Information security – who leads the charge when a full time role isn’t the answer?
In this article, we look at a scenario where responsibility for information and cyber security can fall between the cracks and offer advice on how to ensure this doesn’t happen.
So, what’s the crack?
There are a huge number of organisations where the role of Chief Information Security Officer ("CISO") is assumed by, or conferred upon, an individual who does not carry that title. In many cases this is an unspoken arrangement: ask three people from the same business who they think performs the role and you may well get three different answers.
The characteristics of the CISO role, such as its title, what the role demands, and who fulfils it, can vary. But if your business carries any level of information security risk, you will need someone in the Chief Information Security Officer role.
Allocating the role of CISO is a key step in driving good information security, and businesses should make sure they properly communicate what is expected as part of that assignment.
If opting for a non-dedicated internal resource, we recommend that you take time to set targets and KPIs and, where applicable, make the necessary amendments to employment contracts to reflect the individual’s wider responsibilities.
External providers should already have done the hard graft for you and will have suitable contractual documentation that sets out what they deliver. Business leaders still need to satisfy themselves that the contract is fit for purpose, however.
But our IT team takes care of all of this, don’t they?
This is so important, and yet so many organisations get it wrong. While often closely connected, Information Security management is very different to IT management. Even though the skill sets required of each may overlap, individuals in each discipline should be focused on achieving very different, sometimes conflicting, outcomes: IT is typically measured on availability, delivery and cost, whereas the security function is measured on how well risk is identified and reduced, and the two can pull in opposite directions when, for example, a change is needed quickly but has not been assessed.
Ok, check. We now have a CISO.
Great, now that you have assigned the role, your responsibilities (and accountabilities) are even greater. You now need to empower your CISO to deliver what you want them to achieve. First and foremost, that means having an appropriate understanding of the role yourself (nudge: if you are not sure, we are here to help).
What does empowerment look like?
This list is by no means exhaustive, but here are our pointers:
1. Communicate their role throughout the business, and be clear on what it means
Everybody should be aware that the business has appointed a CISO, and they should be clear as to what it means for each of them.
It does not mean that there is someone to point at if something goes wrong (Information Security is everyone's responsibility); it means there is now someone responsible for helping them drive good information security across every facet of the business's day-to-day operations.
It does not mean that IT is suddenly going to be hamstrung; it does mean that IT now has a partner focused (at least in part) on helping them deliver their outcomes securely.
Communication of the role to the business is key. Get it wrong, and you can mislead the individual, the stakeholders, or your whole business. Get it right, and you build a springboard for your newly appointed CISO.
2. Training and support
If you have assigned the CISO role internally as part of a wider job function, it is very likely that the individual you have assigned it to will need appropriate training. Many businesses look at this as an additional cost. Turn this on its head – it is the smaller price you pay when not going external and not having someone dedicated to the CISO role. Support the person you have assigned the role to and give them all the training they need to succeed.
3. Access to budget and resources
Information and Cyber Security management is about the identification and treatment of risk. Often, the process of simply identifying risk puts a demand on resources. This may be in the form of a budget to fund a risk review in a specific or niche area or, more likely, in terms of time and investment from others in the business to help deliver risk assessments internally.
By definition, any treatment of risk other than acceptance is going to incur cost in some way. You are choosing not to accept the risk and so must do something about it: transfer it (for example through insurance), reduce its likelihood by implementing controls, reduce its impact, or avoid the activity that gives rise to it altogether.
4. The AA standard for senior leadership
OK, so we made the title up to fit the words, but the advice stands. Your CISO needs two things in respect of senior leadership: Access and Accountability.
And both are driven by one simple fact; that the Information and Cyber Security risks that your organisation faces belong to the organisation itself, not the CISO.
As a senior leader within that organisation, your CISO needs your guidance on how those risks should be treated. They can make recommendations that inform decisions taken at a senior level, or you can delegate the treatment decision to them within the resources you have made available (in practice it is nearly always a combination of the two). Ultimately, as a senior leader in the business, you remain accountable for the decisions made and for any consequences the business faces as a result.
The role of CISO (by the same or any other title) is critical to any organisation that wants to properly manage its Information and Cyber Security risk.
If you are a leader and need to understand more about your role in driving good information security, read our article called: ‘How business leaders can help drive good information security’.
If your organisation is in the situation outlined at the start of this article and needs assistance in Information and Cyber Security management, why not talk to us about how we could help? Get in touch at www.cyberlens.com/contact .