[BreachExchange] Portrait of a CISO: Roles and responsibilities

Destry Winant destry at riskbasedsecurity.com
Mon Jul 29 10:30:23 EDT 2019


https://searchsecurity.techtarget.com/feature/Portrait-of-a-CISO-Roles-and-responsibilities

The chief information security officer role was created in recognition
of increasing and evolving threats to enterprise data and information
security.

This executive manager is in charge of operations, strategy and budget
for the organization's security infrastructure and assets. CISOs serve
as advisors to the board of directors on security issues, threats and
regulatory compliance measures. In addition to advising other
executives, a CISO reports to customers and shareholders as well.
Employees within an organization look to the CISO for security
awareness training and assurance that their leadership focuses on
improving security posture.

CISOs must be vigilant day in and day out when it comes to predicting
and outmaneuvering attacks. This is what makes the CISO different from
other security responders. Rather than waiting for attacks to happen
to execute incident response plans, this executive functions to
anticipate those attacks. For this reason, a CISO is never done
learning about threats and vulnerabilities. The research never stops
because the evolving threats never do.

Here are three informative articles to shed light on the importance of
the CISO role, the regulatory guidelines CISOs enforce and the skills
necessary to be successful in the position.

Evolution of threats expands CISO roles and responsibilities

The tech industry has recently experienced executive-level
reorganization. CISO roles and responsibilities are now simultaneously
shifting and expanding in response to job title revisions, not to
mention increasingly sophisticated security threats.

In the past, the role of CISO has been described as largely advisory.
Originally, this person was expected to update company leadership on
security incidents and conduct security awareness training for
employees. Fast forward to today's challenging threat landscape,
coupled with the advent of a cybersecurity skills shortage, and CISOs
will tell you the job hasn't gotten any easier. Read more on the
evolution of this security manager's position and how this important
employee may finally be getting the recognition she deserves.

New regulation policies affect CISO compliance oversight

A CISO must be vigilant about compliance with government and industry
regulations. Familiarity with policies and guidelines, like GDPR and
the California Consumer Privacy Act, is a must. CISOs organize
security assessments and audits to determine weak spots before
cyberattacks happen and, if deemed necessary, identify how to improve
cybersecurity awareness within the organization. This is complicated
by the fact that new legislation, constantly introduced by lawmakers
around the world, launches cybersecurity concerns into the center of
debate. Read more about how this is changing the daily grind for CISOs
worldwide.

CISOs must demonstrate quality communication skills

The CISO must be a good communicator. One of the most important of the
CISO's roles and responsibilities is communication with customers and
shareholders alike, who need assurance that their leadership approach
prioritizes the security posture of the organization. CISOs work with
other departments within the organization to reduce operational risks
in the event of a security incident. A CISO must relay highly
technical language to employees and leaders within his organization
who may not possess the same technical background. The ability to
present information on security compliance and company policy in
accessible terms to co-workers is essential.

It is also vital that the lines of communication always be open
between the CISO and the board of administrators. Fortunately, the
role of CISO is experiencing increased recognition and interest from
company executives who accept that security is of the utmost
importance to businesses and customers alike. Read more from seasoned
CISOs about how to pitch important messages succinctly and effectively
to an administrative audience.
