Chief Information Security Officer (CISO) is a formal position reporting directly to the Board. In large or regulated organisations this is clear and nothing new. From the independence and reporting perspective, in recent years we hardly see any organisation that does not recognise the need to address information security at Board level.
Still, there are many challenges for CISOs. Rapidly changing technology, the evolution of business models, the shortage of talent and the cost of the information security architecture (people, processes and technology) are keeping CISOs busy, and even awake at night in smaller organisations, where the CISO is also taking on some of the operational roles of combating advanced persistent threats (APT) that may compromise their organisation's information.
There is one positive trend, however, speaking in favour of the CISO, and that is the constant news of systems, companies and governments being compromised and blackmailed through information security attacks. This trend is helping CISOs and CIOs rationalise investments in information security, but that is far from enough to stay afloat and successfully manage information and wider corporate security.
Perhaps in the past we could view information security management only as a subdomain of operational risk management; today, however, that may not be enough.
We help CISOs focus on the right things, with the right resources, at the right time. Typical challenges we address together with CISOs are:
- Information Security Strategy
- Diagnostic reviews of security capabilities (e.g. SOC – Security Operations Centre)
- Information Asset Management and Corporate Architecture Management for Information Security
- Remediation of open Audit findings
- Specific cases