Who Leads the Information Security Program?

How is Security Defined in an Organization and Who Leads it?

An Information Security Program is a system for protecting the confidentiality, integrity, and availability of information within a business.

In most organizations there are two groups, sometimes related and sometimes not, that may each be referred to as "the security group":

  1. Physical Security: The first group is charged with protecting the physical building and the people within it. At its core, this group is made up of the security guards and facilities staff who control access to the physical office.
  2. Information Security Group: The second group is charged with protecting the organization's information, wherever it is stored, processed, or transmitted.

Our focus for the rest of this series is on the information security program. Next, we will look at who is generally charged with running this group in a typical organization.

Related Topic: What is an Information Security Program

Who Leads the Information Security Program?

In most organizations, the information security program is led by the Chief Information Security Officer, or CISO. The title varies with the size and structure of the organization; the same role is often called manager, deputy director, director, or vice president of information security.

Other Common Information Security Group Roles
You have found the group and its leader, and you are ready to understand some of the common roles on the cyber security team. Here goes:

Security Architect – This role is generally charged with designing how the organization's technical preventive and detective safeguards fit together to meet the security program's objectives. Preventive safeguards stop security events from happening, while detective safeguards identify security events when they do occur. A lock on a door is an example of a preventive safeguard; video recording of that door is an example of a detective one.

Security Engineer – While security architects operate at the forest level, security engineers operate at the tree level. They are responsible for implementing, managing, and operating a specific preventive or detective technology.

An example would be the management of a firewall or of a logging technology. To learn more, see a recent article I published on the Channel Co, in which I discuss in detail the Top 5 Tips for any Security Technology Purchase.

Security Analyst – A security analyst is commonly responsible for the research and the day-to-day tasks associated with the security program's processes. We will discuss these processes in more depth later in the series; for reference, they are common items such as risk management, incident management, security policy management, and vulnerability management.

Alright, hopefully this gets you moving in the right direction in understanding who leads the information security program in an organization. In the next article in this series, we will look at the documentation commonly found in an information security program.

Mike Gentile

CISOSHARE’s President and CEO
Mike Gentile has been helping organizations build Information Security Programs for more than 20 years. He has written multiple recognized books on the subject, given hundreds of presentations, and built many Security Programs in both internal and external consulting roles.