Monday, February 12, 2024

The Role of the Chief Information Security Officer (CISO)

There is a great deal of discussion of late about the liability of the Chief Information Security Officer for security breaches.  It seems to me that the biggest problem with the CISO role is a misunderstanding of what that role is.  CISOs are staff, not line.  They are not responsible for security; line managers are.  They are not responsible for preventing breaches; line managers are.

They are responsible for recommending the expression of enterprise risk tolerance and security policy but not for setting them; that is a governance decision to be made by the board of directors.  They are responsible for articulating strategy but not for adopting or implementing it.  They are responsible for coordinating implementation of strategy across functions and departments. They are responsible for recommending essential and efficient security measures but not for implementing them.  They are responsible for recommending standards, for measuring against them and reporting on them but not for complying with them.  They are responsible for measuring enterprise IT risk and for reporting on it to general management. 

The wise CISO negotiates his success before taking the job.  When his recommendations are not adopted, he documents the risk, asks the responsible line manager to sign the risk acceptance document, records the risk acceptance, and asks that the decision be revisited annually or when there is a change in responsible management.  

1 comment:

  1. 100% ... but will that type of CISO ever be hired? Organizations really want CISOs to be the maid, the pool boy, the dry cleaner, and the live-in contractor.
