In the new digital world ‘’Data is the new gold’’. No matter what type of business that you run, Data is a valuable asset for your organisation. How good are you at protecting your “Gold”? Indeed, some people will argue that “You can have data without information, but you cannot have information without data”, which might lead us to think that Information is the new gold.
Your organisation inevitably stores a lot of sensitive information, how valuable are these information for you? And a very important question, who should be in charge of the security of these information?
While those questions are subjects of lot of debates, some organisations hire Chief Information Security Officers (CISO) to safeguard their wealth. In Mauritius, we already see some phenomenon happening and more organisation are following this trend.
If you are not familiar with the role of a Chief Information Security Officer, this article is for you. Here below are some areas of responsibility of a CISO, not not limit to them.
1. Compliance:
Compliance with the different Data protection regulations is one of the major challenges nowadays. Since the implementation of the GDPR, various organization have been fined due to non-compliance to the regulations. One might argue that this is the responsibility of the compliance officer, but a CISO will also be involved as regulations require technological measures, which is not necessarily a skill of compliance managers.
Tasks where the CISO will be involved:
· Develop the list of interested parties related to information security
· Develop the list of requirements from interested parties
· Remain in continuous contact with authorities and special interest groups
· Coordinate all efforts related to personal data protection
2. Documentation:
Documentation is probably one of the most painful tasks in the implementation of Information Security Measures. Indeed, all organization should have an information security policy, which its itself composed of various documents. The CISO should work in collaboration with the various concerned persons to draft the documents and most important, implement those policies.
Tasks where the CISO will be involved:
· Propose the draft of main information security documents. For example: Information security policy, Classification policy, Access control policy, Acceptable use of assets, Risk assessment and risk treatment methodology, Statement of Applicability, Risk treatment plan, etc.
· Be responsible for reviewing and updating main documents
3. Risk management:
Risk management is usually under the responsibility of a risk manager. However, as technology evolves, new threats known as cyber threats have appeared. Unfortunately, some risks managers are not updated of the newest developments and sometimes need assistance of the CISO to upgrade processes and train staffs.
Tasks where the CISO will be involved:
· Teach employees how to perform risk assessment
· Coordinate the whole process of risk assessment
· Propose the selection of safeguards
· Safeguards implementation
4. Human resources management:
Traditionally, human management is the responsibility of the Human resources manager. While the CISO will not be involved in the administrative parts such as registration with the tax authority or payment of salary, the CISO will sometime intervene on the background checks and surely assist on the training side.
Tasks where the CISO will be involved:
· Perform background verification checks of job candidates
· Prepare the training and awareness plan for information security
· Perform continuous activities related to awareness raising
· Performing induction training on security topics for new employees
· Propose disciplinary actions against employees who performed the security breach
5. Relationship with top management:
As most head of departments, the CISO will have a direct relation with top management of organisations. Due to the sensitivity and complexity of certain information, it is necessary that CISO report directly to the c-level.
Tasks where the CISO will be involved:
· Propose information security objectives
· Report on the results of measuring
· Propose security improvements and corrective actions
· Propose budget and other required resources for protecting the information
· Report important requirements of interested parties
· Notify top management about the main risks
· Report about the implementation of safeguards
· Advise top executives on all security matters
6. Improvements:
A CISO who does not propose improvement to existing Information Security Management System (ISMS), does not deserve the position. Indeed, with continuous apparition of new cyber threats and new methods of attacks, it is essential that ISMS are regularly updated and upgraded.
Tasks where the CISO will be involved:
· Ensure that all corrective actions are performed
· Verify if the corrective actions have eliminated the cause of nonconformities
7. Asset management:
Usually, assets management is under the responsibility of the IT department. However, some IT departments focus on the technological side (Laptops, telephone, mobile phone, desktop) and do not cater for assets such as drawers or other furniture that contains sensitive data. This is where a proper CISO will assist to improve the assets management.
Tasks where the CISO will be involved:
· Maintain an inventory of all important information assets
· Delete the records that are not needed any more
· Dispose of media and equipment no longer in use, in a secure way
8. Third parties:
Large organisations usually have an IT team which will study software and provide gap analysis to decide if the organization should change software or not. Unfortunately, sometimes risk assessment on the software provider is not properly conducted, which may lead to unexpected financial lost. A good CISO will perform those assessments.
Tasks where the CISO will be involved:
· Perform risk assessment for activities to be outsourced
· Perform background check for candidates for outsourcing partners
· Define security clauses that must be part of an agreement
9. Communication:
Since the Covid-19 pandemic, there was a shift in work system. Lot of companies adopted the work from home method, which was unfortunately followed by new methods of hacking. Even if the IT manager can endorse this responsibility, the CISO can also provide his input if not endorse full responsibility for this.
Tasks where the CISO will be involved:
· Define which type of communication channels are acceptable and which are not
· Prepare communication equipment to be used in case of an emergency / disaster
10. Incident management:
Incident management is probably the most sensitive task of a CISO. This particular exercise needs to master the whole Information Security policy. It requires an in-depth knowledge of procedures and knowledge to control the damage caused.
Tasks where the CISO will be involved:
· Receive information about security incidents
· Coordinate response to security incidents
· Prepare evidence for legal action following an incident
· Analyze incidents in order to prevent their recurrence
11. Business continuity:
Disaster recovery and other measures to ensure the business continuity is probably one of the most important aspect of information security. Even if an organization is highly secured, breach of information or disaster can happen. It is essential for organization to have back up plans and a team to coordinate the transition. The CISO is usually among this team, if not the leader.
Tasks where the CISO will be involved:
· Coordinate the business impact analysis process and the creation of response plans
· Coordinate exercising and testing
· Perform post-incident review of the recovery plans
12. Technical:
This is responsibility is relatively straightforward. The IT team is usually in charge of the technical side, but CISO are usually involves in the decision making process.
Tasks where the CISO will be involved:
· Approve appropriate methods for the protection of mobile devices, computer networks and other communication channels
· Propose authentication methods, password policy, encryption methods, etc.
· Propose rules for secure teleworking
· Define required security features of Internet services
· Define principles for secure development of information systems
· Review logs of user activities in order to recognize suspicious behavior
As you noticed, the areas of responsibility of a CISO is quite large. It tends to overlap with the responsibility of other departments such as risk, HR, IT, procurement and others. In fine, the role of the CISO is not to overshadow other departments but build synergy to develop a culture of security and improve the current system.
Unfortunately some organisations are limited in their budget and do not have the means to hire a CISO. Ascentrix Consulting can provide you with CISO and even DPO service. You can contact us for a free consultation. We will provide you an independent overview of your current system.