6

The company I work for (kind of a startup) can't afford a full-time chief information security officer (CISO). So the boss is asking the security-aware people in the team to work together to do a CISO's job. And I don't think we will have any budget for that.

The thing is, we all have a security-related background and know some stuff, but don't really know where to start, nor where to go after that.

We do know we should:

  1. Document ourselves on methods and best practices, and set goals
  2. Assess the needs of our organisation and the risks
  3. Define a security policy
  4. Apply the security policy
  5. Promote security awareness throughout the company
  6. Check that the policy is being respected
  7. Report directly to the CEO (and not, traditionally, to the CIO)
  8. Adapt the policy with growth and business: back to point 2.

What we need are the exact steps, contents, things to look for, things we may not think of. Basically, a complete guide to doing a CISO's job.

We found and read through several resources, often complementary, sometimes contradictory, but never complete. So we don't really know what we are missing. It seems like a lot of work, but we believe that if the knowledge is correctly gathered and the methods defined, we would be able to succeed in doing this, while staying motivated and, above all, doing it right.

It's maybe a lot to ask, but can someone help me with that?

schroeder
Bytemare

2 Answers

6

As someone who has overseen a number of shared CISOs and sold organisations on the need for someone in this role, I can tell you that the problem is that each organisation has different needs and different expectations of a CISO. Some expect operational support, some require a dedicated risk expert, and some just want a Board-level representative of the security function who acts as a translator.

The core goal for the organisation is to know the risks, manage and monitor the risks, and communicate the risks to the organisation and any stakeholders. The CISO needs to think about the risks that the organisation cannot.

As an addition, the CISO should be able to lead the security function, the risk function, and/or the regulatory function of the business. But the expectations here are up to the organisation.

Deloitte has its "Four Faces of the CISO", which is a pretty good guide for what a CISO should be:

CISOs continue to serve the vital functions of managing security technologies (technologist) and protecting enterprise assets (guardian). At the same time, they are increasingly expected to focus more on setting security strategy (strategist) and advising business leaders on security’s importance (advisor).

So, there is no set list of "things to do" for a CISO. There is a long list of things that need to be done, but you do not need a CISO to do them. For that, grab a framework (ISO 27001, NIST CSF, Cyber Essentials, etc.) and start the work. Your list in your question is a small set of things to tackle, but a good list.

schroeder
  • I would add that which framework you should pick depends on which country and which industry you are in or aspire to be in. For example, if you are in the USA: secure industry, go with NIST RMF; critical infrastructure, go with NIST CSF; etc. – fpmurphy Jun 10 '18 at 04:30
  • Thank you for your answer! Even though it is not the answer I expected, it is actually the answer I needed. We'll try to follow the frameworks to do the things that need to be done. Thanks again! @fpmurphy1 thank you for completing :) – Bytemare Jun 18 '18 at 13:18
2

The ground-level requirements of a CISO vary from organization to organization, but the following is high-level guidance on the scope.

The CISO's scope is to provide vision and leadership for developing and supporting security initiatives. The CISO governs the planning and implementation of enterprise IT systems, business operations, and defense mechanisms against security attacks, breaches and vulnerability issues. The CISO is also responsible for auditing existing systems, while directing the administration of security policies, activities, and standards. The CISO is also responsible for the implementation of required security standards, compliance systems, audits, etc.

The CISO's job scope can be divided into the following major domains:

Security strategy planning and management: e.g. lead strategic security planning to achieve business goals by prioritizing defense initiatives and coordinating the evaluation, deployment, and management of current and future security technologies using a risk-based assessment methodology.

Security planning and deployment: e.g. identify the security needs of the organization and plan for the deployment of required security mechanisms, standards, operational practices, etc.

Security operations: e.g. manage the administration of all computer security systems and their corresponding or associated software, including firewalls, intrusion detection systems, cryptography systems, and anti-virus software.

Management reporting: e.g. act as the origination point for management reporting in terms of security-related reports, dashboards, risk register, etc.

Sayan
  • Thank you @Sayan! I had to choose between both answers, and while yours helps me a lot with your examples, the other completes it. Your answer gives us a greater view of the different domains to effectively cover. – Bytemare Jun 18 '18 at 13:20