The security landscape is constantly changing, and so is the role of the Chief Information Security Officer (CISO). Once a primarily technical role, it has become a strategic business function.
Accordingly, CISOs must take a proactive, pragmatic, business-focused approach to security. This paper sets out five major areas of focus for the pragmatic CISO.
First, understand the extended enterprise and its associated risks. This means taking a data-centric approach and recognizing that the data to be protected may sit inside or outside the organization's boundaries. Do not overlook third parties: they are often a major source of security risk. Then identify and comprehend the organization's security issues by carrying out a high-level maturity assessment, benchmarked against peers and best practices. Increase visibility into those issues through vulnerability scanning and monitoring of security events.
Next, build a culture of security across the organization. Everyone shares the responsibility for protecting data, with no exceptions, not even for senior management. Reinforce this by training everyone thoroughly and regularly through a layered security awareness program. Finally, recognize that you will most likely be compromised at some point. Plan accordingly and be ready to respond.