CHAPTER 65

ROLE OF THE CISO

Karen F. Worstell

65.1 CISO AS CHANGE AGENT

65.2 CISO AS STRATEGIST

65.2.1 Reliance on Digital Information

65.2.2 Inherent Insecurity of Systems

65.2.3 World Trends

65.3 STRATEGY, GOVERNANCE, AND THE STANDARD OF CARE

65.3.1 Standard of Care

65.3.2 Governance and Accountability

65.3.3 Roles and Responsibilities

65.3.4 Reporting

65.3.5 Monitoring

65.3.6 Metrics

65.3.7 Executive Visibility

65.4 SUMMARY OF ACTIONS

65.5 RECOMMENDATIONS FOR SUCCESS FOR CISOs

65.5.1 Education and Experience

65.5.2 “Culture” of Security in the Business

65.5.3 Alliance with Corporate and Outside Counsel

65.5.4 Partnership with Internal Audit

65.5.5 Tension with IT

65.5.6 Organizational Structure

65.5.7 Responsibilities and Opportunities outside of CISO Internal Responsibilities

65.6 CONCLUDING REMARKS

65.7 NOTES

65.1 CISO AS CHANGE AGENT.

The title of chief information security officer (CISO) has evolved because of the realization that the function of the chief information officer (CIO) is so broad as to require another person to focus specifically on the security elements of information. Another motivation derives from the fact that the CISO can perform functions that are not usually associated with the CIO. Our approach to information security needs to change in response to the disruptive events affecting the network and the boardroom. CISOs should be the change agents to make this happen. This is a shift from the majority of CISOs' emphasis today as senior managers of information ...