WaterRide, posted September 19, 2016:
I love meeting other InfoSec professionals at other companies, as it opens my eyes to what their risk priorities are and how they educate their staff in good security behaviour, for example. Recently I met mates in one company where they do not have a CISO per se, rather a senior manager whom they report to. Do you think an explicit CISO role is needed? I would say "yes", as this person is an expert, has their team's interest at heart, and takes ideas and concerns to the senior managers. Also, one company had a CISO who is contracted from an external consultancy firm. Should a CISO be a permanent employee? As much as a CISO should bring knowledge, does having a contracted CISO bring potential conflicts of interest (especially if they are from a consultancy firm)?
0phoi5, posted September 29, 2016:
"By 2009, approximately 85% of large organizations had a security executive, up from 56% in 2008, and 43% in 2006." [Wikipedia]
http://www.infosecisland.com/blogview/21657-Do-You-Really-Need-a-CISO-to-Have-Security.html
"However, there can be no denying that having a single person (and/or team) accountable for information security, which more importantly the organisation knows is responsible for information security, will go a long way to providing an adequate level of direction during the management and control of infosecurity policies. While having a CISO or CIO in place will not guarantee security, without one, many large organisations will surely struggle with the general complexity of interconnected technical, physical and personnel related components that make up a complete infosecurity framework." - http://www.computerweekly.com/opinion/Security-Zone-Do-You-Need-a-CISO
I basically feel the same as the above quote.
j0k3r, posted November 1, 2016:
I think there is a ton of value in having a single person who is responsible for security. A CISO specifically tends to be a larger-company initiative. In my experience, CISOs range from a chief technical security engineer to someone on the legal or executive team who handles the compliance side of the shop. In our shop, we have two people who are in charge of security: a head of infosec on the engineering side and a CISO on the legal side. The head of infosec runs our security team, does red team/blue team activities, technical training, pen testing, development of defence tools, and so on. The 'CISO' handles compliance legalese, audit activities, customer security questionnaires, etc. Both are CISSP certified, but our head of infosec has the on-the-ground knowledge. I would also argue that a permanent employee has more of a vested interest than a contractor. You typically use a contractor to limit liability (you can sue/blame someone if something goes wrong). This is a double-edged sword, because ownership ultimately lies with those who profit or lose the most. If your goal is really to secure the organization and not just check off a box, my opinion is that a full-time leader is the way to go.
WaterRide (author), posted November 19, 2016:
On 11/1/2016 at 4:18 PM, j0k3r said: "I would also argue that a permanent employee has more of a vested interest than a contractor. You typically use a contractor to limit liability (you can sue/blame someone if something goes wrong). This is a double-edged sword because ownership ultimately lies with those who profit or lose the most. If your goal is really to secure the organization and not just check off a box - my opinion is that a full time leader is the way to go."
Your final quote is worthwhile, thanks. I guess it shows that a contracted CISO from a consultancy may benefit from us implementing certain products (e.g. getting a bonus or cut of the sale).
johnbell1, posted February 22, 2017:
The certified CISO (CCISO) software is the primary of its kind training and certification program geared toward producing top-level information security executives. 300-135 CISCO Exam dumps
michaelkrogstad, posted April 29, 2017:
This has been an interesting topic with security professionals in my area. In taking a brief review of titles in a top-5 US city which I live near and work in, the CISO title is, from what I have seen, dependent on two things: company culture and role at the board level. If the company culture doesn't see the need, then there is little likelihood of there being a CISO. I have also seen that the reporting line of CISOs or similar roles varies as well. Some report to the CIO, some to a CSO, some to Risk Management and some to Legal. Although the need for security professionals has been dramatically increasing, the importance has changed very little.