Defining the Strategic Role of the Chief Information Security Officer

The Chief Information Security Officer and the Five Dimensions of a Strategist

2017

The modern organisation operates within a sophisticated and evolving security threat landscape that exposes its information infrastructure to a range of security risks. Unsurprisingly, despite the existence of industry 'best-practice' security standards and unprecedented levels of investment in security technology, the rate of incidents continues to escalate. Furthermore, a review of security literature reveals an apparent lack of strategic perspective in the field of information security management (ISM), which results in a number of strategic challenges for the ISM function in organisations. The level of sophistication and dynamism of the threat requires organisations to develop novel security strategies that draw on creative and lateral thinking approaches. Such a security campaign requires the Chief Information Security Officer (CISO) to function as a 'strategist'. However, there is little or no evidence in security literature to show that the security leader is required to function as a strategist. In this research, we set out to identify the specific competencies required by CISOs to become effective strategists by performing a systematic literature review of both security and strategic management literature. We thematically analysed and coded the characteristics extracted from strategic management literature into the five dimensions of the strategist. We discuss these macro competencies in the context of ISM, and argue that CISOs with these five dimensions of a strategist will be able to overcome the existing strategic challenges facing ISM in organisations.

The Role of the Chief Information Security Officer (CISO) in Organizations

CAPSI 2019, 2019

In an increasingly connected and digital world, information is seen as a business enabler and a source of sustained competitive advantage. Thus, information security is becoming critical to protect these information assets, which is why organizations' information security strategy has been aligning with their strategic goals. This paper aims to study organizations' general information security environment, analyse the CISO's role in them and understand where the CISO should be positioned in the organizational structure. Interviews were conducted with experienced information security consultants, information systems directors and information security directors, which allowed us to conclude that organizations in Portugal still need to increase their maturity when it comes to information security, and that this may be due to the absence of an established security culture in the country. On the other hand, the CISO's role has been increasing in relevance, and it is considered that the CISO should have a close and independent relationship with the organization's board.

The Chief Information Security Officer: An Exploratory Study

Journal of International Technology and Information Management, 2017

The proliferation and embeddedness of Information Technology (IT) resources into many organizations’ business processes continues unabated. The security of these IT resources is essential to operational and strategic business continuity. However, as the large number of recent security breaches at various organizations illustrate, there is more that needs to be done in securing IT resources. Firms, through organizational structures, usually delegate the management and control of IT security activities and policies to the Chief Information Security Officer (CISO). Nevertheless, there seem to be a number of firms without a CISO and for the ones that do, there is little consensus regarding who the CISO should be reporting to. This exploratory study investigates the organizational security reporting structures using a dataset of all the firms that hired a CISO between 2010 and 2014. The results suggest that the number of firms hiring CISOs is increasing and that the hired CISOs are predo...

The CISO Role – An impact analysis of the CISO organizational structure position in Information Security Maturity

2017

In today's world, information is one of the most important assets for any organization, and securing information has become strategic and even critical to the survival of the organization. Most organizations have information systems and organizational structures that include the role of a Chief Information Security Officer (CISO), although not necessarily under this specific title. This paper proposes a model using quantitative and qualitative research to evaluate the relationship between the CISO's place within the organizational structure and the organization's current level of information security maturity. Interviews, conducted with twenty-five Portuguese public and private organizations, were based on the information security maturity model and the high-level RACI (Responsible, Accountable, Consulted and Informed) chart of the CISO's role, outlined in COBIT 5. The resulting data was statistically analysed using correlation matrices and scatter plots.

Organisational Information Security Strategy: Review, Discussion and Future Research

Australasian Journal of Information Systems, 2017

Dependence on information, including for some of the world's largest organisations such as governments and multinational corporations, has grown rapidly in recent years. However, reports of information security breaches and their associated consequences indicate that attacks are escalating on organisations conducting these information-based activities. Organisations need to formulate strategy to secure their information; however, gaps exist in knowledge. Through a thematic review of academic security literature, (1) we analyse the antecedent conditions that motivate the adoption of a comprehensive information security strategy, (2) the conceptual elements of strategy and (3) the benefits that are enjoyed post-adoption. Our contributions include a definition of information security strategy that moves from an internally-focussed protection of information towards a strategic view that considers the organisation, its resources and capabilities, and its external environment. Our findings are then used to suggest future research directions.

