Free download of the article: The emerging role of the CISO

Persian title
The emerging role of the CISO
English title
The emerging role of the CISO
Persian article pages
0
English article pages
7
Year of publication
2016
Publisher
Elsevier
English article format
PDF
Product code
E2515
Related fields
Computer Engineering
Related specializations
Information Security
Journal
Business Horizons
University
Victoria University of Wellington, New Zealand
Keywords
CISO, cybersecurity, CIO job/role, CISO attributes, organizational concern
Abstract

Against a background of board-level concern for cybersecurity, organizations are seeking to ensure the protection of their information assets and to minimize the risk of a cybersecurity attack. These objectives place two particular demands on organizations: to appoint a suitable official, a CISO, to head up their information security operations; and to ensure that the executive and board are appropriately informed of the organization's security status. In exploring the challenges that confront organizations in selecting a CISO, we drew on data from the U.S., Canada, and New Zealand. Two main issues were addressed. First, the organization has to be very clear on what it wants in terms of the job the CISO is expected to perform and the corresponding attributes that such an incumbent would need to possess. The CISO is a senior-level executive, and rather than being a specialized technical expert, the CISO should be an excellent communicator. This will help address the second issue, which is how effectively the CISO can communicate with the board. Some suggestions are provided that serve to aid both effectiveness and efficiency. However, organizations need to embrace their concern about cybersecurity and build it into their selection criteria for board members.

Conclusion

5. The reporting challenge for CISOs

Having established the risk context and built security stories, the CISO's role is then to communicate effectively the organization's security performance and capability. Executive reports of security assurance and performance metrics, risk and compliance assessments, and ROI measures are often underpinned by a comprehensive set of metrics based on ISO 27001 or other security frameworks. The challenge with such comprehensive security reporting is that communicating security information is generally acknowledged to be incredibly difficult, especially with non-technical, disinterested, or time-constrained C-suite executives (Brousell, 2014). Addressing this challenge is not helped by the general trend for security briefings to occur less frequently than the monthly or quarterly briefings held with other business disciplines such as finance, HR, or manufacturing. An industry-sponsored survey on the state of risk-based security (Ponemon Institute, 2013) found that most senior executives only ask to hear from their CISOs when breaches have occurred or other security crises have reached a need-to-inform level. The focus of the survey was the communication of security metrics. Respondents to the survey were not specifically CISOs but included IT security, operations, and risk management personnel, as well as internal audit and enterprise risk management staff. A total of 1,321 employees from U.S. and U.K. organizations responded.