I’m often asked what the responsibilities of a CISO or Head of Information Security are. Regardless of the title, the remit of a security leadership role varies from organisation to organisation. At its core, however, every such role has one thing in common: it enables the business to operate securely. Protecting the company brand, managing risk and building customer trust by safeguarding the data customers have entrusted to you are key.
There are various frameworks out there that can help structure a security programme, but it is the job of the security leader to understand the business context and prioritise activities accordingly. I put the diagram below together (inspired by Rafeeq Rehman) to give an idea of some of the key initiatives and responsibilities you could consider. Feel free to adapt and tailor it to the needs of your organisation.

You might also find my previous blogs on the first 100 days as a CISO and developing an information security strategy useful.
Information security strategy
- Security strategy definition, articulation and update
- Capability maturity assessment
- Identification of emerging risks
- Security programme development and tracking
- Assessing emerging technologies
Stakeholder engagement
- Alignment with business and technology strategy
- Communications plan
- Leadership and staff updates
- Coordination with Product, Engineering, Compliance and other teams
Security committee
- Terms of Reference
- Ensuring relevance of content
- Member engagement
- Material preparation (deck, minutes, etc.)
Reporting
- Board reporting
- Security Committee reporting
- Metric selection, review and validation
- Report tooling
Security project management
- Current state assessment and improvement prioritisation
- Activity planning
- Supplier onboarding
- Progress tracking and reporting
- Coordinating product security improvements
Governance
- Information Security Management System
- Policy and procedure development and review
- Roles, responsibilities and ownership
Risk management
- Risk assessment
- Risk ownership and governance
- Risk articulation and management review
- Risk mitigation strategy
- Risk acceptance process
- Tooling for risk management / risk log maintenance
- Emerging risk identification
Brand protection
- Marketing and customer service engagement
- Social media account security
- Alignment with Legal
New business initiatives
- New initiative identification and engagement
- Security consulting for enterprise projects
- Supporting international expansion
Operating model
- Operating model development and review
- Roles and responsibilities
- Change management
- Workforce planning and development
Finance
- Business case for security improvements
- Alignment with investment portfolio
- Budgeting and tracking
- Investor relations (funding, governance, etc.)
Mergers and acquisitions
- Risk management
- Due diligence
- Secure integration
Physical security
- Landlord services
- Physical access control
- Business continuity and disaster recovery planning
- Health and Safety
Fostering the culture of security
- Campaign planning and management
- Security awareness
- Targeted training
- 1:1 coaching
- Security champions
- Phishing prevention measures
- Tooling (e.g. eLearning)
- Measuring and metrics
- Continuous improvement
Data security
- Data governance
- Data ownership and custodianship
- Data and process mapping
- Data analytics security
- Encryption and masking (in transit and at rest)
- Access and storage of sensitive data
- Data classification
- Data retention and destruction strategy
- Data loss channel identification (USB, email, SaaS)
- DLP tooling selection and implementation
Vulnerability management
- Identification and scoping
- Approach to fixing vulnerabilities
- Baseline verification
- Metrics
Incident preparation
- Stakeholder engagement (Board, IT, HR, Legal, Communications / Marketing / Media relations, customers, suppliers)
- Runbooks for critical incident types (customer data breach, ransomware, etc.)
- Alignment with crisis communication plan
- Breach notification templates and customer notification strategy
- Incident coordination and response tooling
- Links to wider business continuity / communications strategy
- Response exercise / test
Incident management
- 24×7 security monitoring
- Identification
- Triage
- Containment
- Resolution
- Recovery
- Root cause analysis and lessons learned
- Digital forensics capability
Cyber insurance
- Broker and underwriter engagement
- Limits and deductibles
- Covered scenarios
- Pre-breach risk and control maturity assessment
- Post breach engagement
In-house SOC
- Recruitment
- Development, retention and promotion
- Knowledge retention
- Team and shift management
- Continuous training
- Technology upgrade
Outsourced or shared SOC
- Supplier selection and management
- Contract negotiation
- Knowledge transfer
- Resource commitments
- Metrics and KPIs
Threat management
- Alerting from security tools
- Log analysis and correlation
- Open source and commercial threat feeds
- Threat hunting (automated and manual)
- Social media and Dark Web monitoring
Identity and access
- Identity repository and federation
- Credential and password management
- Multi factor authentication
- Joiners, movers and leavers (JML) process integration with HR
- Access review
- Single sign-on
- Conditional access
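The JML integration and access review items above are where most identity programmes leak: leavers whose accounts stay enabled, movers who keep the groups of their old role, and accounts nobody owns. The following is an added example (not from the original post) of the reconciliation an access review actually performs: it joins a constructed IdP account export against a constructed HR roster and reports the four findings a reviewer acts on. The department-to-group entitlement table, the data classes and all names are assumptions for illustration.

```python
"""Access review: reconcile an IdP account export against the HR roster."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed entitlement model: the groups each department is allowed to hold.
# In practice this comes from your role model or IGA tool.
ENTITLED_GROUPS = {
    "finance": {"all-staff", "finance-users"},
    "engineering": {"all-staff", "eng-users", "prod-deploy"},
    "marketing": {"all-staff", "marketing-users"},
}


@dataclass
class HrRecord:
    employee_id: str
    department: str
    status: str                      # "active" or "leaver"
    leave_date: Optional[date] = None


@dataclass
class IdpAccount:
    username: str
    employee_id: Optional[str]       # None for accounts not tied to a person
    enabled: bool
    last_login: Optional[date]
    groups: set = field(default_factory=set)


def review_access(hr_roster, accounts, today, dormant_days=90):
    """Return (username, finding, detail) tuples for accounts that need action."""
    hr_by_id = {r.employee_id: r for r in hr_roster}
    findings = []
    for acct in accounts:
        record = hr_by_id.get(acct.employee_id) if acct.employee_id else None
        if record is None:
            # No person behind the account: confirm an owner or disable it.
            findings.append((acct.username, "orphan", "no matching HR record"))
            continue
        if not acct.enabled:
            continue  # already disabled; nothing to action in this review
        if record.status == "leaver":
            findings.append((acct.username, "leaver-enabled",
                             f"left on {record.leave_date}; account still enabled"))
        # Movers: any group outside the current department's entitlement
        excess = acct.groups - ENTITLED_GROUPS.get(record.department, set())
        if excess:
            findings.append((acct.username, "excess-groups",
                             f"not entitled as {record.department}: {sorted(excess)}"))
        # Dormant accounts are a standing credential nobody is watching
        if acct.last_login is None or (today - acct.last_login).days > dormant_days:
            findings.append((acct.username, "dormant",
                             f"no login in the last {dormant_days} days"))
    return findings


# Constructed sample data for the example; not real people or systems.
TODAY = date(2024, 6, 1)
HR_ROSTER = [
    HrRecord("E100", "finance", "active"),
    HrRecord("E101", "engineering", "active"),      # moved here from finance
    HrRecord("E102", "engineering", "leaver", leave_date=date(2024, 4, 15)),
    HrRecord("E103", "marketing", "active"),
]
ACCOUNTS = [
    IdpAccount("alice", "E100", True, date(2024, 5, 30), {"all-staff", "finance-users"}),
    # bob is a mover: the finance group from his old role was never removed
    IdpAccount("bob", "E101", True, date(2024, 5, 28),
               {"all-staff", "eng-users", "prod-deploy", "finance-users"}),
    # carol left in April but HR offboarding never reached the IdP
    IdpAccount("carol", "E102", True, date(2024, 4, 10), {"all-staff", "eng-users"}),
    # dave has not signed in since January
    IdpAccount("dave", "E103", True, date(2024, 1, 20), {"all-staff", "marketing-users"}),
    # service account with no employee behind it
    IdpAccount("svc-backup", None, True, None, {"backup-operators"}),
]


def run_review():
    """Run the review over the constructed sample data."""
    return review_access(HR_ROSTER, ACCOUNTS, TODAY)


if __name__ == "__main__":
    for username, finding, detail in run_review():
        print(f"{username:12} {finding:16} {detail}")
```

Running this over a real export, the interesting output is usually the orphan list: service accounts with no named owner are where offboarding and access review both fail silently, so treat "orphan" as a finding to resolve, not noise to filter.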
Product security
- Threat modelling
- Application assessment and hardening
- Change and configuration management
Integrating security in SDLC
- Secure application development standards
- Secure coding training and review
- Security pairing / 1:1 coaching
- Security testing in the pipeline
- Checking for vulnerable dependencies
- Checking for secrets in code
Security testing and assurance
- Integrating security testing in the QA process
- Code reviews
- Penetration tests / red team exercises
- Bug bounty / vulnerability disclosure programme
- Continuous security testing
Email security
- Anti-spam controls
- Email encryption
- Malware protection
- Phishing protection
- SPF, DKIM & DMARC configuration
- Multi factor authentication
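The SPF, DKIM and DMARC item is the one concrete configuration in this list, and it is also the one most often "done" on paper while still being ineffective: an SPF record ending in +all, more than ten lookup terms, or a DMARC record left at p=none with no reporting address. The following is an added example (not from the original post) that lints SPF and DMARC TXT records for those weaknesses. The records are constructed for a hypothetical example.com rather than fetched from DNS; DKIM is left aside because it is a per-selector public key rather than a single policy record and is verified on received mail, not linted from one TXT record.

```python
"""Lint SPF and DMARC TXT records for the weaknesses an email-security review looks for."""

# SPF terms that each consume one of the 10 permitted DNS lookups (RFC 7208 section 4.6.4)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _term_name(term):
    """Strip qualifier, argument and CIDR from an SPF term: '-include:x' -> 'include'."""
    body = term.lstrip("+-~?")
    for sep in (":", "=", "/"):
        body = body.split(sep, 1)[0]
    return body.lower()


def check_spf(record):
    """Return the lookup count, the 'all' qualifier and a list of findings for an SPF record."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "findings": ["not an SPF record (must start with v=spf1)"]}
    lookups = 0
    all_qualifier = None
    findings = []
    for term in terms[1:]:
        name = _term_name(term)
        if name in LOOKUP_TERMS:
            lookups += 1
        elif name == "all":
            # A bare 'all' is implicitly '+all'
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' authorises any host on the internet to send as this domain")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral and gives receivers nothing to act on")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceeds the limit of 10; receivers return permerror")
    return {"valid": True, "lookups": lookups, "all": all_qualifier, "findings": findings}


def check_dmarc(record):
    """Return the policy, pct and a list of findings for a DMARC TXT record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "findings": ["not a DMARC record (must start with v=DMARC1)"]}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in {"none", "quarantine", "reject"}:
        findings.append("missing or invalid 'p' tag; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail that fails DMARC is still delivered")
    raw_pct = tags.get("pct", "100")
    pct = int(raw_pct) if raw_pct.isdigit() else 100
    if policy in {"quarantine", "reject"} and pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no 'rua' tag: aggregate reports are not collected, so you cannot see who spoofs you")
    return {"valid": True, "policy": policy or None, "pct": pct, "findings": findings}


# Constructed example records for a hypothetical example.com; not real DNS data.
WEAK_SPF = "v=spf1 include:_spf.example-mailer.net a mx ptr +all"
STRONG_SPF = "v=spf1 include:_spf.example-mailer.net ip4:203.0.113.0/24 -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"


if __name__ == "__main__":
    for label, record, checker in (("weak SPF", WEAK_SPF, check_spf),
                                   ("strong SPF", STRONG_SPF, check_spf),
                                   ("weak DMARC", WEAK_DMARC, check_dmarc),
                                   ("strong DMARC", STRONG_DMARC, check_dmarc)):
        result = checker(record)
        print(f"{label}: {result['findings'] or ['OK']}")
```

To run this against real domains, resolve the TXT records for the domain and for `_dmarc.<domain>` and feed the strings in. Note that the lookup count here is the direct count only; a full check follows each include and redirect recursively, which is exactly how records quietly cross the limit of ten after a few SaaS senders are added.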
Cloud infrastructure security
- Identity and access management
- Configuration hardening
- Networking and communication security
- Logging and monitoring capability
- DDoS prevention capability
- Backup capability
Container security
- Vulnerability identification and remediation
- Security policies
- Identity and access management
- Network segmentation
- Secrets management
- Logging and monitoring
Security operations
- Anomaly detection capability
- Procedures and runbooks
- Rule adjustments
- Metrics and KPI reporting
- SOC and ticketing system
- Investigation
Team leadership
- Recruitment and retention
- Performance management
- Coaching and mentoring
- Training and development
Business continuity planning
- Business impact assessment
- Cyber attack scenario planning
- Business continuity plan development and review
- Backup and restoration capability
Endpoint security
- Asset management
- Secure baseline
- Hardening
- Patching / software updates
- Malware prevention
- Threat detection
- Encryption
- PIN / Password enforcement
- Remote wipe functionality
- BYOD security
Supply chain security
- Pre-contract due diligence
- New contract reviews
- Contract renewals
- Negotiations
- SLAs
- Audits
Regulatory requirements
- Regulatory landscape assessment
- Self-assessment
- Annual review
- Supplier engagement
- Control development and review
- Improvement plan development and implementation
Data protection
- Security controls for data protection
- GDPR programme and BAU support
- Privacy Impact Assessment support
- Data transfer mapping and security
Internal compliance
- Security policies and standards
- Vendor assurance
- Publication and awareness
- Project security requirements
Control assurance
- Control framework
- Management risk and control reviews and reporting
- Internal audit (Compliance team)
- External audit
Continuous improvement
- Security health checks (testing, tech risk landscape)
- IT control assessment
- Threat detection capability assessment
- Prioritised remediation planning