If your CISO is doing a good job setting policies, the SANS policy guidance suggests that he or she will be:
Identifying all of the assets that need to be protected
Identifying all of the vulnerabilities and threats, and the likelihood of each threat materializing
Deciding which measures will protect the assets in a cost-effective manner
Communicating findings and results to the appropriate parties (i.e. you and the board)
Monitoring and reviewing the process for improvement along the way
“If I could have a CEO boot camp, I’d say, ‘Make sure you put security top of mind to all of your direct reports: your CFO, your CIO, your HR people, your sales people and so on,’” Pescatore says. “For most businesses today, the product is information and security is key. So you have to make sure that your top reports understand that security is part of their evaluation. It’s not just the CIO’s responsibility. It is part of life for every one of your direct reports.”
The responsibility for security oversight and policy development doesn’t rest solely on the CISO’s shoulders, either. As chief executive, you should also be guiding a program of information security governance that reaches far beyond the IT department.
What I wish my CEO knew about security…
“Information security is not simply an IT issue. Information security is the responsibility of every employee, beginning with the CEO. Awareness, detection and remediation are also everyone’s responsibility. We can invest in tools that will mitigate the risk, and tools to audit how well we are mitigating the risks, but at the end of the day, it is the individual users who most significantly impact the security of information at an organization. If we start with the idea that the management of the investment we have in information is of paramount importance, we will make decisions that ensure its security throughout all levels of the organization. In this way, the products, policies, procedures and audits you put in place will not be sidestepped, downgraded or ignored for the comfort of the end user.”
Tony Hildesheim, Vice President of Information Technology
Washington State Employees Credit Union