It’s impossible for any one person to manage every aspect of securing the network, endpoints and data of an entire organization. The top of the security chain of command in most cases is the Chief Information Security Officer, though, so ultimately that responsibility falls on the shoulders of the CISO.
Security is everyone’s job. Each and every employee within a company has to have some basic security awareness and the common sense not to click on suspicious links or open file attachments from unknown sources. Employees should know better than to send sensitive or confidential material unencrypted across the public Internet, or log on to company network resources over a public Wi-Fi hotspot. Employees should also be familiar with the security policies of the company and the standard security measures that are in place on the company network and endpoints.
Security still begins and ends with the CISO.
The exact job description of the CISO will vary from one company to another—depending on the size and industry of the organization. A recent article from Forbes explained, “With today’s security landscape, the CISO needs to be more than the person in charge of making sure the firewall keeps out hackers. Often, the CISO needs to think like a CFO and work with individual departments on developing a security budget, like a lawyer to understand compliance and government regulations the industry must follow, and like an HR manager in order to work closely with staff and ensure they are following security protocols.”
When all is said and done, the CISO is the one who establishes security policies and is responsible for communicating and enforcing strong security measures with the rest of the company. The CISO can’t foresee everything and can’t completely prevent human error or rogue employees willfully violating security policies or circumventing security tools, but the CISO must be vigilant and ensure the organization and its information assets are as secure as reasonably possible.
In most companies there is a hierarchy and a chain of command. The CISO may only directly oversee top-level IT managers, and those IT managers oversee team leaders, who oversee employees. A decision made at the CISO level has to cascade down through multiple levels of organization and the CISO has to be able to trust those that work under him or her to communicate, monitor and enforce security policies and controls and to escalate any issues or potential issues so they can be resolved as quickly as possible.
When the proverbial “stuff” hits the fan it is generally the CISO who will be called to the carpet to explain what went wrong. The CISO is probably the first one to resign or be fired in the wake of a major security incident. No amount of finger-pointing or blame-shifting can change the fact that it’s the responsibility of the CISO to ensure major security incidents and data breaches don’t happen.
To take responsibility for information security and manage security effectively, the CISO needs to be a leader rather than a boss. As the saying goes, “A boss says ‘Go!’, a leader says ‘Let’s go!’.”
That’s where effective leadership comes in. The CISO has to select people he or she has confidence in to delegate to. Then the CISO has to strike a balance between doing too much—micro-managing to the point that IT managers can’t do their jobs—and doing too little—being so oblivious about the state of security that he or she doesn’t know what’s going on.