Leadership Role in Information Security
Leadership's role in an organization is to enact the values it says are important. Employees pay more attention to what their supervisors say and do than to directives learned in training or from awareness aids such as posters and flyers. The first thing leadership can do to promote security in an organization is to lead by example: leadership must visibly practice security and adhere to policies consistently. Leaders also have to take a proactive interest in their staff becoming security aware and following policies, and must be actively involved in ensuring that staff training is completed and that compliance is maintained (WIPRO Web, 2015).
It is critical that users at all levels of an organization buy into security awareness and policies. This requires an advocate: someone willing to develop, implement, enforce, and promote information security and software assurance throughout the organization. This advocate is usually a senior executive, often in a dedicated position called the Chief Information Security Officer (CISO). The CISO is the advocate who promotes a culture that accepts and is willing to integrate strong security into business processes.
An information security chat was hosted by the IBM Security team on June 17, 2014. The chat was attended by prominent business leaders and CISOs/CSOs and was organized around key questions concerning the CISO/CSO role and its influence on information security. The following outlines many of the key characteristics and roles discussed.
Three primary threads evolved from the discussion about what is top of mind for the CISO. First was the need to address awareness. The second was the need to focus on the maturity level of the security team and its infrastructure. The last was the need to be able to communicate at all levels.
One of the primary roles noted is that the CISO is responsible for articulating the risk profile to the key stakeholders and the business value of security to ensure that it does not remain a hidden topic.
A CISO needs excellent communications skills, hard experience, in-depth knowledge of the security domain, and the ability to see the big picture.
Information security responsibilities exist, regardless of the existence of a CISO. The Chief Security Officer (CSO), Chief Information Officer (CIO) or Chief Executive Officer (CEO) are all viable contenders for addressing the responsibilities one would normally associate with the CISO.
The CISO should be both influencer and protector. The role of responder should be delegated to members of the CISO team.
Overall, it was noted that the CISO must have a wide range of skills: the ability to lead effectively, the ability to articulate the state of information security to company stakeholders, and the ability to lead employees in the concepts of security. Other important roles include ensuring comprehensive risk analysis to identify gaps, integrating appropriate security tools and analysis capabilities, and steering the company toward a more security-aware culture (Burgess, 2014).
WIPRO Web. (2015, February). Embedding a ‘Culture of Security’ Is the Best Defense. Retrieved August 11, 2015, from https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&ved=0CEwQFjADahUKEwjd5e7WrqLHAhUGA5IKHX7xChw&url=https%3A%2F%2Fwww.wipro.
Burgess, C. (2014, June 23). What Is the Role of Today’s CISOs? 7 Questions from Business Leaders. Retrieved August 13, 2015, from https://securityintelligence.com/what-is-the-role-of-todays-cisos-7-questions-business-leaders-are-asking/