Creating an effective CIO/CISO organization

“As a CISO it is always my neck on the line…”

The Chief Information Officer (CIO) and Chief Information Security Officer (CISO) are vital cogs in the enterprise wheel. The implementation and tracking of government regulation compliance, standards compliance, digital infrastructure and information security measures are today acknowledged as crucial to an enterprise’s survival.

Failing on any of these aspects can have huge implications for the finances, operations and reputation of the enterprise. Consider this: malware opened by a single employee at Union Bank of India resulted in a $171 million financial loss, large operational disruption for up to two weeks, and huge reputational damage as the news became public.

So, how should a CIO or CISO create an effective organization that can handle the threats, regulations, and audits of their information systems?

The key principles for establishing any effective organization are transparency and accountability. These principles take on new dimensions when we are talking about information systems.


What is transparency in information systems?

Transparency for a CIO or CISO means having a clear picture of what is present in the organization and how it is regulated and protected. For example, an enterprise based out of Singapore might use a single Australian vendor, whose server in Sydney processes some crucial benefit for the enterprise using payment card data collected anywhere in the world. In such a scenario, it is essential for the server in Sydney to be compliant with the worldwide PCI DSS standards, and for the CIO/CISO to be able to track that compliance. Similarly, if the enterprise has 2000 devices that need to be upgraded to the latest software, then the CIO/CISO needs to be informed of the requirement and be able to track the current state of progress on the compliance.

Automation for Transparency

Automation can play a key role in ensuring transparency of information systems. An automated GRC system can establish the standards and controls, and tamper-proof reports can ensure that there is complete internal transparency. Any significant policy violation should be red-flagged all the way to the C-levels and tracked to closure.

Challenges to true automation

While automation can ensure that what is reported is correct, a truly transparent automated system will also ensure that the reports are complete. This means that operations management in the CISO organization shouldn’t be able to mask or remove checks that show embarrassing failures.

True information security transparency ensures correct and complete information to the CIO or CISO


The second pillar on which to build an effective CISO organization is ‘Accountability’. Proper accountability requires the organization to be able to assign each distinct responsibility exclusively to individuals and teams.

Guiding principles to proper accountability

A proper structure of accountability ensures that:

  • Skills that belong together stay together, and
  • Roles are clearly defined.

For example, teams that deal with securing the payment card data and PCI DSS compliance belong together. Similarly, accountability for PCI DSS compliance in voice infrastructure and in data infrastructure should be clearly separated and defined, with roles identified for each, since the goals are the same but the skills are different between the two.

Automation for accountability

Automation for accountability is significantly different from automation for transparency. Many GRC software products provide platforms through which a mature model of automated accountability can be constructed.

To ensure an effective CIO/CISO organization, automation for accountability in such software should focus on:

  • Defining controls with Boolean outcomes — i.e. the controls should have Yes/No outcomes.
  • Assigning ownership to all the controls.
  • Completeness of the controls.


A concerned C-level at a panel discussion —

“As a CISO it is always my neck on the line…”

So, have you built your CISO organization on sound principles? Are you making your automation work effectively for you?

A CIO/CISO needs to be on top of the whole setup, and not feel lost in the jungle. He or she needs to make the organization work for the enterprise, and not feel like he or she is dancing to their tunes. The difference between one and the other lies in effectively employing the principles of transparency and accountability to make appropriate decisions.

Creating an effective CIO/CISO organization was originally published in Assertion on Medium, where people are continuing the conversation by highlighting and responding to this story.