[BreachExchange] The CISOs Role in Risk Management

Destry Winant destry at riskbasedsecurity.com
Thu Oct 18 11:02:52 EDT 2018


The Chief Information Security Officer (CISO) of a company is becoming
more and more important as cybersecurity threats increase in both
frequency and reach. Every business needs to ensure that their CISO is
not only concerned with security, particularly when it comes to any IT
systems, but will also be responsible for risk management throughout
the company. This risk management should take into consideration all
the possible threats that could affect their business, particularly
those from internal as well as external agents including vendors.

What Does the CISO Role Entail?

It is important that the CISO is part of the C-level of executives in
order to be able to both liaise and report to the leaders of a
company, and oversee the controls protecting the important critical
information and technology relating to the business as a whole. The
CISO must be able to implement strategies to protect the sensitive
data held by a company and comply with any regulatory bodies that
govern the security of that data.

Gone are the days when security just encompassed the installation of
firewalls and data encryption. With the increase in sensitive data
being held by firms the world over and the greater sophistication of
cyber threats, not only does a CISO have to protect information but
they also need to manage the risks associated with processing that
data. This has to encompass security measures within a company and
that associated with normal business practices when dealing with
external vendors.

What Are the Risk Management Issues?

Depending on the industry that a company is in, there are a number of
dedicated standards and security regulations that need to be complied
with. A CISO needs to be on top of both the security implications
relating to any sensitive data their company controls and stores, as
well as any risk management requirements that their specific
regulations stipulate. It is vitally important that the person
involved in looking after the security aspects of a company should
make sure that the considerations include a focus on risk management.

For example, ISO 27001 is the international standard for security
systems and prescribes the requirements for an ISMS (Information
Security Management System). An ISMS is essential for effective risk
management as it uses a set of regulated processes which encompass
both technology and people to help you protect and manage any
sensitive information you hold within your company.

For businesses within the health industry, the HIPAA (Health Insurance
Portability and Accountability Act) helps to standardize the way
health information is used and stored, such that it reduces fraud and
abuse while still ensuring individuals can transfer and retain health
insurance even when changing jobs. It requires stringent security
measures to protect any health data, and this includes safeguards
implemented with a risk management approach.

NIST standards are used as a framework to help companies, particularly
federal agencies, comply with standards and regulations relating to
their specific industries. NIST 800-53 in particular relates to
security controls and lays out the responsibilities of staff,
including the CISO, which are needed to enable a successful CDM
(Continuous Diagnostics and Mitigation) program.

What Risk Management Functions Should a CISO Consider?

Risk Management needs to take into account all the possible problems
that today’s IT systems navigate. This includes knowledge of any
gateway that could allow cyber-attacks and procedures that set out how
to deal with them, so that critical systems can be operational again
as soon as possible in the event of an incursion. The areas that
should be considered include:

- Establishing Critical Systems and Data – In case there is a breach
and the IT infrastructure is shut down, critical systems, networks and
data need to be accurately determined so that they can be the first to
be restored should there be issues.
- Protecting Against External Threats – These could come from
cybercriminals gaining access directly into your systems or through
any third-party vendors that a company works with. Security protocols
should be regularly updated and maintained on your systems and those
of your partners.
- Protecting Against Internal Threats – A chain is only as strong as
its weakest link, which means that staff should be trained to be on
the alert for cyber-attacks, and role-specific and multi-factor
authorizations should be implemented in order to protect network
- Continuous System Monitoring – Hackers do not work 9 to 5 and
constant automated monitoring will allow early notification in the
event of an incursion being found, along with better preparation for
identifying and repairing any vulnerabilities.
- Disaster Recovery and Business Continuity – If the worst were to
happen, having strategies in place to recover critical systems and
restore business continuity as soon as possible is essential to the
successful management of the impact of a cyber-attack.

Reporting Considerations for a CISO

The post of CISO has only been in existence since 1994, originated by
Citigroup in response to Russian cyber-attacks, and originally it was
a role that reported in to the CIO (Chief Information Officer).
Latterly though, this has been flagged as a possible conflict of
interest because the CISO and CIO will have different priorities when
it comes to purchasing and managing any assets related to the IT
infrastructure. As it is such an important role for a company, it
should be considered on a par with other C-level executives with a
reporting responsibility to the CEO (Chief Executive Officer) and
Board of Directors.

Reporting to the Board of Directors

While it may not seem essential in day-to-day business, corporate
governance when it specifically relates to security, regulations and
standards is an important part of a board’s responsibilities. In fact,
some regulations and standards even specify the importance of
corporate governance as a compliance issue.

Inclusion of the board members during IT security discussions can be
beneficial to both the CISO and the company as a whole in order to
assess all the risks and be able to create the appropriate management
strategies to combat them. The board needs to be able to provide the
necessary oversight and to advise on the issues in order to protect
their company and the data it holds. The Sarbanes-Oxley Act (also
known as SOX) regulates the responsibilities of corporate boards and
can fine or jail board members if they do not comply.

Additional Help for CISO Duties

The security and risk management of a large company can be onerous for
a CISO and their team. There exists, however, automated software that
can assist in the assessment of risk and advice for streamlining many
security processes. These take into account many of the risk
management issues that a CISO has, including the internal and external
worries of role-based authorization and vendor management respectively
in order to restrict any sensitive data being accessed

The extensive reporting capabilities of this type of software can also
save time when specific information is required for the Board of
Directors or internal and external auditors. The thoroughness of this
type of software can even speed up audits because of its automated
information gathering, which allows the auditors to arrive at their
conclusions much faster when they have all the information at their
fingertips, saving time and money.

More information about the BreachExchange mailing list