[BreachExchange] CISO job description: What does a CISO do?
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Feb 28 18:55:42 EST 2017
http://www.itpro.co.uk/careers/28228/ciso-job-description-what-does-a-ciso-do
The role of a chief information security officer (CISO) has changed over
the years as organisations face new and increasing threats against their
infrastructure. It has evolved from just focusing on the implementation and
management of security technologies to a more consultative, business
process aware risk management role.
Within an organisation, the CISO is responsible for establishing and
maintaining an information security stance for the whole company. This
includes policies and procedures aimed at protecting an organisation's
information assets, systems and communications. It also means this person
is looked upon to provide leadership and guidance in managing risks to the
confidentiality, integrity and availability of the organisation's
intellectual property.
The CISO also heads up the IT security department and its staff. While
they still generally report to the CIO, an increasing number report
directly to the CEO.
CISO responsibilities
While there is no single definition of what a CISO does, they have many
responsibilities they need to discharge as part of the job. Initially they
may need to hire and lead a team of IT security experts and provide
leadership, training opportunities and guidance to this team.
They also need to create a strategy to deploy IT security hardware and
software, as well as overseeing the development of corporate security
policies, standards and procedures. The CISO must also ensure these are
complied with by the company and its staff.
CISOs must also integrate security policies and protection strategies with
IT systems development and collaborate with key people within the business
to create an IT security risk management programme. This means working with
senior management to make sure that IT security policies are deployed,
revised, sustained and overseen effectively.
Existing systems and servers need to be audited and assessed for risk.
CISOs need to predict emerging threats and monitor any security flaws and
threats within the infrastructure.
A CISO also needs to develop policies around security incidents and create
an Emergency Response Team to act when a security breach is looming or has
happened. They should also develop a disaster recovery plan to allow for
business continuity after a cyber-attack.
CISOs have budgets, so resources need to be prioritised and allocated
efficiently and financial forecasts prepared to ensure appropriate cover
for security assets. A CISO needs to show that investments can be used to
protect an organisation's assets and protect its brand if hacked.
A CISO must also head up education courses aimed at raising user awareness
and security compliance.
What skills are needed to be a CISO?
To be a competent CISO, a person needs several skills. These include
communication and presentation skills; policy development and
administration; knowledge about government (e.g. relevant legislation both
current and incoming); collaboration, planning and strategic management
skills; supervisory and incident management skills; and a knowledge of
regulation and standards compliance.
However, the most valuable skill should be the ability to articulate IT
security and technical issues in a non-threatening, clear and actionable
manner to non-technical leadership.