The role of a CISO

I’m often asked what the responsibilities of a CISO or Head of Information Security are. Whatever the title, the remit of a security leadership role varies from organisation to organisation. At its core, however, every such role has one thing in common: it enables the business to operate securely. Protecting the company brand, managing risk and building customer trust by safeguarding the data customers have entrusted to you are key.

There are various frameworks that can help structure a security programme, but it is the job of the security leader to understand the business context and prioritise activities accordingly. I put the diagram below together (inspired by Rafeeq Rehman) to give an idea of some of the key initiatives and responsibilities you could consider. Feel free to adapt and tailor it to the needs of your organisation.

You might also find my previous blogs on the first 100 days as a CISO and developing an information security strategy useful.

Information security strategy

  • Security strategy definition, articulation and update
  • Capability maturity assessment
  • Identification of emerging risks
  • Security programme development and tracking
  • Assessing emerging technologies

Stakeholder engagement

  • Alignment with business and technology strategy
  • Communications plan
  • Leadership and staff updates
  • Coordination with Product, Engineering, Compliance and other teams

Security committee

  • Terms of Reference
  • Ensuring relevance of content
  • Member engagement
  • Material preparation (deck, minutes, etc.)

Reporting

  • Board reporting
  • Security Committee reporting
  • Metric selection, review and validation
  • Report tooling

Security project management

  • Current state assessment and improvement prioritisation
  • Activity planning
  • Supplier onboarding
  • Progress tracking and reporting
  • Coordinating product security improvements

Governance

  • Information Security Management System
  • Policy and procedure development and review
  • Roles, responsibilities and ownership

Risk management 

  • Risk assessment
  • Risk ownership and governance
  • Risk articulation and management review
  • Risk mitigation strategy
  • Risk acceptance process
  • Tooling for risk management / risk log maintenance
  • Emerging risk identification

Brand protection

  • Marketing and customer service engagement
  • Social media account security
  • Alignment with Legal

New business initiatives

  • New initiative identification and engagement
  • Security consulting for enterprise projects
  • Supporting international expansion

Operating model

  • Operating model development and review
  • Roles and responsibilities
  • Change management
  • Workforce planning and development

Finance

  • Business case for security improvements
  • Alignment with investment portfolio
  • Budgeting and tracking
  • Investor relations (funding, governance, etc.)

Mergers and acquisitions

  • Risk management
  • Due diligence
  • Secure integration

Physical security

  • Landlord services
  • Physical access control
  • Business continuity and disaster recovery planning
  • Health and Safety

Fostering a culture of security

  • Campaign planning and management
  • Security awareness
  • Targeted training
  • 1:1 coaching
  • Security champions
  • Phishing prevention measures
  • Tooling (e.g. eLearning)
  • Measuring and metrics
  • Continuous improvement

Data security

  • Data governance
  • Data ownership and custodianship
  • Data and process mapping
  • Data analytics security
  • Encryption and masking (in transit and at rest)
  • Access and storage of sensitive data
  • Data classification
  • Data retention and destruction strategy
  • Data loss channel identification (USB, email, SaaS)
  • DLP tooling selection and implementation

Vulnerability management

  • Identification and scoping
  • Approach to fixing vulnerabilities
  • Baseline verification
  • Metrics

Incident preparation 

  • Stakeholder engagement (Board, IT, HR, Legal, Communications / Marketing / Media relations, customers, suppliers) 
  • Runbooks for critical incident types (customer data breach, ransomware, etc.) 
  • Alignment with crisis communication plan 
  • Breach notification templates and customer notification strategy 
  • Incident coordination and response tooling 
  • Links to wider business continuity / communications strategy 
  • Response exercise / test

Incident management

  • 24×7 security monitoring
  • Identification
  • Triage
  • Containment
  • Resolution
  • Recovery
  • Root cause analysis and lessons learned
  • Digital forensics capability

Cyber insurance

  • Broker and underwriter engagement
  • Limits and deductibles
  • Covered scenarios
  • Pre-breach risk and control maturity assessment
  • Post breach engagement

In-house SOC 

  • Recruitment
  • Development, retention and promotion 
  • Knowledge retention
  • Team and shift management
  • Continuous training
  • Technology upgrade

Outsourced or shared SOC

  • Supplier selection and management 
  • Contract negotiation
  • Knowledge transfer
  • Resource commitments
  • Metrics and KPIs

Threat management

  • Alerting from security tools
  • Log analysis and correlation
  • Open source and commercial threat feeds
  • Threat hunting (automated and manual)
  • Social media and Dark Web monitoring

Identity and access

  • Identity repository and federation
  • Credential and password management
  • Multi factor authentication
  • Joiners, movers and leavers (HR process integration)
  • Access review
  • Single sign-on
  • Conditional access

Product security

  • Threat modelling
  • Application assessment and hardening
  • Change and configuration management

Integrating security in SDLC

  • Secure application development standards
  • Secure coding training and review
  • Security pairing / 1:1 coaching
  • Security testing in the pipeline
  • Checking for vulnerable dependencies
  • Checking for secrets in code
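As an added illustration of the last item above (this is example code, not part of the original post), the script below shows the two techniques most secret scanners in a pipeline combine: fixed patterns for known key formats and credential-style assignments, plus a Shannon entropy check for long random-looking string literals. The sample source file is constructed for the example; the AWS key uses the 20-character `AKIA…` format, the rule names and the `secret-scan: allow` exception marker are assumptions of this example, and the entropy threshold is a starting point to tune against your own code base.

```python
import math
import re
from typing import List, Tuple

# Constructed sample source file: lines 3 and 6 are acceptable, lines 4 and 5 are not.
SAMPLE_SOURCE = """\
import os
DB_USER = "app"
DB_PASSWORD = os.environ["DB_PASSWORD"]
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_token = "a9F3kL2qZx8vQwE5rT7uYb1nM4pS6dH0"
LOG_FORMAT = "%(asctime)s %(levelname)s %(message)s"
"""

# Pattern rules (names are this example's own): a known key format, and a
# credential-like variable name assigned a quoted literal.
PATTERN_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("credential-assignment", re.compile(
        r"(?i)(password|passwd|pwd|secret|token|api[_-]?key|access[_-]?key)"
        r"\s*[:=]\s*[\"']([^\"']{6,})[\"']")),
]
# A quoted literal with no whitespace and at least 20 characters is a candidate key.
LITERAL = re.compile(r"[\"']([^\"'\s]{20,})[\"']")
ENTROPY_THRESHOLD = 4.5  # bits per character; random base62 strings score near 5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the string's own frequencies."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_source(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, rule) pairs for every line that looks like a secret."""
    findings: List[Tuple[int, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if "secret-scan: allow" in line:  # explicit, reviewed exception marker
            continue
        for rule, pattern in PATTERN_RULES:
            if pattern.search(line):
                findings.append((line_no, rule))
        for literal in LITERAL.findall(line):
            if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
                findings.append((line_no, "high-entropy-string"))
                break  # one entropy finding per line is enough
    return findings


if __name__ == "__main__":
    for line_no, rule in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {rule}")
```

Run as a pre-commit hook or pipeline step and fail the build on any finding; the `os.environ` line shows the pattern that should replace a hard-coded value, and the entropy check is what catches tokens whose format no fixed pattern knows about.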

Security testing and assurance

  • Integrating security testing in the QA process
  • Code reviews
  • Penetration tests / red team exercises
  • Bug bounty / vulnerability disclosure programme
  • Continuous security testing

Email security

  • Anti-spam controls
  • Email encryption
  • Malware protection
  • Phishing protection
  • SPF, DKIM & DMARC configuration
  • Multi factor authentication
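To make the SPF, DKIM and DMARC item above concrete, here is an added example (not code from the original post) of the configuration review a security team can script: it reads a domain's TXT records and flags the weak settings that let spoofed mail through, such as `~all` or `+all` in SPF, `p=none` or a partial `pct` in DMARC, a missing `rua` reporting address, and an empty DKIM key. The records for `example.test` are constructed for the example rather than fetched; a real run would replace the `SAMPLE_TXT` dict with a DNS lookup. The DKIM selector name and the truncated public key are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample TXT records for a hypothetical domain (example.test). A real
# check would fetch these with a DNS library instead of reading this dict.
SAMPLE_TXT: Dict[str, List[str]] = {
    "example.test": ["v=spf1 include:_spf.mail.test ip4:203.0.113.10 ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "selector1._domainkey.example.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> Dict[str, str]:
    """Parse a 'tag=value; tag=value' record (DMARC and DKIM syntax) into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(records: List[str]) -> List[str]:
    """Findings for the TXT records at the domain apex."""
    findings: List[str] = []
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record published"]
    if len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record; receivers treat this as permerror")
    all_qualifier = None
    lookups = 0
    for term in spf[0].split()[1:]:  # skip the v=spf1 version tag
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:=/]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1  # counts this record only; includes are not followed
    if all_qualifier is None:
        findings.append("SPF: no 'all' term; unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("SPF: '+all' authorises every sender on the internet")
    elif all_qualifier == "?":
        findings.append("SPF: '?all' is neutral and gives no protection")
    elif all_qualifier == "~":
        findings.append("SPF: '~all' softfail; move to '-all' once DMARC reports show all legitimate senders")
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms in this record alone exceeds the limit of 10")
    return findings


def check_dmarc(records: List[str]) -> List[str]:
    """Findings for the TXT records at _dmarc.<domain>."""
    findings: List[str] = []
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no v=DMARC1 record at _dmarc.<domain>"]
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid 'p' tag; receivers ignore the record")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no 'rua' address; aggregate reports are not being collected")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    return findings


def check_dkim(selector: str, records: List[str]) -> List[str]:
    """Findings for the TXT records at <selector>._domainkey.<domain>."""
    dkim = [r for r in records if "v=dkim1" in r.lower() or "p=" in r.lower()]
    if not dkim:
        return [f"DKIM: no key record for selector '{selector}'"]
    if not parse_tags(dkim[0]).get("p"):
        return [f"DKIM: selector '{selector}' has an empty p= tag (key revoked)"]
    return []


def audit(domain: str, txt: Dict[str, List[str]] = SAMPLE_TXT,
          selectors=("selector1",)) -> Dict[str, List[str]]:
    """Run all three checks for a domain against a map of TXT records."""
    report: Dict[str, List[str]] = {
        "spf": check_spf(txt.get(domain, [])),
        "dmarc": check_dmarc(txt.get(f"_dmarc.{domain}", [])),
        "dkim": [],
    }
    for selector in selectors:
        report["dkim"] += check_dkim(selector, txt.get(f"{selector}._domainkey.{domain}", []))
    return report


if __name__ == "__main__":
    for area, items in audit("example.test").items():
        print(area.upper(), items or ["ok"])
```

The usual progression the findings point to is: publish DMARC at `p=none` with `rua` set, use the aggregate reports to find every legitimate sender, tighten SPF to `-all`, then move the DMARC policy to `quarantine` and finally `reject`. Note that the SPF lookup count here covers only the record itself; a full check follows every `include` and `redirect`, because the 10-lookup limit applies to the whole evaluation.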

Cloud infrastructure security

  • Identity and access management
  • Configuration hardening
  • Networking and communication security
  • Logging and monitoring capability
  • DDoS prevention capability
  • Backup capability

Container security

  • Vulnerability identification and remediation
  • Security policies
  • Identity and access management
  • Network segmentation
  • Secrets management
  • Logging and monitoring

Security operations

  • Anomaly detection capability
  • Procedures and runbooks
  • Rule adjustments
  • Metrics and KPI reporting
  • SOC and ticketing system
  • Investigation

Team leadership

  • Recruitment and retention
  • Performance management
  • Coaching and mentoring
  • Training and development

Business continuity planning

  • Business impact assessment
  • Cyber attack scenario planning
  • Business continuity plan development and review
  • Backup and restoration capability

Endpoint security

  • Asset management
  • Secure baseline
  • Hardening
  • Patching / software updates
  • Malware prevention
  • Threat detection
  • Encryption
  • PIN / Password enforcement
  • Remote wipe functionality
  • BYOD security

Supply chain security

  • Pre-contract due diligence
  • New contract reviews
  • Contract renewals
  • Negotiations
  • SLAs
  • Audits

Regulatory requirements

  • Regulatory landscape assessment
  • Self-assessment
  • Annual review
  • Supplier engagement
  • Control development and review
  • Improvement plan development and implementation

Data protection

  • Security controls for data protection
  • GDPR programme and BAU support
  • Privacy Impact Assessment support
  • Data transfer mapping and security

Internal compliance

  • Security policies and standards
  • Vendor assurance
  • Publication and awareness
  • Project security requirements

Control assurance

  • Control framework
  • Management risk and control reviews and reporting
  • Internal audit (Compliance team)
  • External audit

Continuous improvement

  • Security health checks (testing, tech risk landscape)
  • IT control assessment
  • Threat detection capability assessment
  • Prioritised remediation planning
