an enterprise. This person is responsible for ensuring that cybersecurity initiatives are carried through in an organization.

While all businesses need someone within them to ultimately own responsibility for information security, larger enterprises often have large teams involved with information security and need someone who can oversee all of the various aspects of information security management, as well as manage all the personnel involved in doing so. This person also represents the information security function to senior management — and sometimes to the board. Typically that person is the CISO.

While the exact responsibilities of CISOs vary by industry, geography, company size, corporate structure, and pertinent regulations, most CISO roles share basic commonalities.

In general, the CISO’s role includes overseeing and assuming responsibility for all areas of information security. Keep reading to gain a better understanding of each of these areas.

Overall cybersecurity program management

The CISO is responsible to oversee the company’s security program from A to Z. This role includes not only establishing the information security policies for the enterprise, but everything needed to ensure that business objectives can be achieved with the desired level of risk management — something that requires performing risk assessments, for example, on a regular basis.

While, in theory, small businesses also have someone responsible for their entire cybersecurity programs, in the case of large enterprises, the programs are usually much more formal and have more moving parts. Such programs are also forever ongoing.

Test and measurement of the cybersecurity program

The CISO is responsible to establish proper testing procedures and success metrics against which to measure the effectiveness of the information security plan and to make adjustments accordingly.

Establishing proper security metrics is often far more complicated than one might initially assume, as defining “successful performance” when it comes to information security is not a straightforward matter.

Human risk management in cybersecurity

The CISO is responsible for addressing various human risks as well. Screening employees before hiring them, defining roles and responsibilities, training employees, providing employees with appropriate user manuals and employee guides, providing employees with information security breach simulations and feedback, creating incentive programs, and so on all often involve the participation of the CISO’s organization.

Information asset classification and control

This function of the CISO includes performing an inventory of informational assets, devising an appropriate classification system, classifying the assets, and then deciding what types of controls (at a business level) need to be in place to adequately secure the various classes and assets. Auditing and accountability should be included in the controls as well.

Security operations

Security operations means exactly what it sounds like. It is the business function that includes the real-time management of cybersecurity, including the analysis of threats, the monitoring of a company’s technology assets (systems, networks, databases, and so on) and information security countermeasures, such as firewalls, whether hosted internally or externally, for anything that may be amiss.

Operations personnel are also the folks who initially respond if they do find that something has potentially gone wrong.

Information security strategy

This role includes devising the forward-looking security strategy of the company to keep the firm secure as it heads into the future. Proactive planning and action is a lot more comforting to shareholders than reacting to attacks.

Identity and access management

This role deals with controlling access to informational assets based on business requirements, and includes identity management, authentication, authorization, and related monitoring. It includes all aspects of the company’s password management policies and technologies, any and all multifactor authentication policies and systems, and any directory systems that store lists of people and groups and their permissions.

The CISO’s identity and access management teams are responsible to give workers access to the systems needed to perform the workers’ jobs and to revoke all such access when a worker leaves. Likewise, they manage partner access and all other external access.

Major corporations almost always utilize formal directory services type systems — Active Directory, for example, is quite popular.

Cybersecurity and data loss prevention

Data loss prevention includes policies, procedures, and technologies that prevent proprietary information from leaking.

Leaks can happen accidentally — for example, a user may accidentally attach the wrong document to an email before sending the message — or through malice (e.g., a disgruntled employee steals valuable intellectual property by copying it to a USB drive and taking the drive home just before resigning).

In recent years, some social media management functions have been moved into the data loss prevention group. After all, oversharing on social media often includes the de facto sharing by employees of information that businesses do not want going out onto publicly accessible social networks.

Fraud prevention

Some forms of fraud prevention often fall in the CISO’s domain. For example, if a company operates consumer-facing websites that sell products, it is often part of the CISO’s responsibility to minimize the number of fraudulent transactions that are made on the sites.

Even when such responsibility doesn’t fall within the purview of the CISO, the CISO is likely to be involved in the process, as anti-fraud systems and information security systems often mutually benefit from sharing information about suspicious users.

