Chapter 25
Cyber Competencies and the Cybersecurity Officer

Ron Hale, PhD, CISM, ISACA, USA

Tom and his team have journeyed through the discovery of the benefits and risks of the digital organization and have come to an understanding of how the organization will need to move forward in implementing an innovative and enabling cybersecurity program. This program needs to be organization focused and responsive to the changing threat landscape. To implement such an organization-wide program Tom needs someone with the right skills and attributes. The role of the CISO is not only one that requires a strong command of security technology. It is even more critical that the CISO be an organization contributor and organizational leader as well.

The Evolving Information Security Professional

As the need to protect information from compromise and misuse, and the capabilities of hackers, have changed over the years, so too have the role and responsibility of information security professionals. The role that is perhaps experiencing the greatest change is that of the chief information security officer (CISO). In the early days of what was initially called data security, there was little need for someone to lead protection activities. Security was mainly a matter of maintaining access lists within products such as RACF, Top Secret, or ACF2. While technical staff responsible for these systems might have been given a security-specific title, they were part of the information technology (IT) department, indistinguishable from other technical specialists within that group.

As information systems evolved from megalithic mainframe computing to a distributed model, leveraging the power of networks, personal computers, and client-server architectures, the need for dedicated information security specialists became evident. It was no longer sufficient to define user permissions in the access control system software. It was now necessary to specialize in areas such as risk management, protection architectures, application security, and incident response to meet organization needs arising from the increased complexity of the information systems environment. It was even more important to have a leader who not only had broad knowledge of the various technical focus areas within an information security program, but who could also drive the security strategy and align it with the goals and priorities of the organization.

Information systems have become more distributed and at the same time increasingly integrated into organization processes. Attacks are common, attackers are more sophisticated, and the damage resulting from incidents is escalating. Attackers have evolved from lone individuals who in the early days were mainly interested in exploring systems, to sophisticated cybercriminals, terrorists, and agents of nation states. Attacks have evolved from Web page defacements to now include cybercrime, where the objective is financial gain or market advantage. Interest in information security has risen to the board level, where cybersecurity is among directors' top concerns. With heightened risk and a need for greater visibility into information security, the chief information security officer (CISO) has become a necessary role. The CISO is often not only a technical specialist but also the organization lead managing the complexities of a program that is an essential part of enterprise and operational risk management.

The Duality of the CISO

There are two sides to the CISO: the technical specialist and the executive strategist. Both roles are equally important, as the CISO must understand both the necessary cybersecurity products and how to implement them in line with the organization’s overall strategy and objectives.

Technical Specialist

Obviously, to lead the information security organization, the CISO needs to be well versed in security concepts and strategies and in the products that are a core part of a protection architecture. The CISO needs to be a technical specialist who knows the nuts and bolts of information and cybersecurity and who can address the broad requirements and technical aspects of the security program. Much of this domain-specific craft knowledge is encompassed in the common body of knowledge defined by the International Information System Security Certification Consortium, or (ISC)². As the information security profession was forming, it became evident that there needed to be some way to distinguish accomplished and capable professionals from those who did not have the knowledge or experience required to be an information security professional. A group of distinguished practitioners came together to form (ISC)² and to develop the taxonomy of knowledge that was immediately accepted as the knowledge base of the profession. In 1994, the common body of knowledge was created and became the basis for the Certified Information Systems Security Professional (CISSP) certification. This body of knowledge undergoes an annual review to ensure it remains current and that it reflects existing technical knowledge requirements for information security professionals. The common body of knowledge encompasses eight domains¹:

  1. Security and Risk Management
  2. Asset Security
  3. Security Engineering
  4. Communications and Network Security
  5. Identity and Access Management
  6. Security Assessment and Testing
  7. Security Operations
  8. Software Development Security

Executive Strategist

While an understanding of the technical specializations necessary for an effective information security program is essential, there is also a critical need for practitioners to understand the organization and how information security supports organization growth and development. The security practitioner needs to be able to work as an essential part of enterprise and operational risk management. This is particularly true for the CISO, who, as the chief executive representative of information and cybersecurity within the organization, needs to be able to support the organization and integrate the security program into the strategic initiatives and operational activities of the organization.

A 2016 study by executive recruiter Korn Ferry identified that 80 percent of CISOs say their jobs have a very high visibility and accountability orientation, which is higher than for other managers at the same reporting level. The researchers identified that more CISOs are reporting outside of the traditional IT structure. Instead, there is an increasing trend for the CISO to report with a more strategic orientation, to organization leaders such as the head of risk management, the general counsel, the chief operations officer (COO), or the CEO. This strengthens the position of information security as an organization-critical service rather than a technology specialization within IT.

