The Chief Information Security Officer: An Exploratory Study
Related papers
The Role of the Chief Information Security Officer (CISO) in Organizations
CAPSI 2019, 2019
In an increasingly connected and digital world, information is seen as a business enabler and a source of sustained competitive advantage. Thus, information security is becoming critical to protect these information assets, which is why organizations' information security strategy has been aligning with their strategic goals. This paper aims to study organizations' general information security environment, analyse the CISO's role in them and understand where they should be positioned in the organizational structure. Interviews were conducted with experienced information security consultants, information systems and information security directors, which allowed us to conclude that organizations in Portugal still need to increase their maturity when it comes to information security, and that this may be due to the absence of an established security culture in the country. On the other hand, the CISO's role has been increasing in relevance, and it is considered that it should have a close and independent relationship with organizations' boards.
2017
In today's world, information is one of the most important assets for any organization, and securing information has become strategic and even critical to the survival of the organization. Most organizations have information systems and organizational structures that include the role of a Chief Information Security Officer (CISO), although not necessarily under this specific title. This paper proposes a model using quantitative and qualitative research to evaluate the relationship between the CISO's place within the organizational structure and the organization's current level of information security maturity. Interviews, conducted with twenty-five Portuguese public and private organizations, were based on the information security maturity model and the high-level RACI (Responsible, Accountable, Consulted and Informed) chart of the CISO's role, outlined in COBIT 5. The resulting data was statistically analysed using correlation matrices and scatter plots.
Defining the Strategic Role of the Chief Information Security Officer
Pacific Asia Journal of the Association for Information Systems, 2018
The level of sophistication and dynamism of the security threat environment requires modern organizations to develop novel security strategies. The responsibility to strategize falls to the Chief Information Security Officer (CISO). A review of the security literature shows there has been little emphasis on understanding the role of the CISO as a strategist. In this research, we conduct a systematic literature review from the disciplines of information security and strategic management to identify specific attributes required by CISOs to become effective strategists. We discuss these attributes in the context of Information Security Management and argue that CISOs with these attributes or capabilities are better positioned to overcome the existing strategic security challenges facing organizations.
From Corporate Bully to Security Cheerleader: Transforming the Identity of the CISO
2012
Most organizations now have a Chief Information Security Officer (CISO). While it may seem obvious that their role is to define and deliver organizational security goals, there has been little discussion on what makes a CISO effective. In this paper, we report the results from 5 in-depth interviews with CISOs, which were analysed using discourse analysis. The results show that CISOs are currently struggling to gain credibility within their organization, due to lack of power, confused identity, and their inability to engage effectively with employees. In response, they are trying to transform their current identity, which is essentially that of a corporate bully. We propose a new security paradigm: to succeed, CISOs and Operational Security Managers need to become security cheerleaders, developing effective ways of communicating with employees and engaging them in security initiatives. We also identify a key responsibility for CEOs: to remove the blockages that prevent information se...
Research Purpose: The purpose of this research is to describe the responsibilities of Texas Chief Information Security Officers (CISOs). This research should give stakeholders and policy makers a better understanding of Chief Information Security Officers' responsibilities. In addition, it provides information security professionals a landscape of CISOs' responsibilities. A comprehensive review of the literature was used to develop a framework with five descriptive categories: managerial, legal, technical, career development, and information security. Method: This research, via a survey developed from the conceptual framework, gathered data on the responsibilities of CISOs. An open records request was sent to all state offices in Texas. The survey was distributed to 100 CISOs. After carefully sifting through the responses received for the open records request, a total of 100 names of CISOs or similar titles were obtained. As a result, the survey was administered to a total of 94 potential respondents. A total of 27 individuals responded to the survey, and out of the 27 respondents only eleven explicitly identified as Chief Information Security Officers. Results: The results of this survey show that CISOs overwhelmingly rate several managerial, legal, and information security responsibilities as extremely important. Extremely important responsibilities include risk management (77%), incident response (77%), information security policies (74%), procurement and contracts (70%), ethics (81%), data security (89%) and network security (70%). Survey results also revealed that respondents regarded software development as not part of CISO responsibilities (66%).