Besides dealing with combatting fraudulent transactions, the CISO may be responsible for implementing technologies to prevent rogue employees from stealing money from the company via one or more of many types of schemes — with the CISO usually focusing primarily on means involving computers.

Cybersecurity incident response plan

The CISO is responsible to develop and maintain the company’s incident response plan. The plan should detail who speaks to the media, who clears messages with the media, who informs the public, who informs regulators, who consults with law enforcement, and so on.

It should also detail the identities (specified by job description) and roles of all other decision-makers within the cybersecurity incident response process.

Disaster recovery and business continuity planning

This function includes managing disruptions of normal operations through contingency planning and the testing of all such plans.

While large businesses often have a separate DR and BCP team, the CISO almost always plays a major role in these functions — if not owns them outright —for multiple reasons:

  • Keeping systems and data available is part of the CISO’s responsibility. As such, there is little difference from a practical perspective if a system goes down because a DR and BC plan is ineffective or because a DDoS attack hit — if systems and data are not available, it is the CISO’s problem.
  • CISOs need to make sure that BCP and DR plans provide for recovery in such a manner that security is preserved. This is especially true because it is often obvious from major media news stories when major corporations may need to activate their continuity plans, and hackers know that companies in recovery mode make ideal targets.

Cybersecurity compliance

The CISO is responsible to ensure that the company complies with all with legal and regulatory requirements, contractual obligations, and best practices accepted by the company as related to information security. Of course, compliance experts and attorneys may advise the CISO regarding such cybersecurity matters, but, ultimately, it is the CISO’s responsibility to ensure that all requirements are met.

Investigations into cybersecurity incidents

If (and when) an information security incident occurs, the folks working for the CISO in this capacity investigate what happened. In many cases, they’ll be the folks who coordinate investigations with law enforcement agencies, consulting firms, regulators, or third-party security companies. These teams must be skilled in forensics and in preserving evidence.

It does little good to know that some rogue employee stole money or data if, as a result of mishandling digital evidence, you can’t prove in a court of law that that is the case.

Physical security

Ensuring that corporate informational assets are physically secure is part of the CISO’s job. This includes not only systems and networking equipment, but the transport and storage of backups, disposal of decommissioned computers, and so on.

In some organizations, the CISO is also responsible for the physical security of buildings housing technology and for the people within them. Regardless of whether this is the case, the CISO is always responsible to work with those responsible to ensure that information systems and data stores are protected with properly secured facilities sporting adequate security perimeters and with appropriate access controls to sensitive areas on a need-to-access basis.

Security architecture

The CISO and their team are responsible to design and oversee the building and maintenance of the company’s cybersecurity architecture. Sometimes, of course, CISOs inherit pieces of the infrastructure, so the extent to which they get to design and build may vary.

The CISO effectively decides what, where, how, and why various countermeasures are used, how to design network topology, DMZs and segments, and so on.

Ensuring auditability of system administrators

It is the CISO’s responsibility to ensure that all system administrators have their actions logged in such a fashion that their actions are auditable, and attributable to the parties who took them.

Cyber-insurance compliance

Most large companies have cybersecurity insurance. It is the CISO’s job to make sure that the company meets all security requirements for coverage under the policies that are in effect, so if something does go amiss and a claim is made, the firm will be covered.

While the CISO role can cover many of these responsibilities, the function is constantly evolving and may take on new task responsibilities.

About This Article

This article is from the book:

About the book author:

Joseph Steinberg is a cybersecurity and emerging technologies advisor with two decades of industry experience. One of only 28 people worldwide to hold the entire suite of advanced information security certifications (CISSP, ISSAP, ISSMP, and CSSLP), he writes an independent column covering cybersecurity and privacy, after previously covering those topics for Forbes and Inc. Magazine. He also authors thought leadership articles for many technology companies, including IBM and Microsoft, and has invented various cybersecurity-related technologies, which are cited in more than 400 U.S. patent filings.

This article can be found in the category: