Management guide for CISOs: responsibilities, strategies and best practices
Chief Information Security Officer (CISO) is a role that is becoming prevalent in a variety of companies that have sophisticated cybersecurity protocols. A CISO has the responsibility to manage internal and external risk management for IT and beyond. In this guide, we’ll focus on what a CISO does, including risk management functions and best practices for a CISO to be successful in addressing risk.
The multiple areas of risk CISOs must manage
The origins of the Chief Information Security Officer title date back to the mid-90s, when Citigroup hired Steve Katz for the role to deal with new world of security and information. This came in response to a series of cyberattacks from a Russian hacker. Nowadays cybersecurity is, of course, one of the biggest concerns that any company has when it comes to the safety of their data.
The duties of a CISO vary by company and industry. Simply put, the CISO is the top cybersecurity executive. Regulations and compliance can also impact the CISO’s role.
According to research by CNBC, there are at least seven areas of focus for a CISO:
- Security operations: This includes the real-time evaluation of threats, looking specifically at points of possible breach such as firewalls, entry points and databases. If a breach or attack occurs, then the problem needs to be analyzed and resolved
- Cyber-risk and cyber intelligence: This sector includes understanding emerging risks in the cyberworld as well as collecting intelligence about companies or products that could affect a business’s risk appetite
- Data loss and fraud protection: Proper tools need to be in place and monitoring the flow of information internally and to external parties. The objective is to prevent or immediately be aware if someone emails sensitive data or attempts to steal intellectual property
- Security architecture: A CISO needs to be the lead in developing and enhancing the foundation of a network’s security. In doing so, the CISO may recommend penetration testing and ethical testing to gauge the strength of networks and pinpoint weaknesses
- Identity and access management: In this segment, it’s all about who can access what and how. This team must handle credentialing. Credentials have to be kept up to date, removing access to anyone who leaves the company or changes roles
- Program management: This is the big picture for CISOs. Risk has been measured. Intelligence has been gathered. Gaps have been identified. This process is continually being refined based on lots of factors, all with the goal to keep the company as secure as possible
- Investigations and forensics: When an incident occurs, it’s essential to investigate it and have proof that an employee or outside agent committed a crime. Forensic results are typically what is needed for an indictment to happen
- Governance: CISOs must have a detailed framework for how security is handled, yet it also must be adaptable to the changes that are inevitable due to regulations or new threats on the horizon. Governance is critical to accountability and allowing for an accurate view of risk for CEOs and other leaders
Beyond these seven areas, CISOs are also encountering a newer realm — artificial intelligence. The reality is that AI is actually helping cyber-attackers automate attacks. But while they are using it for harm, AI also has the ability to be a great tool for a CISO and his or her team. AI can address cybersecurity challenges by identifying threats, risk assessment and more.
The Strategic CISO
There’s no denying that many organizations, no matter how much money or resources they have, struggle with cybersecurity. There are a lot of competing priorities and agendas, which only increases in large enterprises.
One of the biggest challenges is strategic alignment between the security organization and the business. In fact, a Deloitte study found that 46% of CISOs struggle with this proposition. There are several reasons this is a challenge.
Many CISOs come from a technology background, not a business one. Because of the lack of experience here, it’s critical for a CISO to get more involved and engaged with the business goals and needs.
There can also be a communication barrier. It’s necessary for a CISO to work with many other leaders in the company to have a better alignment. The same Deloitte study found that many CISOs “have to invest a lot of time to get buy-in and support for security initiatives.” This means a CISO has to do a lot of proving that cybersecurity has to be deeply ingrained into every part of the business. The CISO deserves a seat at the table and can help put themselves there by:
- Understanding leadership’s or a board’s business strategy
- Developing a more inclusive information security plan that is also measurable (leaders respect things that can be measured and show a return on the investment)
- Communicating honestly and transparently with leaders
Another concern, as alluded to earlier, is the talent shortage. CISOs can spend a lot of time and worry on trying to find the necessary talent to keep security operations moving, which means they have less time to be strategic.
The CISO Handbook: A Key Resource for Threat Management
The CIO and CISO Councils created a CISO Handbook in 2018 to help CISOs stay on top of security needs as it pertains to federal law. The handbook was released based on the government’s emphasis on CISOs modernizing their IT systems. The handbook is also useful to encourage the workforce to take up cybersecurity roles, as there is already a gap for these professionals which is expected to grow to 1.8 million by 2022, according to the Center for Cyber Safety and Education.
The handbook has a particular focus on CISOs embracing the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which includes standards, guidelines and best practices for managing cybersecurity-related risk and promotes a proactive approach to protecting infrastructure.
Further, the handbook is a searchable archive for frameworks, guidelines, policies and mandates. While the handbook is primarily intended for those that work with the federal government, it’s really a great resource for any CISO.
Additional Best Practices for CISOs
CISOs have a heavy burden and a full plate. However, it’s not an impossible feat to have a successful risk management strategy that aligns with business goals and meets the priorities of keeping systems and data safe. For any CISO to manage risk well and holistically, it’s vital to:
- Recognize that cybersecurity risk is a business risk, not just an IT problem. Consider how digital transformation has evolved how every company does business and the deendence on technology to do so
- Acknowledge that positions on risk must be aligned across an entire organization. Business goals can be the driver here. Most importantly, risk can live in silos. It affects every part of a business. This needs to be communicated and embraced by all for a risk-aware culture
- Create a common risk language for consistent and actionable risk measurement models. This requires agreement among departments on the definition of risk, so there is no room for confusion or misinterpretation. This allows for a way to communicate and measure risk reliably
To take a further look at how a CISO can manage effectively, dive into this in-depth interview with an expert and former CISO from the Infosec blog. You can also check out our CISO resources page for more insights.
- Here’s what cybersecurity professionals at companies actually do, and why they’re so vital, CNBC
- The Chief Information Security Office (CISO) Handbook, cio.gov
- New perspectives on how cyber risk can power performance, Cyber Risk
- Global Information Security Workforce Study, GISWS
- Framework Documents, NIST