The Chief Information Security Officer (CISO) of a company is becoming more and more important as cybersecurity threats increase in both frequency and reach. Every business needs to ensure that its CISO is not only concerned with security, particularly the security of its IT systems, but is also responsible for risk management throughout the company. This risk management should take into consideration all the possible threats that could affect the business, including those from internal agents as well as from external agents such as vendors.
What Does the CISO Role Entail?
It is important that the CISO is part of the C-level of executives in order to be able to liaise with and report to the leaders of a company, and to oversee the controls protecting the critical information and technology relating to the business as a whole. The CISO must be able to implement strategies to protect the sensitive data held by a company and to comply with any regulatory bodies that govern the security of that data.
Gone are the days when security encompassed only the installation of firewalls and data encryption. With the increase in sensitive data being held by firms the world over and the greater sophistication of cyber threats, a CISO not only has to protect information but also needs to manage the risks associated with processing that data. This has to encompass security measures within a company and those associated with normal business practices when dealing with external vendors.
What Are the Risk Management Issues?
Depending on the industry that a company is in, there are a number of dedicated standards and security regulations that need to be complied with. A CISO needs to be on top of both the security implications relating to any sensitive data their company controls and stores, and any risk management requirements that the applicable regulations stipulate. Whoever is responsible for the security of a company must make sure that those considerations include a clear focus on risk management.
For example, ISO 27001 is the international standard for information security management and prescribes the requirements for an ISMS (Information Security Management System). An ISMS is essential for effective risk management because it uses a defined set of processes, covering both technology and people, to help you protect and manage any sensitive information you hold within your company.
For businesses within the health industry, HIPAA (the Health Insurance Portability and Accountability Act) helps to standardize the way health information is used and stored, reducing fraud and abuse while still ensuring that individuals can transfer and retain health insurance even when changing jobs. It requires stringent security measures to protect any health data, and this includes safeguards implemented with a risk management approach.
NIST standards are used as a framework to help companies, particularly federal agencies, comply with the standards and regulations relating to their specific industries. NIST 800-53 in particular relates to security controls and lays out the staff responsibilities, including those of the CISO, that are needed to enable a successful CDM (Continuous Diagnostics and Mitigation) program.
What Risk Management Functions Should a CISO Consider?
Risk management needs to take into account all the possible problems that today’s IT systems face. This includes knowledge of any entry point that could allow a cyber-attack, and procedures that set out how to deal with one, so that critical systems can be operational again as soon as possible in the event of an incursion. The areas that should be considered include:
- Establishing Critical Systems and Data – In case there is a breach and the IT infrastructure is shut down, critical systems, networks and data need to be accurately identified in advance so that they can be the first to be restored.
- Protecting Against External Threats – These could come from cybercriminals gaining access directly into your systems or through any third-party vendors that a company works with. Security controls should be regularly updated and maintained on your systems and on those of your partners.
- Protecting Against Internal Threats – A chain is only as strong as its weakest link, which means that staff should be trained to be on the alert for cyber-attacks, and role-based authorization and multi-factor authentication should be implemented in order to protect network access.
- Continuous System Monitoring – Hackers do not work 9 to 5, and constant automated monitoring allows early notification when an incursion is detected, along with better preparation for identifying and repairing any vulnerabilities.
- Disaster Recovery and Business Continuity – If the worst were to happen, having strategies in place to recover critical systems and restore business continuity as soon as possible is essential to successfully managing the impact of a cyber-attack.
Reporting Considerations for a CISO
The post of CISO has only been in existence since 1994, originated by Citigroup in response to Russian cyber-attacks, and originally it was a role that reported to the CIO (Chief Information Officer). More recently, however, this has been flagged as a possible conflict of interest, because the CISO and CIO will have different priorities when it comes to purchasing and managing any assets related to the IT infrastructure. As it is such an important role for a company, it should be considered on a par with other C-level executives, with a reporting responsibility to the CEO (Chief Executive Officer) and the Board of Directors.
Reporting to the Board of Directors
While it may not seem essential in day-to-day business, corporate governance as it specifically relates to security, regulations and standards is an important part of a board’s responsibilities. In fact, some regulations and standards even specify corporate governance as a compliance issue.
Including board members in IT security discussions can be beneficial to both the CISO and the company as a whole, as it helps to assess all the risks and to create the appropriate management strategies to combat them. The board needs to be able to provide the necessary oversight and to advise on the issues in order to protect the company and the data it holds. The Sarbanes-Oxley Act (also known as SOX) regulates the responsibilities of corporate boards, and board members who do not comply can be fined or jailed.
Additional Help for CISO Duties
The security and risk management of a large company can be onerous for a CISO and their team. There is, however, automated software that can assist in assessing risk and offer advice on streamlining many security processes. Such tools take into account many of the risk management issues that a CISO has, including the internal concern of role-based authorization and the external concern of vendor management, in order to restrict sensitive data from being accessed inappropriately.
The extensive reporting capabilities of this type of software can also save time when specific information is required by the Board of Directors or by internal and external auditors. Its thoroughness can even speed up audits, because automated information gathering lets auditors reach their conclusions much faster when they have all the information at their fingertips, saving time and money.
Ken Lynch, The CISO’s Role in Risk Management, October 17, 2018