The Role and Function of the CISO

Chief Information Security Officer

The role of the Chief Information Security Officer (CISO) is a common one within the world’s largest organizations, with some reports showing that 90%+ of the Fortune 750 have a CISO. However, most organizations below this level lack a designated CISO or even an IT security lead. Like many corporate titles, it carries various responsibilities depending on the industry, the size of the company, and the reporting structure. As with most management roles, the smaller the company, the broader the responsibility. A generally accepted definition of the role of CISO is:

    The Chief Information Security Officer (CISO) is the senior-level executive within an organization responsible for establishing and maintaining the enterprise’s strategy and programs to ensure information assets are adequately protected. The CISO directs staff in identifying, developing, implementing and maintaining processes across the organization to reduce information and information technology (IT) risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of policies and procedures.


What is the landscape a CISO is dealing with today?

The responsibilities of a security leader are more complex today than ever before in the history of IT. There are truly more moving parts than an entire team can handle. And the reality is that few companies, even in the Global 500, have more than a handful of dedicated security personnel. So what are some of the obvious trends that security leaders deal with in this fast-paced, IT-dependent world we live in:

    • Complexity has been the enemy of security, while confusion has been the enemy of compliance; both continue to increase
    • The threat landscape is changing so rapidly that a focused team of security experts must be leveraged to be effective
    • Threat vectors originate globally, and intelligence is achieved from a broad view across hundreds of enterprises
    • The bad guys have no rules
    • Threat motivations have evolved to encourage more talented player participation with more sophisticated tools
    • Evidentiary identification of the impact of a compromise is increasingly required
    • Mobility, personally owned devices used for business, privacy, and other trends are driving the need to focus security controls beyond the historical perimeter
    • Experts all agree that if an organization is targeted, it is only a matter of time before a breach, so mitigation planning has become a top priority

… Yet the ultimate cost of failure often has no bounds, and the CISO is often the primary target for finger-pointing.

Typically, the CISO (or the Corporate CISO in large organizations) is responsible for security across the entire enterprise. Core responsibilities include:

    • Information Technology (IT) security and information assurance, inclusive of the integrity, availability and confidentiality of information (cybersecurity)
    • Overall technology evaluation and selection to meet the agreed-upon security architecture plan
    • Management of IT security systems and applications (MSSP, SIEM, VMS, LMS, 2FA, etc.)
    • Management of security staff and the Security Operations Centre (SOC)
    • Security and Business Continuity and Disaster Recovery Planning (BCDR)
    • Authentication, identity and access management
    • Perimeter, system, and application vulnerability management
    • Information Technology (IT) and business process risk management (supply chain, financial systems, etc.)
    • Computer Emergency Response Team (CERT) / Computer Security Incident Response Team (CSIRT)
    • IT investigations, digital forensics, and eDiscovery
    • Communication of situational status to corporate Public Relations (PR) when security events occur

Often, and increasingly, the following roles are assigned to the Chief Compliance Officer, Chief Privacy Officer, or Chief Regulatory Officer, but if those positions do not exist, these responsibilities also fall to the CISO:


Globally, the CISO role is on the rise. Organizations are constantly pressured by both customers and board members to add the role in order to stay competitive and demonstrate their focus on security, but most often the role in smaller organizations is based on the need to have an individual responsible for meeting compliance requirements. SAVANTURE can help your organization if you don’t already have a CISO by giving you access to experienced CISOs who have decades of experience managing information risk in large and small organizations. If your organization already has a CISO, SAVANTURE can provide them with access to resources that will help them be more efficient and effective at protecting the information assets in your organization.

Drop us a quick email and we can give you a call back and provide you more details on our services or answer any questions you may have.


We are SAVANTURE. We can help you.
  • SAVANTURE services are best in class and provide the most optimal cost/performance solution in the marketplace, allowing you to focus on your business
  • Best-in-class offerings allow us to protect your revenue, reputation and regulatory compliance better than any other solution in the marketplace
  • Flexibility in deployment methods allows a low-cost entry option, while the breadth of services allows you to increase your protection logically over time as threats change and regulatory requirements evolve
  • SAVANTURE allows you to leverage best-in-class point solutions or take advantage of SAVANTURE’s Genesis5 platform

Ease of deployment and ease of use, while always being cost-effective, reliable, and secure.

Contact Sales and we can answer any questions or get you started now.