WaterRide

The CISO Role

6 posts in this topic

I love meeting other InfoSec professionals at other companies as it opens my eyes to what their risk priorities are and how they educate their staff in good security behaviour, for example.

Recently I met mates in one company where they do not have a CISO per se, rather a senior manager who they report to - do you think an explicit CISO role is needed?

I would say "yes" as this person is an expert, has their team's interest at heart and takes ideas and concerns to the Senior Managers.

Also, one company had a CISO who is contracted from an external consultancy firm - should a CISO be a permanent employee?

As much as a CISO should bring knowledge, does having a contracted CISO bring potential conflicts of interest (especially if they are from a consultancy firm)?

"By 2009, approximately 85% of large organizations had a security executive, up from 56% in 2008, and 43% in 2006." [Wikipedia]

http://www.infosecisland.com/blogview/21657-Do-You-Really-Need-a-CISO-to-Have-Security.html

"However, there can be no denying that having a single person (and/or team) accountable for information security, which more importantly the organisation knows is responsible for information security, will go a long way to providing an adequate level of direction during the management and control of infosecurity policies.

While having a CISO or CIO in place will not guarantee security, without one, many large organisations will surely struggle with the general complexity of interconnected technical, physical and personnel related components that make up a complete infosecurity framework." - http://www.computerweekly.com/opinion/Security-Zone-Do-You-Need-a-CISO

I basically feel the same as the above quote.


I think there is a ton of value in having a single person who is responsible for security. A CISO specifically tends to be a larger company initiative. In my experience, CISOs range from a chief technical security engineer to someone on the legal or executive team who handles the compliance side of the shop. In our shop, we have 2 people who are in charge of security - a head of infosec on the Engineering side and a CISO on the legal side. The head of infosec runs our security team, does red team/blue team activities, technical training, pen testing, development of defensive tools, and so on. The 'CISO' handles compliance legalese, audit activities, customer security questionnaires, etc. Both are CISSP certified but our head of infosec has the on-the-ground knowledge.

I would also argue that a permanent employee has more of a vested interest than a contractor. You typically use a contractor to limit liability (you can sue/blame someone if something goes wrong). This is a double-edged sword because ownership ultimately lies with those who profit or lose the most. If your goal is really to secure the organization and not just check off a box - my opinion is that a full-time leader is the way to go.

On 11/1/2016 at 4:18 PM, j0k3r said:

I would also argue that a permanent employee has more of a vested interest than a contractor. You typically use a contractor to limit liability (you can sue/blame someone if something goes wrong). This is a double-edged sword because ownership ultimately lies with those who profit or lose the most. If your goal is really to secure the organization and not just check off a box - my opinion is that a full time leader is the way to go. 

Your final quote is worthwhile, thanks. I guess it shows that a contracted CISO from a consultancy may benefit from us implementing certain products (e.g. getting a bonus or cut of the sale).


This has been an interesting topic with security professionals in my area. In taking a brief review of titles in a top 5 US city which I live near/work in, the CISO title is, from what I have seen, dependent on two things: company culture and role at the board level. If the company culture doesn't see the need, then there is little likelihood of there being a CISO.

I have also seen that the reporting of CISOs or like roles varies as well. Some report to the CIO, some to a CSO, some to Risk Management and some to Legal. Although the need for security professionals has been dramatically increasing, the importance has changed very little.
