What is it?
Chief Information Security Officer. The most senior individual responsible for protecting an organization’s information assets.
Why is it important?
The CISO has overall responsibility for the information security program for an organization. The CISO works closely with executive management and business stakeholders to protect information assets.
Why does a business professional need to know this?
The CISO is charged with providing an efficient and effective security program, which includes retaining skilled cybersecurity specialists and documenting and automating cybersecurity processes and procedures. Business professionals should know and work with the CISO and his or her team to build a secure environment.
The CISO works with management stakeholders to allocate an appropriate budget for cybersecurity; acquire the necessary personnel, tools, and resources; and create and execute plans for improving cybersecurity maturity. The CISO is accountable for identifying and communicating relevant information security threats, balancing the competing needs of business operations and information security, and leading the cybersecurity team as it works towards these objective. Cybersecurity maturity occurs over time as more investments are made, processes are refined, and tools are integrated into a long-term plan.
The CISO is responsible for ensuring that appropriate policies, standards, procedures, and guidelines exist within the organization to reduce overall risk and comply with regulatory and privacy requirements. Administrative, technical, and operational controls collectively fulfill this objective.
For example, a cybersecurity analyst may be assigned to implement controls that aggregate and correlate security events to detect malicious behavior against critical information assets. The CISO is responsible for warning stakeholders about the risk of potential malicious events, putting monitoring procedures in place, ensuring that oversight and secondary quality controls are present, and creating a monitoring strategy that reflects the organizations tolerance for risk.
- (Fitzgerald 2007) CISO Leadership: Essential Principles for Success: Fitzgerald, Todd and Micki Krause, editors (2007). Auerbach Publications. Describes practical, applicable, real-world skills for aspiring senior security executives.
- (Fitzgerald 2011) Information Security Governance Simplified: From the Boardroom to the Keyboard: Fitzgerald, Todd (2011). CRC Press. Describes how to implement an information security program.
- (Cobit) Cobit 5 for Information Security: Information Systems Audit and Control Association. Practical guidance for information security.