
I love meeting other InfoSec professionals at other companies, as it opens my eyes to what their risk priorities are and how they educate their staff in good security behaviour, for example.

Recently I met mates in one company where they do not have a CISO per se, rather a senior manager who they report to - do you think an explicit CISO role is needed?

I would say "yes", as this person is an expert, has their team's interest at heart and takes ideas and concerns to the Senior Managers.

Also, one company had a CISO who is contracted from an external consultancy firm - should a CISO be a permanent employee?

As much as a CISO should bring knowledge, does having a contracted CISO bring potential conflicts of interest (especially if they are from a consultancy firm)?


  • 2 weeks later...

"By 2009, approximately 85% of large organizations had a security executive, up from 56% in 2008, and 43% in 2006." [Wikipedia]

http://www.infosecisland.com/blogview/21657-Do-You-Really-Need-a-CISO-to-Have-Security.html

 

"However, there can be no denying that having a single person (and/or team) accountable for information security, which more importantly the organisation knows is responsible for information security, will go a long way to providing an adequate level of direction during the management and control of infosecurity policies.

While having a CISO or CIO in place will not guarantee security, without one, many large organisations will surely struggle with the general complexity of interconnected technical, physical and personnel related components that make up a complete infosecurity framework." - http://www.computerweekly.com/opinion/Security-Zone-Do-You-Need-a-CISO

 

I basically feel the same as the above quote.


  • 1 month later...

I think there is a ton of value in having a single person who is responsible for security. A CISO specifically tends to be a larger-company initiative. In my experience, CISOs range from a chief technical security engineer to someone on the legal or executive team who handles the compliance side of the shop. In our shop, we have 2 people who are in charge of security - a head of infosec on the Engineering side and a CISO on the legal side. The head of infosec runs our security team, does red team/blue team activities, technical training, pen testing, development of defensive tools, and so on. The 'CISO' handles compliance legalese, audit activities, customer security questionnaires, etc. Both are CISSP certified, but our head of infosec has the on-the-ground knowledge.

I would also argue that a permanent employee has more of a vested interest than a contractor. You typically use a contractor to limit liability (you can sue/blame someone if something goes wrong). This is a double-edged sword, because ownership ultimately lies with those who profit or lose the most. If your goal is really to secure the organization and not just check off a box, my opinion is that a full-time leader is the way to go.


  • 3 weeks later...
On 11/1/2016 at 4:18 PM, j0k3r said:

I would also argue that a permanent employee has more of a vested interest than a contractor. You typically use a contractor to limit liability (you can sue/blame someone if something goes wrong). This is a double-edged sword because ownership ultimately lies with those who profit or lose the most. If your goal is really to secure the organization and not just check off a box - my opinion is that a full time leader is the way to go. 

Your final quote is worthwhile, thanks. I guess it shows that a contracted CISO from a consultancy may benefit from us implementing certain products (e.g. getting a bonus or a cut of the sale).


  • 3 months later...
  • 2 months later...

This has been an interesting topic with security professionals in my area. Taking a brief review of titles in a top 5 US city, which I live near and work in, the CISO title is, from what I have seen, dependent on two things: company culture and the role at the board level. If the company culture doesn't see the need, then there is little likelihood of there being a CISO.

I have also seen that the reporting line of CISOs or similar roles varies as well. Some report to the CIO, some to a CSO, some to Risk Management and some to Legal. Although the need for security professionals has been increasing dramatically, the importance given to the role has changed very little.