The evolving orientation of information security has resulted in a change in expectations as to what skills and expertise the security lead in the organization must have. It is no longer enough to be only a strong technologist. It is becoming more critical that the CISO understands how to address technical information protection requirements from the perspective of an organization strategist. Table 25.1 identifies the key attributes required for CISOs as identified in the Korn Ferry research.²

Table 25.1 Key Attributes for Information/Cybersecurity Executives

Competencies
  • Strategic, global thinker (sees big picture)
  • Thinks outside the box
  • Analytical (digs deeply into issues)
  • Possesses “business savvy” (understands how information is used in daily operations)
  • Balances competing priorities
  • Communicates and influences broadly (board, senior management)
  • Attracts, builds, and leverages talent

Experience
  • Depth of technical experiences
  • Understands evolving regulatory and legal environment
  • Has (successfully) dealt with/handled security incidents in the past

Traits
  • Learning agile (can adapt to the new and different)
  • Flexible
  • Tolerance for ambiguity
  • Intellectually curious
  • Bias for action

Drivers
  • Seeks high visibility and accountability roles
  • Strives to be agents of change (not agents of “no”)
  • Must “thread the needle” to balance driving change with managing enterprise risk
  • Pursues close engagement with organization leaders (works to add value)

Source: With the kind permission of Korn Ferry USA.

Job Responsibilities and Tasks

To identify the specific accountabilities, responsibilities, knowledge requirements, and skills that are necessary for those who lead information security programs, ISACA conducts periodic job task assessments. These global assessments bring together empirical data gathered from CISOs as well as insights from industry leaders and subject experts to define the CISO position in terms of the tasks performed and the knowledge required in this role. These are the basis for the Certified Information Security Manager (CISM) certification, which has been offered by ISACA since 2003.

According to the most current research conducted by ISACA, the CISO as an organization executive needs to have broad professional capabilities that can be summarized in terms of the following four task and knowledge domains:

  1. Information Security Governance
  2. Information Risk Management and Compliance
  3. Information Security Program Development and Management
  4. Information Security Incident Management³

Information Security Governance

As the lead for information security governance in the organization, the CISO establishes and maintains a framework and supporting processes that ensure that the information security strategy is aligned with organization goals and objectives. This governance framework supports overall governance activities within the organization and contributes to efforts to ensure that information risk is appropriately managed and that information security program resources are managed responsibly. Within this governance responsibility, the CISO is responsible for defining the goals and objectives of the security program, aligning them with organizational goals and objectives, and developing and implementing the policy, procedures, and guidelines required as part of the program. As the champion for information security within the organization, the CISO seeks to gain organizational support and commitment for the security program at all levels within the organization. As a contributor to the organization’s ability to manage information and technology risk, the CISO identifies external influences on the organization (e.g., technology, organization environment, risk tolerance, geographic location, legal and regulatory requirements) to ensure that these factors are addressed by the information security strategy. The CISO will also establish, monitor, evaluate, and report metrics to provide management with accurate information regarding the state of risk, the impact on the organization, and the effectiveness of the information security strategy.

To be the lead for information security governance and to integrate this into the overall governance structure of the organization, the CISO has certain knowledge requirements. These include:

  • The fundamental concepts of governance, how they relate to information security, and the relationship between information security and organization goals, objectives and functions.
  • Methods to implement the security governance framework.
  • Internationally recognized standards, frameworks, and best practices.
  • Strategic budgetary planning and reporting methods.
  • Methods to obtain commitment from senior management and support from other stakeholders.
  • Organizational structures and lines of authority.
  • Methods to select, implement, and interpret metrics.

Information Risk Management and Compliance

The second area of CISO professional competence involves information risk management and compliance. This area of expertise is focused on the management of information and technology risk. The CISO is responsible for integrating information risk management into organization and IT processes and for promoting consistent and comprehensive information risk management processes across the organization. This can include establishing and maintaining processes for information asset classification to ensure that measures taken to protect assets are proportional to their organization value. The CISO ensures that risk and vulnerability assessments are conducted periodically and develops risk treatment plans and programs to manage risk to acceptable levels. The CISO also evaluates controls to determine if they are appropriate and effective and monitors risk to ensure that changes are identified and managed. When there is a gap between current and desired risk levels, the CISO reports it and will develop or assist in developing and implementing needed changes. In the compliance role, the CISO identifies legal, regulatory, organizational, and other compliance requirements, and builds programs to ensure continued compliance. While the CISO has these responsibilities, depending on the organization structure some accountability may be shared with other organization executives, including the chief risk officer.

