The chief information security officer (CISO) holds a unique position in the organisation with responsibility for ensuring the protection of information and systems that are critical to the business. The CISO must walk a tightrope; if the security controls that are put in place are too stringent they could affect the effectiveness and efficiency of the business, too lax and the business will inevitably suffer a security breach.
The CISO therefore, first and foremost, needs to understand the business they are trying to protect, and should be able to identify information and systems that are critical to that business.
Information like any valuable asset needs to be identified and managed.
The CISO needs to understand the regulatory environment in which the business operates, and understand how this affects information that the organisation stores, modifies and shares.
The CISO needs to understand the range of controls that can be put in place to protect information's confidentiality, integrity and availability, no matter whether the controls are physical, regulatory, policy based or technological.
Perhaps most importantly the CISO must be able to influence people. This starts at the top of the business, ensuring that the board or top-level management understands the importance of information assurance and security to their business. All users who access information that the business own, or are custodians of, need to be guided and trained; and where necessary monitored and controlled, how this is done is the responsibility of the CISO.
The right technology needs to be purchased, buying the wrong firewall, the wrong intrusion detection system or the wrong security cameras will affect the security of information. The CISO needs to be able to calculate the return on investment of the technology that is brought, or programme that is embarked upon. This demands an understanding of the effectiveness of the measure that will reduce the threat posed to the organisation, and also, an understanding of the consequences of not making the investment.
The right policies and standards need to be put in place; the effectiveness of security can be undermined if incorrect policies and standards are used. It is the CISO responsibility to implement and monitor policy and standards to ensure that they are meeting any legal requirements and are effective against the current threats.
So in summary, the CISO must understand the business and the information assets and systems that are critical to it. The CISO must understand the threats to that information. The CISO must also understand the people that use the information and systems, and be able to influence their behaviour through the use of controls, training and communications. Finally, the CISO must be adaptable and dynamic, the threats posed to modern information systems come from many sources, and can range from the accidental deletion of a customer record to a state attempting to steal intellectual property, and the ability to respond to all of these threats will be critical to the survival of the business.
Mark Hutching is a technical consultant at QA.
Computing and QA Training's Securing Talent campaign aims to raise awareness of the growing need for people with cyber security skills in industry and government, and for clearer pathways into the cyber security profession.