Information Security Governance for the Non-Security Business Executive
Journal of Executive Education, 2013
Information security is a critical aspect of information systems usage in current organizations. Often relegated to the IT staff, it is in fact the responsibility of senior management to assure the secure use and operation of information assets. Most managers recognize that governance is the responsibility of executive management. The primary objective of governance can be achieved when the members of an organization know what to do, how it should be done, as well as who should do it. The focus on governance has expanded to include more aspects of the organizational hierarchy, including information systems and information security. This article offers value to the executive by first defining governance as it is applied to information security and then exploring three specific governance-related topics. The first of these examines how governance can be applied to the critical aspect of planning for both normal and contingency operations. The next topic describes the need for measurement programs and how such metrics can be developed for information security assessment and continuous improvement. Finally, aspects of effective communication among and between general and information security managers are presented.
The Chief Information Security Officer and the Five Dimensions of a Strategist
2017
The modern organisation operates within a sophisticated and evolving security threat landscape that exposes its information infrastructure to a range of security risks. Unsurprisingly, despite the existence of industry 'best-practice' security standards and unprecedented levels of investment in security technology, the rate of incidents continues to escalate. Furthermore, a review of the security literature reveals an apparent lack of strategic perspective in the field of information security management (ISM), which results in a number of strategic challenges for the ISM function in organisations. The level of sophistication and dynamism of the threat requires organisations to develop novel security strategies that draw on creative and lateral thinking approaches. Such a security campaign requires the Chief Information Security Officer (CISO) to function as a 'strategist'. However, there is little or no evidence in the security literature to show that the security leader is required to function as a strategist. In this research, we set out to identify the specific competencies required by CISOs to become effective strategists by performing a systematic literature review of both security and strategic management literature. We thematically analysed and coded the characteristics extracted from the strategic management literature into the five dimensions of the strategist. We discuss these macro competencies in the context of ISM, and argue that CISOs with these five dimensions of a strategist will be able to overcome the existing strategic challenges facing ISM in organisations.
Does CIO risk appetite matter? Evidence from information security breach incidents
International Journal of Accounting Information Systems, 2018
After a series of recent high-profile information security breach incidents, practitioners have engaged in heated debates about the role of the chief information officer (CIO), particularly his/her role in information security risk management. However, little is known in the academic literature about how a CIO's appetite for risk affects the effectiveness of information security management. We address this gap by examining how a CIO's risk appetite is associated with information security breach incidents. We show that the level of CIO risk aversion is negatively associated with the likelihood of breach incidents. Furthermore, we find that this association is stronger if the company's chief executive officer (CEO) is also risk averse. In additional analyses, we show that the relationship between CIO risk aversion and breach incidents varies depending on breach type and the strategic position of the company, and is moderated by the CIO's power.
Exploring the Factors Influencing Top Management Involvement in Information Security
2017
Organizations that rely heavily on ICT face bigger challenges in safeguarding their information assets. Organizations need to be vigilant to cope with ever-growing information security risks and threats arising from technological advancement. All employees, from senior management to the most junior subordinate, have the responsibility to protect organizational information from such threats. Top management members are accountable for playing imperative roles in steering information security programs to ensure that the confidentiality, integrity and availability (CIA) of valuable organizational assets are protected. They should be more involved, to allow information security to become an intrinsic part of corporate governance. However, information security is often viewed as a technical and operational issue rather than a business issue, and is thus delegated to the IT and security teams. This conceptual study aims to explore this current phenomenon by investigating the factors influencing top management in governing information security implementation in organizations. A qualitative research approach is proposed for this study, interviewing members of top management in Malaysian public sector organizations. An understanding of the influencing factors would assist in formulating a dedicated information security training and awareness framework tailored for top management. Since most information security awareness programs are designed for lower- and middle-level employees, this study aims to fill this gap by focusing on specific training guidelines for top management. The proposed framework will help public sector organizations to produce, or improve existing, competency development programs. It will help the members of top management to exercise due diligence and understand their roles and responsibilities as the key driver in governing information security implementation in their organizations.