How Does a CISO Fit Into a Security Program?
April 12, 2017
25 min read
People mistakenly think that a CISO (Chief Information Security Officer) is just the leader of an organization’s technical security operations — like a security-focused IT manager — and that’s it.
While it’s true that CISOs have to be pretty tech-savvy, their responsibilities often reach much wider than keeping an eye on technical security configurations.
CISOs not only set a security program's strategy and initiatives, they are also the bridge between the security program and the other executives and decision-makers. A CISO must keep the big picture of the organization, and the security program's role within it, in mind to make informed security decisions.
This article explores some of the common responsibilities that a CISO has and why an effective cyber security program is important for an organization.
Compliance and Requirement Translator
While managing risk is a critical part of a CISO's job, there is more to a security program than risk management. CISOs must also ensure that the organization meets the legal, regulatory, and contractual requirements that apply to its industry, type of business, and the data it handles.
Whether it is ensuring that a clinic handles protected health information (PHI) and patient records in compliance with HIPAA, or ensuring that any stored cardholder data is handled in compliance with PCI DSS (an industry standard imposed by contract with the card brands rather than a law), the CISO is ultimately accountable for keeping the security program and the organization compliant with these requirements.
Beyond regulatory and legal requirements, the CISO should also be aware of any customer requirements for changes or improvements to the security program, as these also impact any security projects and initiatives.
Cyber Threat Expert
The cyber threat landscape is constantly changing. One of a CISO's duties is to stay aware of the threats and risks relevant to their organization and to build a team that supports the assessment and identification of both new and existing threats.
Staying on top of the threat landscape helps determine what steps need to be taken to prevent breaches, data theft, malware infections, and other threats to the organization's assets and to employee and client information.
Bridge Between Security Operations and Leadership
CISOs need to have excellent communication skills, as one of their biggest roles is to act as a liaison between the technical operations side of the organization and its executive leaders.
When a CISO identifies a security project that must be done to mitigate a threat, they need to be able to communicate the importance of that project and the impact it will have on the organization's big picture and bottom line.
Most business leaders do not want to be bogged down by unnecessary tech-speak, and technical IT leaders may not know how to articulate why a technical change matters to the business.
The CISO is the advocate and bridge that connects both worlds to ensure that the most important information from the security program is being communicated and used to make informed business decisions.
Security Culture Creator
Threat reduction strategies, policies, and processes are only effective if they’re used and enforced consistently. This means that everyone in an organization, not just the security team, must be on board.
Employees need to follow the policies that reduce their exposure to threats and maintain the organization's security posture. From keeping endpoint malware protection up to date to following the password policy for their work accounts and devices, these rules are only effective if they are actually followed.
A CISO is tasked with making sure employees clearly understand why these policies are in place and with verifying that the policies are being followed. Beyond this, providing appropriate security training and awareness better prepares employees to identify and report potential incidents and suspicious activity.
Building an Effective Security Program
A cyber security program involves layers of procedures, policies, and processes to protect an organization from a range of security threats. An effective program gives the CISO visibility into the current state of risk the organization faces, so that the executive team and other decision-makers can take steps to prevent an incident rather than playing catch-up after one.
A full security program requires multiple resources, not just a CISO, to effectively implement, manage, and maintain the appropriate policies and processes. Security needs to integrate with and enable the organization's business goals, rather than being tacked on as an afterthought to the business strategy.