Information Security Strategy in Organisations: Review, Discussion and Future Research Directions

Australasian Conference on Information Systems, 2015

Dependence on information, including for some of the world's largest organisations such as governments and multinational corporations, has grown rapidly in recent years. However, reports of information security breaches and their associated consequences continue to indicate that attacks are still escalating on organisations when conducting these information-based activities. Clearly, more research is needed to better understand how organisations should formulate strategy to secure their information. Through a thematic review of academic security literature, we (1) analyse the antecedent conditions that motivate the potential adoption of a comprehensive information security strategy, (2) the current perspectives of strategy and (3) the yields and benefits that could be enjoyed post-adoption. Our contributions include a definition of information security strategy. We argue for a paradigm shift to extend from internally-focussed protection of organisation-wide information towards a strategic view that considers the inter-organisational level. Our findings are then used to suggest future research directions.

Towards a Framework for Strategic Security Context in Information Security Governance

Pacific Asia Journal of the Association for Information Systems, 2018

Information security governance influences the quality of strategic decision-making to ensure that investments in security are effective. Security governance involves a range of activities including adjusting organisational structures, designating roles and responsibilities, allocating resources, managing risks, measuring results, and gauging the adequacy of audits and reviews. We identified three security issues in an organisation around strategic context in an in-depth and revelatory case study. These are (1) limited diversity in decision-making; (2) lack of guidance in corporate-level mission statements to security decision-makers; (3) a bottom-up approach to security strategic context development. We further argue that instead of an approach that is based on risk and controls, organisations should address objectives and strategies through developing depth in their security strategic context.

Understanding Information Security Strategy in Organisations

The University of Melbourne, 2018

The research topic under investigation in this thesis is information security strategy in organisations and I offer a novel substantive theory for understanding this phenomenon under varying environmental and internal conditions. My original contribution to knowledge includes a definition for information security strategy, criteria for organisational environment and information assessment, a conceptual model of information security strategy, a substantive theory on information security strategy, and a descriptive set of benefits that can be adopted after strategy selection and approval. Organisations are progressively undertaking digital transformation of their products and services to reduce costs, improve customer relationships, and consolidate operations. Information is the “lifeblood” of any organisation and is increasingly being used to support this digital transformation across the entire organisation. Yet, the boundaries of information, its value, and importance in supporting organisational goals are frequently overlooked, creating security exposures and vulnerabilities. One reason for this is a lack of attention paid to cataloguing and controlling valuable information being used as a business resource. Others are that usage of emerging disruptive technology such as cloud-based applications can create porous network borders, that security controls used to protect information can be expensive and complex, and that organisational leaders may resist the implementation of security controls due to a perception that they impede productivity. This then leads to increased risk to information, affecting organisational leaders in the governing body, who currently have no consistent guidance available to help them in selecting a strategy or setting a strategic direction for information security. To address this problem, I examine a range of concepts when adopting a strategy to secure information, by interviewing security leaders in organisations. 
In a qualitative study, I interviewed twenty-five participants and used grounded theory methodology and techniques to analyse the transcripts and their organisation’s information security strategy documents when permitted, to understand significant information security concepts and their relationships in an organisational context. The results show that organisational leaders choose from four main strategies when making decisions to secure their organisation’s information. Their choice depends on (1) consideration of organisational factors including constraints on outsourcing decisions and (2) the value of information held within the organisation. This facilitated the development of a conceptual model of information security strategy and a substantive theory on information security strategy. The implications of this are that organisations can continue business operations towards the achievement of strategic goals using information as a resource, and that the selection of an information security strategy can lead to a more complete understanding of the comprehensive strategic plans required to implement operational security controls throughout an organisation, making them more applicable and cost effective.

Information Security Governance: A Case Study of the Strategic Context of Information Security

2017

Security governance influences the quality of strategic decision-making towards ensuring that investments in security are not wasted. Security governance involves a range of activities including adjusting organisational structures, designating roles and responsibilities, allocating resources, managing risks, measuring results, and gauging the adequacy of security audits and reviews. We draw on a case study to identify three security issues in an organisation around strategic context. These are (1) limited diversity in decision-making; (2) lack of guidance in corporate-level mission statements to security decision-makers; (3) a bottom-up approach to security strategic context development. We further argue that instead of an approach that is based on risk and controls, organisations should address objectives and strategies through developing depth in their security strategic context.