CISO | Top Roles and Responsibilities of a Chief Information Security Officer [Checklist included]

CISO | Top Roles and Responsibilities 

Many people mistakenly think a CISO (Chief Information Security Officer) is simply head of technical security operations – sort of an IT manager – and that’s the extent of their role. The truth is that while CISOs must be tech-savvy, their responsibilities demand much more. They must be excellent communicators and leaders, as well as incredibly good at understanding the big picture. In this article, we’ll explore some of the top responsibilities that belong to an organization’s CISO and discuss how an information security program can help.

Legal Compliance Translator

A CISO’s duties are about more than simply eliminating threats that could be dangerous or inconvenient for the organization itself. They’re also charged with ensuring that the organization is in compliance with legal requirements that internal counsel or compliance deem applicable to the environment. Whether it’s making sure all information handled by a medical organization is in compliance with HIPAA, or ensuring that use and storage of all credit card information is PCI-compliant, a CISO is key in keeping an organization from unintentionally running afoul of the law.

Ever-Alert for Security Threats

Part of a CISO’s responsibilities is building a team that will help assess existing threats, as well as identify potential new ones. This will help them determine what steps need to be taken to prevent data breaches, theft, viruses, and other threats to an organization’s assets, as well as to employee and client information.

Effective Communicator Between IT Operations and Leadership

It’s key that a CISO has excellent communication skills. One of their biggest roles will be as a liaison between the technical operations side of the organization and the leaders who steer the business itself. When a CISO identifies that an investment needs to be made in order to prevent a threat, it’s important that they be able to effectively communicate – in business terms – how this threat may affect the big picture and the organization’s bottom line.

Often, business leaders don’t know technical-speak, and often IT specialists in an organization don’t know how to address the business side of things. A CISO must be able to move fluidly between the two worlds and speak both languages.

Help Train Employees and Implement Policies

Threat-reduction strategies are only effective if they’re put into consistent use. In order for this to happen, a CISO needs the entire team on board. This means all employees will need to help implement policies that will reduce threats and improve security. It could mean properly password-protecting their work laptops if they remove them from the office, or knowing what patient information is protected under medical privacy laws. A CISO will be tasked with helping all employees clearly understand why certain policies are in place, as well as helping to train them in information security and to use any new software or devices that are necessary to ensure security and legal compliance.

How Does an Information Security Program Support a CISO with Their Role & Responsibilities?

An information security program involves layers of procedures and policies that are put into place to protect an organization from various security threats. Rather than playing catch up after a data disaster has already occurred, security programs are designed to mitigate threats before they become real problems.

A CISO can’t design and implement an information security program alone. Rather, they need their entire team to work together – from the members of the CISO’s security group and the business leadership who design and approve procedures and policies to employees who work to adhere to them for the benefit and well-being of the organization.

Building a comprehensive information security program from scratch can be complex. That’s why CISOSHARE strives to help businesses build security programs that work. Contact us today in order to get started.

CISOs | Best Practices to Understand, Communicate and Make Informed Decisions

CISOs | Guide to Informed Decision Making and Moving it Forward

As the lead protector of information security within an organization, a chief information security officer (CISO) must understand the risks that exist, as well as be able to clearly communicate those risks and possible solutions to the organization’s leadership. In addition to this, they have to be able to make informed decisions about what risks demand attention and the best strategies to mitigate those risks.

A security program is the key to helping a CISO, and the organization itself, make informed decisions.

What is a Security Program?

A security program involves a set of policies and procedures put in place to protect data; measurement processes to understand risk and the impact of various threats on the organization’s assets, communications, and systems; and remediation activities. Members of an organization’s security group are in charge of implementing these procedures and of the effectiveness of this overall system.

If the CISO is the general of this information security army, the rest of the team are like soldiers who each have various roles. First, the security architect works as a kind of lieutenant, managing preventative and detective informational safeguards and ensuring that they all work together like a well-oiled machine.

Meanwhile, the security engineer is responsible for managing specific preventative and detective technologies within the organization. Finally, the security analyst does research into the performance of current security and measurement processes in order to determine results, as well as any changes that need to be made.

How Does a Security Program Help a CISO Understand Risks?

Protecting an organization’s data is about more than simply stopping attackers. It’s about protecting the organization’s clients, as well as its employees. A strategically designed security program will do more than simply stop threats; it will also help an information security officer better understand and anticipate new ones in order to prevent them from occurring.

A security program will provide a look into an organization’s processes and show areas where non-compliance with certain requirements can result in data breaches or other risks. This could be anything from employees failing to properly secure information on their laptops while traveling on business to staff not understanding how to safely handle credit card numbers while using the organization’s point-of-sale system.

Excellent Communication Across the Organization

Once a CISO is able to make an informed decision about which threats demand attention, as well as the best way to combat them, the work isn’t over. CISOs then have to act as a business advisor to the organization’s executives, educating them so that they can make informed decisions about where to best deploy organizational resources and funding. This advice may involve showing the value of purchasing the appropriate security products or implementing measures to ensure that potential security threats do not become a reality.

This communication flow is only made possible with an effective security program in place. It is the system that will ensure that both the CISO and organizational stakeholders are always working with the best possible information in any given situation.

From Education to Implementation

A strategically designed security program is much more than IT putting software in place to keep information in and hackers out. It’s an intricate system that identifies potential threats, measures them, and then supports the analysis, decision making, and implementation of remediation to reduce them when it makes sense. By using this system, a CISO will be able to properly understand risks and communicate them to the rest of the company so that everyone can work together to respond to those threats in an appropriate manner. Organizational leaders benefit by getting effective and appropriate information along the way to make informed decisions, as well as the most cost-effective implementation of those decisions once made.

If your organization isn’t sure where to start with building a security program, contact CISOSHARE to find out how to get started. We have been helping organizations build security programs to protect data and organizational assets for over 20 years.

What Security Assessment Framework Is Best For Your Organization?

How to Choose a Security Assessment Framework | SOC vs ISO vs HITRUST CSF

The most important driver of which framework you select should be your internal business objectives for information security: always begin by understanding those objectives, then select the framework that best supports them.

While this is what you should do, many times organizations go with a particular framework because a client or partner or external assessor tells them they should. THIS IS A BIG MISTAKE.

How Security Assessment Frameworks Support Objectives

Below are common objectives for an organization, with the frameworks that work best for each. This list is not comprehensive but should give you an idea of how frameworks support objectives.

We want a framework to use as a benchmark to see how our current security program stacks up

I like to use a combination of the ISO 27001 standard as well as NIST 800-53 as a starting point to get a good set of safeguards that you can compare your environment against.

If you are in healthcare, you can also use the HITRUST framework, but I think this is overkill, especially if you do not have an established benchmark to begin with.

We want to impress our customers with security

Many times people think ISO 27001 certification or some other certification framework will do this. The thing that people forget is that these programs take years to get through all of the certification steps. It also takes a great deal of resources to get through the certification red tape, an effort that helps with certification but does not actually increase security. For most organizations, you are better served by focusing on implementing a true security program that aligns to ISO but does not focus on the certification elements. I have also written some other suggestions on quick things any organization can do that will make it appear more secure to customers.

We are a service provider that must demonstrate our service is secure

In these situations, if your service is critical to your customers (i.e. a data center, processing financial transactions for customers, etc.), a SOC assessment process might be the way forward. For this to apply, you have to be in the core value chain for another business, which should be fairly easy to determine.

Be aware that many organizations are, in my opinion, requesting their customers to get SOC audits and remediation without justification. Don’t fall into this trap if you don’t have to.

We process, store or transmit credit cards on behalf of people or customers

You should align to the Payment Card Industry (PCI) guidance.

We want to certify our security effort

Again, I ask, why do you want to do this? In my opinion, there is no correlation between increased security and certification.

However, if your organization aligns to ISO in other areas of the business, ISO 27001 probably makes the most sense. In healthcare, HITRUST is available, but I really think it is overkill in almost every situation I have seen it applied.

We want to make informed decisions about information security to protect our business

This is the methodology we teach at CISOSHARE. If you can make informed business decisions, you will always be best situated to implement an informed approach. It is also important to note you can align to other frameworks, even certify, but still not have this most critical capability.

If you have any questions, connect with us and let us know how we can help you move your Security Program forward.

Security Policy | Top 5 Tips for Implementing a New Security Policy

Considerations to Keep in Mind When Implementing New Security Policies

Any time you implement a new security policy into an environment, you are implementing change. Change can have positive effects, but there are often very specific considerations when producing a new security policy that can be the difference between a policy that meets business needs and one that does not. Here are the top tips:

Top 5 Tips When Implementing New Security Policy: 

Tip #1: Publish Your Security Policy – Many times people spend most of their policy development effort on building the security policies but forget to make them available so that people know what they are. It is even worse when you punish someone for not following a policy that is unavailable.

I was recently on a vacation where the resort implemented a policy to claim items left on a lounge chair to prevent people from reserving the best chairs while not there. Good idea for the late sleepers, but the resort just took people’s stuff and then left a note that said they were claiming it according to published policy. Great, but the policy was not published anywhere. For us early risers who work on the lounge chairs in the morning, we got to watch person after person get infuriated as they found their notes.

Tip #2: Ensure Security Policy Instruction is Clear – The verbiage in a security policy needs to be clear, and it must also be in the language of the audience. Do not use acronyms that people will not understand, nor terms that are left undefined. Most important, I generally leave all security nomenclature out of my security policies unless the terms are strictly defined.

Tip #3: Understand Outlier Situations – There are always wacky people in your organization who will work outside the normal working conditions, which is normal for them but may break policy. The funny thing is that these people are often abnormal in a good way. The top producers, the most creative, THE MOST IMPORTANT TO YOUR ORGANIZATION. Ensure that your security policies consider these people and situations in their application.

Tip #4: Understand Security Policy Liability – Make sure you think out the liability in your security policies. If you set a direction to inspect every bag that comes into your building, fine, but think through what happens if your team breaks something while doing it.

Tip #5: Match the “Why” with Application – There should be a very clear reason why you have a specific security policy. Further, once implemented, you need to measure if the application of your security policy, in the end, addresses the why. Simple exercise, but very powerful and often forgotten.

If you have any questions or need help with your Security Policy, connect with us!

Security Program | Start of Security Program Development Content at RSA

RSA Conference Starting to Acknowledge Security Program Development

Thank you, RSA! It started in 2014 when a Security Strategy track was added to the agenda, one that was defined as covering security program development issues. This year, it is actually going to the next level, though, as there are a couple of sessions that talk about security program development. I am going to count this as a huge win…

I love the RSA Conference. Heck, I served on the program committee for 3 years and have given 5 talks at the show over the years. The team that organizes it is passionate about making a difference and works real hard. I was excited when I reviewed the tracks this year, as well as some security program development specific content, because I firmly believe there is a relationship between the limited focus on security program development at the show and organizations still really struggling with security.

RSA Conference: Shining a Light on Security Program Development 

My specialty is and always has been security program development, even when I was on the program committee through 2013. Back then, this niche discipline was an outlier in terms of finding a conference track. So they always stuck us in either the Professional Development track, where we talked about the skills needed to be a CISO, or the Governance, Risk & Compliance track, where we talked about how to certify to a framework like ISO 27001 or something like that. Neither of these is security program development, not in 2012 and not today. Further, it has not been the RSA Conference’s fault; they simply organize the tracks based on what people ask for. My hypothesis is that people don’t ask because they don’t understand what a true security program is, or why they need it.

Security Program Development: The Niche Art of Building Repeatable Systems

Security program development is the niche art of helping organizations build repeatable systems for managing information security within their organization. Functionally, it helps an organization establish a benchmark for security, implement and perform processes for measuring against that benchmark, give this information to management to support informed decisions, and support the implementation of those decisions once made.

I am biased, no doubt, but in my travels most organizations are really struggling with implementing functionally healthy security programs, even when they may be ISO 27001 compliant, spend a ton on information security, or have big teams. I firmly believe that until organizations focus on building healthy security programs, the attacks and mess we are in will continue.

Maybe this is the birth of a much-needed dedicated track on security program development at the conference.

If you have any questions around Security Program Development we are here to help

Security Program Architecture |  What is a Security Program and Who is it Led by?

Security Program Architecture: The People, Process, and Technical Safeguards

The first three security program articles discussed the various ways in which an information security program is defined. This article will summarize those and cover security program architecture.

What is a Security Program and Who is it Led by?

A Security Program is a System for Protecting the Confidentiality, Integrity, and Availability of Information…

If you were to walk into an organization and ask “Hey, where is the cyber security program?” you would most likely get this answer: “It is the group within the organization that is charged with the task of managing security.”

Who in the Organization is the Security Program led by?

In most organizations, the information security program will be led by the Chief Information Security Officer, or CISO. This job is often also called the manager, deputy director, director, or vice president of information security.

What Kind of Documentation Does a Security Program Produce?

The most commonly known documentation of a security program is the suite of security policy documentation and the security program charter. The charter describes the mission and mandate of the security group, while the security policies describe the rules of the road for the organization as they relate to information security.

Structural Makeup of the Security Program: This describes the way in which the group is organized. Is it one group for the organization, multiple groups per business unit, or something in between?

Functional Capability of a Healthy Security Program: Any healthy security program must be able to do four things:

  1. Sets a benchmark for security
  2. Ability to measure against a benchmark
  3. Enables management decisions
  4. Supports execution of those decisions

Management of Security Architecture

The security architecture in an organization is the people, process, and technical safeguards that either prevent security events from occurring (preventive safeguards) or detect that they have occurred (detective safeguards). A key responsibility of a security program is to manage the effectiveness of these safeguards, as well as to ensure that they are appropriate for the environment.

If you have any questions, connect with one of our Information Security Program Experts.

Security Program Components | Top 3 Components of Healthy Security Program

Top 3 Primary Components of a Healthy Security Program

The Primary Security Program Components Include:

1. The structural make-up of the security program

This describes what the structure of the program will be. Will there be one security office for the whole organization or one for each business unit? What is the scope of the program, its mission and mandate, and its overall roles and responsibilities? In most organizations, the structure of the security program will be illustrated in the Information Security Program Charter document, as well as in the security governance section of the organization’s security policies.

2. The functional capability of the security program

Any healthy security program, regardless of its structure, must be able to perform four core functions on a repeatable basis:

a) Sets a benchmark for security

  • Provides a point of measurement
  • Established through a suite of security policies and standards, as well as program and process documentation

b) Ability to measure against a benchmark

  • Processes for consistently measuring the environment against the benchmark
  • Managed through the security risk management program for the organization

c) Enables management decisions

  • Reports that measure the environment against the benchmark
  • Enables management to make informed decisions

d) Supports execution of decisions

  • Performance of security-specific tasks associated with the security program
  • Supports the business in the implementation of its security remediation activities as required

3. Establishes and manages the security architecture for the organization

The security architecture in an organization is the people, process, and technical safeguards that either prevent security events from occurring (preventive safeguards) or detect that they have occurred (detective safeguards). An example of a preventive safeguard is a lock on a door or a password to get into a system, while an example of a detective safeguard is a video monitoring system or logging of access to an application.

Security Program Components Conclusion

A key responsibility of a security program is to manage the effectiveness of these safeguards, as well as to ensure they are appropriate for the environment. This enables the CISO to provide leadership with clear information and findings so that management can make informed decisions.

If you have any questions and need support with building a healthy information Security Program, contact us.

Security Program Documentation | What Is the Common Documentation?

List of Security Program Documentation

Security Program Charter: This document will illustrate the mission and mandate of the information security program, as well as its overall strategy.

It also generally contains the scope of the program, documented roles and responsibilities, the risk management system that will be utilized, and the communication framework for information going into and out of the program.

Security Policies, Standards, and Guidelines: This documentation is generally what most people believe a security program to be. It is a suite of documents that are sometimes combined and sometimes kept as individual groups of documents.

They usually exist in the following domains, though this can vary depending on the best practice framework, if any, that was used in their design. Common best practice frameworks used are ISO 27001 and NIST 800-53.

  • Information Security Governance
  • Risk Management
  • Compliance
  • Incident Management
  • Security Operations
  • Vulnerability Management
  • Acceptable Use
  • Identity Management
  • Security Architecture
  • Network Security
  • Application Security
  • Business Continuity

The documents generally contain policy statements, which set the direction and overall organizational position on a domain of security; standards, which are the requirements that further define this position; and optional requirements, which are defined as guidelines.

Security Program Documentation: Procedures and Processes

Another common suite of documentation is the documented security procedures and processes for common responsibilities of the security program.

Common process and procedure documentation will be in the following areas:

    • Security Program Management
    • Security Operations Management
    • Risk Management
    • Vulnerability Management
    • Incident Management
    • Security Policy Management
    • Compliance Management
    • Training and Awareness

Need a solid Information Security foundation in your organization? Let us know how we can help

Mike Gentile, President and CEO of CISOSHARE and author of the CISO Handbook and CISO Soft Skills, has been building information security programs for more than 20 years. He has built, in a full-time or consulting role, more than 100 information security programs across every industry in both private and public environments.

His first book, the CISO Handbook, was one of the first published works to provide a step-by-step methodical approach to building a security program. This methodology is used as courseware in many advanced teaching organizations on security leadership and has been implemented in thousands of organizations around the world.

Security Program | What Does it Look Like in the Common Organization?

Security Program in Common Organizations

Let’s begin with what is the difference between using the term cyber versus information security program. There is absolutely no difference other than the term “Cyber Security Program” is becoming more popular than “Information Security Program”.

People like me who have been in this game for a long time often still use “Information Security Program” as a force of habit. The rest of this article series will use the term “Cyber Security Program” as a testament that even old dogs can learn new tricks.

So What Does a Security Program Look Like in the Common Organization?

A cyber security program is a system for protecting the confidentiality, integrity, and availability of information within a business…

If you were to walk into an organization and ask “Hey, where is the cyber security program?” you would most likely get this answer:

Organizational Group Definition of a Security Program

It is the group within the organization that is charged with the task of managing security. Already this answer gets confusing, though, because in most organizations there are generally two groups, which may or may not be related, that will call themselves the security group.

  1. Physical Security Group: The first security group will be charged with protecting the physical building and the people within it. Essentially, the security guards.
  2. Information Security Group: This group (note it is still not called the cyber security group in most organizations… yet) will be charged with protecting the information within an organization. Our focus for the rest of this series is this group, or the one that will be responsible for the cyber security program. Once you have found the group, the next piece will be to understand who is generally charged with running this group in the common organization.

Who Leads the Information Security Program Group in the Common Organization?

In most organizations, the information security program will be led by the Chief Information Security Officer, or CISO. This job is often also called the manager, deputy director, director, or vice president of information security.

Other Common Information Security Group Roles

You have found the group and its leader, and you are ready to understand some common roles on the cyber security team. Here goes:

Security Architect – This role is generally charged with managing the technical preventive and detective safeguards and how they interoperate with each other within an organization. Preventive safeguards prevent security events from happening while detective safeguards detect when security events occur. Locks on doors are an example of a preventive safeguard while video recording is an example of a detective one. A security architect is generally charged with managing how these safeguards all work together to meet security program objectives.

Security Engineer – While security architects operate at the forest level, security engineers operate at the tree level. They are responsible for managing and operating a specific preventive or detective technology.

An example would be the management of a firewall or logging technology. To learn more, see a recent article published on the Channel Co, in which I discussed in detail the Top 5 Tips for any Security Technology Purchase.

Security Analyst – A security analyst is commonly responsible for managing research and the performance of common tasks associated with security processes. We will discuss these processes more in the future, but for reference, they are common items like the risk, incident, security policy, or vulnerability management processes.

Alright, hopefully this gets you moving in the right direction with understanding what a cyber (information) security program is. In the next article in this series, we will look at the common documentation found in the common cyber security program.

European Union Regulations: The New European Union (EU) Data Protection Regulations & Procedures [VIDEO]

The New EU Data Protection Overview

The objective of this document is to give a high-level overview of the new rules and regulations surrounding the newly passed European Union (EU) General Data Protection Regulation (GDPR).

This new regulation is replacing the 20-year-old directive (95/46/EC)…

All Companies Must be in Compliance with EU’s General Data Protection Regulation

Keep in mind that from May 25, 2018, companies that are not in compliance, or that suffer a data breach while not in compliance, can be fined up to 20,000,000 EUR or 4% of the total worldwide annual turnover of the preceding year, whichever is higher.

The GDPR does not only require EU companies to comply; it also requires any business worldwide that holds data about an EU resident to follow the regulation, and it protects people in the EU even if they are not citizens. A company employing vendors must ensure those vendors are also in compliance, or both can be fined.

Privacy Shield certification no longer brings your business into compliance with the new GDPR.

The New EU Data Protection Regulations

  • Even where sharing is allowed, the new EU regulation prohibits personal data from being transferred outside the European Economic Area (EEA) unless the data controller ensures an adequate level of privacy protection. If data is stored on a cloud service, make sure it is not being sent to, stored in, or moved between facilities in a foreign location, as this would be a violation. Encrypting data before it enters the cloud can protect you, by showing that the controller took the necessary steps to “meet the individual’s reasonable expectations of data privacy” in the case of data loss.
  • Each company (or corporate group) will have one national Data Protection Agency (DPA) as its lead regulator to ensure it is in compliance. The lead DPA will be required to communicate with the other DPAs whose citizens are affected. Most importantly, the Regulation creates an entirely new super-regulator in the form of the European Data Protection Board, which will give guidance and will oversee the resolution of disputes among the national DPAs.
  • There are two new categories of data, genetic and biometric data. These fall under the “sensitive” or “special” classifications, which also include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life and sexual orientation. Pseudonymized data remains personal data, but pseudonymization is viewed as a highly recommended risk-reduction technique.
  • Consent given in a contract is not valid if the data owner is required to consent to uses of his or her personal data that are not necessary for the contract or service. This will have a significant impact on “free” apps and other services that rely on users’ data to pay for the cost of providing the app or service. Different types of data require separate consent.
  • Companies have 72 hours to report a data breach to the DPA unless the data controller can demonstrate “that the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.” Individuals must be informed that their data has been compromised “without undue delay if the personal data breach is likely to result in a high risk” to their “rights and freedoms.”
  • Having and enforcing internal data protection policies and procedures is a requirement, and companies may need to present this information in the event of an incident. All data breaches and the investigations that follow them must be documented.
  • Companies must appoint a Data Protection Officer if their primary activity consists of processing operations that require regular monitoring of data on a large scale, or of processing large groups of data that fall under a special category, such as “data relating to criminal convictions and offenses.”
  • People can now request that their data be erased if:
  1. The data is no longer useful, or is no longer being used in the manner for which it was originally collected.
  2. The information owner has withdrawn his or her consent.
  3. The person objects to the collection or processing of his or her personal data.
  4. The organization processing the personal data is not in compliance with the GDPR.
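The list above names pseudonymization as a recommended risk-reduction technique and the right to erasure as a new obligation. As an added example (not code from the original article), the following Python shows one way a controller can pseudonymize a direct identifier with a keyed HMAC-SHA256, keep the re-identification mapping separate from the working dataset, and honour an erasure request by removing both the subject's rows and the mapping entry. The sample records, the field names, and the key are constructed for illustration; the point it makes is that the pseudonymized dataset is still personal data, because anyone holding the key and the mapping table can re-identify it.

```python
import hmac
import hashlib
import secrets

# Constructed sample records standing in for a customer table (not real data).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "country": "DE", "plan": "pro"},
    {"email": "bob@example.com", "country": "FR", "plan": "free"},
    {"email": "alice@example.com", "country": "DE", "plan": "pro"},
]

# Fields that directly identify a person; these never leave the controller in clear.
DIRECT_IDENTIFIERS = ("email",)


def generate_key() -> bytes:
    """Secret pseudonymization key, held only by the controller (constructed here)."""
    return secrets.token_bytes(32)


def pseudonymize_value(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the identifier.

    A plain unkeyed hash of an e-mail address is weak, because the input space
    is small enough to guess and re-hash. With a secret key, the same input
    still maps to the same pseudonym (so joins and de-duplication keep working),
    but nobody without the key can recover the original value.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record with every direct identifier replaced."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = pseudonymize_value(out[field], key)
    return out


def pseudonymize_dataset(records, key: bytes) -> list:
    """Pseudonymize a whole dataset; this is what analysts or vendors receive."""
    return [pseudonymize_record(r, key) for r in records]


def build_reidentification_table(records, key: bytes) -> dict:
    """Controller-side mapping pseudonym -> original identifier.

    Kept apart from the pseudonymized dataset and under stricter access control;
    its existence is why pseudonymized data is still personal data under the GDPR.
    """
    table = {}
    for r in records:
        for field in DIRECT_IDENTIFIERS:
            if field in r:
                table[pseudonymize_value(r[field], key)] = r[field]
    return table


def reidentify(pseudonym: str, table: dict):
    """Resolve a pseudonym back to the person; None if unknown or already erased."""
    return table.get(pseudonym)


def erase_subject(pseudonymized_records, table: dict, email: str, key: bytes):
    """Right to erasure: drop the subject's rows and the mapping entry.

    Returns the remaining dataset and the reduced mapping table.
    """
    pseudonym = pseudonymize_value(email, key)
    remaining = [r for r in pseudonymized_records if r.get("email") != pseudonym]
    reduced_table = {k: v for k, v in table.items() if k != pseudonym}
    return remaining, reduced_table


if __name__ == "__main__":
    key = generate_key()
    dataset = pseudonymize_dataset(SAMPLE_RECORDS, key)
    table = build_reidentification_table(SAMPLE_RECORDS, key)
    print("pseudonymized:", dataset)
    print("re-identified first row:", reidentify(dataset[0]["email"], table))
    remaining, table = erase_subject(dataset, table, "alice@example.com", key)
    print("after erasure:", remaining, "mapping entries:", len(table))
```

Two design choices matter here: the key is the only thing that turns a pseudonym back into a person, so it is generated and stored separately from the dataset, and an erasure request must touch both the data and the mapping table, since leaving the mapping in place would let the subject be re-identified from any copy of the dataset that survives.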

How Does the New EU Data Protection Regulation Impact Companies?

For companies holding information about individuals who reside in or are citizens of the EU, this new regulation will directly affect the information security side of the business. Both the company and its vendors must be in compliance, or they will incur substantial fines in the event of a data breach. Policies and procedures need to be updated to match the new regulation and its required procedures, and the company must ensure those processes are actually taking place.