To accomplish their risk management responsibilities, the CISO has certain knowledge requirements. These include:

  • Information asset classification and valuation methods.
  • Risk and vulnerability assessment and threat analysis methodologies.
  • Legal, regulatory, organizational and other requirements for information security.
  • Sources of information regarding emerging threats and vulnerabilities.
  • Risk assessment and analysis methods.
  • Risk treatment strategies and methods and how to apply them.
  • Security controls and countermeasures.
  • Control baseline modeling and its relationship to risk based assessments.
  • Risk reporting, monitoring and review requirements.
  • Techniques for integrating risk management into organization and IT processes.
  • Maturity-gap and other gap analysis techniques.
  • Security controls and countermeasures and the methods to analyze their effectiveness.

Information Security Program Development and Management

A major part of the CISO’s responsibility is the development and management of the information security program. As part of this responsibility, the CISO needs to align and integrate the security program with other organization functions and ensure that the program advances the information security strategy. The security architecture, which integrates the program elements addressing people, process, and technology, forms the basis for the security program. Since security is part of everyone’s responsibility, the CISO leads awareness programs to ensure security becomes part of the organizational culture. As an organization unit leader and representative of the security program across the organization, the CISO needs to measure and communicate the effectiveness and efficiency of the security program and provide periodic reports to executives and board members.

To accomplish these management responsibilities, the CISO has certain knowledge requirements, including:

  • Identify, acquire, manage and define requirements for internal and external resources.
  • Establish, communicate and maintain organizational information security standards, procedures, guidelines and other documentation to support and guide compliance with information security policies.
  • Establish and maintain a program for information security awareness and training to promote a secure environment and an effective security culture.
  • Integrate information security requirements into organizational processes.
  • Integrate information security requirements into contracts and activities of third parties.
  • Establish, monitor, and periodically report program management and operational metrics to evaluate the effectiveness and efficiency of the information security program.

Information Security Incident Management

The last area of expertise and action required of the CISO is that of the security incident manager. As cyber threats too frequently lead to security incidents, the CISO is responsible for developing and maintaining incident detection capabilities as well as the ability to expeditiously respond to limit damage and to return the organization to normal activities. To accomplish this increasingly critical activity, the CISO has certain knowledge requirements including:

  • Establish and maintain an organizational definition of, and severity hierarchy for, information security incidents.
  • Establish and maintain an incident response plan.
  • Develop and implement processes to ensure the timely identification of information security incidents.
  • Establish and maintain processes to investigate and document information security incidents.
  • Establish and maintain incident escalation and notification processes.
  • Organize, train, and equip teams to effectively respond to information security incidents in a timely manner.
  • Test and review the incident response plan periodically to ensure an effective response to information security incidents and to improve response capabilities.
  • Establish and maintain communication plans and processes to manage communication with internal and external entities.
  • Conduct post-incident reviews to determine the root cause of information security incidents, develop corrective actions, reassess risk, evaluate response effectiveness, and take appropriate remedial actions.

Conclusion

As information and information technology have evolved, and as they have become central to how organizations serve their market, the role of the defenders in information security departments has changed. Information protection professionals have evolved from having a minor technical role in administering access credentials to being at the forefront of defending information assets from misuse and compromise. The leader of information and cybersecurity activities has evolved from a technical specialist to the executive strategist responsible for the protection of organization assets and the domain expert for the board and executive management. While knowledge of information security technologies and techniques is important, it is increasingly critical that the executive CISO brings organization acumen and leadership qualities to this important position.

Notes

About ISACA

As an independent, nonprofit, global association, ISACA engages in the development, adoption, and use of globally accepted, industry-leading knowledge and practices for information systems. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves. Incorporated in 1969, ISACA today serves 140,000 professionals in 180 countries. ISACA provides practical guidance, benchmarks, and other effective tools for all enterprises that use information systems. Through its comprehensive guidance and services, ISACA defines the roles of information systems governance, security, audit and assurance professionals worldwide. The COBIT framework and the CISA, CISM, CGEIT, and CRISC certifications are ISACA brands respected and used by these professionals for the benefit of their enterprises.

About Ron Hale

Ron is an organization executive, scholar-practitioner, mentor, and thought leader with experience in executive management and in leading organizations in the governance and management of information and information technology, in particular as it relates to organization innovation and the protection of information. Over 30 years, as a senior practitioner and thought leader, he has helped organizations understand threats and risks related to information and information systems and how to build effective programs to govern and implement protection and recovery. As the chief knowledge officer for ISACA, he has led and contributed to the development of leading practice aids for practitioners and enterprises.
