The role of the Information Security Manager

Just before you look at the typical roles and responsibilities of a Chief Information Security Officer (CISO) or Information Security Manger (ISM), take a moment to reflect on your own role in your organisation.

What responsibilities do you have at your organisation? Are they confined to a very specific area or are they more wide-ranging? Write down any thoughts you have.

Figure 1:CISO roles

CISO responsibilities

As technology continues to grow and expand, playing an ever more central part in every facet of business, the role of a CISO becomes wider and more extensive, needing to address a range of different duties. 

In this section, you'll look at those tasks and see why they are now essential parts of a modern CISO or ISM's remit. As mentioned, given how technology only continues to grow the expectations of the CISO will also. 

The principal responsibilities for CISO (or ISM) include:

• Coordinating Information Assurance (IA) across the enterprise. This is at the core of what cyber security needs to do. It means assuring information and managing risks related to the use, processing, storage, and transmission of information. It also involves protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data. IA deals with physical as well as data protections and includes data in transit and data at rest.
• The generation of IA-related policies. The CISO needs to create policies that state the security controls of the business, and then map those policies to functions within the business. In this way, the organisation will be able to react to threats in the best possible manner. You need to implement these policies in order to foster IA. You need to communicate company-wide IA policy that will co-ordinate all departments as a unified front.
• Your duties also call for the monitoring of emerging threats and establishing guidelines for how the enterprise will respond to these.
• You also need to monitor and report on the effectiveness of current security measures to senior management. This is key, given that any breaches or potential breaches affect the entire company. If the business were extremely risk averse, strict policies might lead to extremely locked down IT systems and tight human-oriented processes, but if the risk appetite is greater, then a more managed approach may evolve. The balance to be struck is always decided by the various business imperatives that the CEO imposes on you. These typically include cost, usability, and staff morale.
• You are responsible for the creation of a security culture that will use security to the benefit of the business. In many ways this is one of the most important tasks and also one of the most difficult. With each member of the company using the network in some way it's critical to impart a company-wide awareness of security and its threats. Instilling a security culture is not done overnight. However, creating one will make a huge difference in the organisation's long-term protection from attacks and help mitigate against any damage sustained.

Given the number of roles and responsibilities on the CISO's shoulders, it's essential that they collaborate closely with a Security working group. You’ll be looking at how important that is in the next article.

Reflection

Before moving on, think back to your current responsibilities - how do they compare to those of a CISO? How do you think the responsibilities of the CISO will grow in the future?

What's next?

You've been looking in more detail at the CISO's role and how it includes many different responsibilities. In the next article, you'll be looking at assembling management teams and the central role these teams have.