There is a great deal of discussion of late about the liability of the Chief Information Security Officer for security breaches. It seems to me that the biggest problem with the CISO role is a misunderstanding of what it is. CISOs are staff, not line. They are not responsible for security; line managers are. They are not responsible for preventing breaches; line managers are.
They are responsible for recommending the expression of enterprise risk tolerance and security policy but not for setting them; that is a governance decision to be made by the board of directors. They are responsible for articulating strategy but not for adopting or implementing it. They are responsible for coordinating implementation of strategy across functions and departments. They are responsible for recommending essential and efficient security measures but not for implementing them. They are responsible for recommending standards, for measuring against them and reporting on them but not for complying with them. They are responsible for measuring enterprise IT risk and for reporting on it to general management.
The wise CISO negotiates his success before taking the job. When his recommendations are not adopted, he documents the risk, asks the responsible line manager to sign the risk acceptance document, records the risk acceptance, and asks that the decision be revisited annually or when there is a change in responsible management.
100% ... but will that type of CISO ever be hired? Organizations really want CISOs to be the maid, the pool boy, the dry cleaner, and the live-in contractor.
One role that I did not suggest but which is being forced by events is that of public relations officer. In the event of a breach, the CISO will be expected to speak for the organization to the media. This is, at best, a very high risk role. On the one hand, the CISO may be in the best position to know what really happened. Speaking on such an event may make one appear to be responsible for something over which one has no control. Speaking early, before the facts are fully known, is a way to get into trouble.