Welcome to this video on organizational responsibilities.

Modern businesses are structured in many different ways, depending on the industry they operate in and the requirements of their stakeholders. Whatever structure an organization has, the information security function needs to be able to influence policy and ensure the appropriate security processes and behaviours are implemented.

This video defines the organizational structures of modern businesses and where the role of the Information Security Manager sits within this. It also looks at the responsibilities of the Board and management teams in implementing effective security practices throughout the organization.

Let’s start by looking at how organizations are structured.

The Chief Executive Officer (CEO) or Managing Director is generally the head of the organization and most businesses of significant size also have a Board of Directors who report to the shareholders. The Board monitors what the CEO does.

The executive leadership group – often known as the C-suite – report to the CEO, although some may also be members of the Board. They perform a variety of functions aligned to business areas such as Finance, IT, HR, Operations, Marketing and Sales.

Each business area is managed by an executive and these roles typically include the Chief Financial Officer (CFO), Chief Information Officer (CIO) and Chief Operating Officer (COO). Each senior manager has a subset of responsibilities allocated to them by the CEO. For example, the CIO looks after the organization’s information strategy and the COO is responsible for the day-to-day running of the business. 

Now let’s look at where the ownership of information sits within the organization structure to see which stakeholders are concerned with information risk.

Generally, the Chief Information Security Officer (CISO) reports either to the senior management team or directly to the CEO. However, as you can see, there are different structural variations. Establishing a clear organizational structure that allows the business to manage information security is vital if risks are to be successfully mitigated.

There be a nominated individual with the responsibility for day-to-day management of all information security areas and authority, for information security must be present at the right level of the organization – a level that can influence other areas.

There’s little point having a security manager that nobody listens to or policies that aren’t taken seriously. The CISO or Information Security Manager (ISM) needs to understand the information assurance risks facing the organization.

Risks come from outside threat agents, such as competitors, foreign governments, terrorists and journalists, as well from employees inside the organization. Security breaches can also happen by accident.

Responsibilities of the CISO or ISM include:

•         Co-ordinating information assurance across the organization

•         Creating information assurance policies

•         Communicating the information assurance policy and guidelines to the rest of the organization

•         Qualifying the appetite of the business for risk and taking appropriate mitigating action

•         Monitoring emerging threats and establishing guidelines for responses

•         Monitoring and reporting on the effectiveness of security measures to senior management, and

•         Creating a security culture that will use security to the benefit of the organization

If the organization is very risk averse, strict policies might lead to fully locked down IT systems and tight processes. If the organization’s risk appetite is greater, a more balanced approach might be taken. The balance is driven from the business imperatives defined by the Board, such as cost and usability.

Management teams within the organization must actively support the Information Security Manager. This is achieved by appointing a security lead in each of the business areas or having members of the Information Security Team seconded into the business units.

Security responsibility always starts at the top of the business with the CEO, flowing down through all levels, including contract and temporary staff. Where there’s a need for a larger team of information security experts, for example in the IT support department of a large financial institution, there may be further delegation of responsibility.

Governance is an important aspect of the information assurance structure. A high-level forum, often called the Security Working Group or Security Steering Committee, should meet on a regular basis to provide oversight and promote good security practices.

The working group should be chaired by the Information Security Manager and be attended by line-of-business heads from all parts of the organization. External stakeholders should also be included if they’re required to support planning or governance.

The Security Working Group should be the advocate for information security throughout the organization. Members should have written terms and conditions and be advocates for information assurance in their own work areas. This helps create a security culture.

If an organization can’t justify the expense of maintaining a full-time security manager or security team, they might employ external specialists on a part-time basis. For example, it might not be cost effective for an organization to employ a team of penetration testers; so, if their security policy requires periodic health checks, then they would bring in an external resource to complete the activity.

Having a relationship with a trusted, specialist company with appropriate certifications and accreditations allows an organization to meet its objectives without the cost of employing a team of experts.

Terms of reference for anybody involved in information security should be clearly defined, especially where responsibilities are delegated to individuals who aren’t members of the Information Security Team. This helps to distinguish security responsibilities from other core areas and establishes reporting lines to the Information Security Manager.

The responsibilities should reflect the organization’s information assurance policies, as well as any legislative or compliance aspects that the staff member must understand.

Adding these responsibilities to the individual’s job description helps to embed them in ‘business as usual’ activities.

A critical element of information security management is communicating with and educating staff. A security awareness programme should be rolled out across the organization. It’s essential that the key elements of the organization's security policies are communicated, and training should be evaluated to establish the organization’s current level of awareness.

The security awareness programme should be designed by the Information Security Team in conjunction with specialist training designers. It should then be introduced across the organization to meet the requirements identified in the training needs analysis.

Security awareness training should incorporate an assessment and the results should be recorded. This helps to identify the level of awareness and what measures are required to make improvements. Every individual in an organization has a responsibility for security.

However, it’s only possible to fully promote this level of personal accountability if the Information Security Manager has successfully introduced a security awareness programme.

Then, every member of staff will understand their responsibilities in relation to the organization’s security posture, including the security-related aspects of their own job and the part they play in the security of the organization.

That’s the end of this video on organizational responsibilities.