The responsibilities of the Chief Information Security Officer (CISO) provide a sound template that could guide the priority work of any national level cyber security agency. Whereas national cyber security agencies frequently become overwhelmingly occupied by specific elements of their role such as incident response (IR) or threat detection, the CISO role outlines what a comprehensive approach to cyber security looks like.
As you read these descriptions of the CISO - consider how well the national cyber security agency in your country fulfills these role(s) at the national level.
SANS (2021) describe the CISO as being responsible for:
Technical aspects ranging from securing communications, applications, and business systems to performing risk assessments of IT assets exposed to outsiders on the Internet.
Physical aspects including non-electronic factors such as physical site access as well as drafting policies and procedures for secure daily operations.
Overseeing the organization’s physical and technical security implementation, CISOs are also responsible for security management activities.
Training others for security awareness, purchasing security products, planning for and managing disaster recovery, developing secure business and communication practices, and ensuring all policies are followed.
Ensuring that security breaches do not result from any of the changes made in order to protect the organization.
The following are also important responsibilities carried out by CISOs.
Act as the organization’s representative with respect to inquiries from customers, partners, and the general public regarding the organization’s security strategy.
Act as the organization’s representative when dealing with law enforcement agencies while pursuing the sources of network attacks and information theft by employees.
Balance security needs with the organization’s strategic business plan, identify risk factors, and determine solutions to both.
Develop security policies and procedures that provide adequate business application protection without interfering with core business requirements.
Plan and test responses to security breaches, including the possibility for discussion of the event with customers, partners, or the general public.
Oversee the selection, testing, deployment, and maintenance of security hardware and software products as well as outsourced arrangements.
Ramachandran (2022) suggested the following areas should be considered part of the CISO role:
Enterprise IT Governance and Cybersecurity
CISOs should be subject matter experts in both areas collectively and should be able to present the emerging threats and the countermeasures adopted, as well as ROI metrics on cybersecurity initiatives, in simple terms to executive management and the board of directors. With the amount of technological transformation happening, CISOs are expected to advise the management on value delivery, strategic alignment, performance, and resource and risk management metrics.
Strategic Management and Vision
With technology being a great enabler for various new business initiatives, and innovation and cybersecurity being one of the very important factors to earn the trust and goodwill in the marketplace, CISOs should be able to translate the business strategy into implementable IT strategy and to play an important role in delivery of cyber-safe products and services.
Compliance with Global Laws
CISOs need to be on constant watch for various international regulations, such as NYDFS, CCPA, GDPR and FedRAMP. India recently released the Digital Personal Data Protection Bill, with the provisions coming into force anytime by the notification from the central government.
Continuous and Ongoing Learning
This cannot be overemphasized, as it is an integral task for every professional in cybersecurity. CISOs need to acquire deep domain knowledge, a mastery of skills related to evolving technology and various associated fields, such as forensic science and cybersecurity laws.
Chief Knowledge Officer
CISOs need to continuously update themselves on good practices of cybersecurity and evolving threats and then educate others in simple terms, demystifying the complexity and fear surrounding their fields.
CISO and Agility
Many successful CISOs have already incorporated the values emphasized in the manifesto for Agile software development, reproduced below.
Individuals and interactions over processes and tools: CISOs nowadays place a high premium on human interaction and people working together. Processes and tools can aid but can never replace human interaction.
Working software over comprehensive documentation: All security software and applications should be working perfectly and should be monitoring all events and warning incidents effectively. Documentation is important, but effective operation is mandatory.
Customer collaboration over contract negotiation: From the CISO’s perspective, stakeholders can include top management, peers, employees, enterprise customers, regulators and government authorities, as well as external vendors and service providers. The CISO needs to effectively collaborate and strive for a win-win relationship with everybody.
Responding to change over rigidly following a plan: It is massively difficult for a CISO to plan for every incident, event, disaster or threat. Therefore, using the collaboration principle stated above, the CISO should be able to respond to all incidents and regulatory changes in a timely and effective manner.
The SANS 'CISO mind map' also provides a good overview of the responsibilities of the CISO:
The question remains - how does your National Cyber Security Agency, National Cyber Security Centre, Cybersecurity & Infrastructure Security Agency, or CERT - compare against the responsibilities of a fully performing CISO function?
Does your cyber security agency have leadership responsibility over government with:
Governance
Security operations
Business enablement
Risk Management
Legal and regulatory
Leadership skills
Identity and Access Management
Security Culture
The question could be broken down more specifically:
It may be appropriate to question where security operations sit best across government. Is it better to have devolved cyber security teams dispersed across many agencies - or within your primary cyber security agency? Would a mixed/hybrid model work depending on what the security operational domain is?
Does cloud computing, big data, and the efforts to create stronger interoperability across government agencies make a more joined approach to cyber security operations more possible and necessary?
Are governance arrangements working adequately between agencies, their third party suppliers, and the central cyber security agency? Does this leave gaps or confusion around who is responsible for different aspects of governance? Are there opportunities to take a more efficient approach that makes better use of scarce national or government resources?
How connected is the national cyber security agency with the business of government and the products and services provided by line agencies? Is the national cyber security agency adequately connected to emerging technology and the accompanying security measures required?
Does the national cyber security agency either own, or have a strong connection to the owners of, 'risk management' for government? Is there a consistent understanding, maturity, and capability across agencies in this discipline?
Does the national cyber security agency have the capability to lead work to understand and respond to changing legal and regulatory settings? Who leads efforts across government to scan the international domain to detect legal and regulatory settings that may impact across government and beyond?
Does the national cyber security agency really lead the cyber security sector across government and enable agencies to undertake sound cyber security measures? Is the national agency leading the development of the discipline and seeking to maintain the right balance between government agencies and third parties?
Is the national cyber security agency leading and coordinating identity and access management across government? Are there opportunities to leverage cross government experiences and capabilities? Are there opportunities to link with national identity initiatives?
Is the national cyber security agency taking active steps to foster an appropriate security culture across government? Is this pitched at all information/classification levels or does it tend to focus on the more classified information?
Conclusion
The roles and responsibilities of CISOs as defined by internationally recognised entities such as SANS and ISACA provide a basis with which to compare the role and responsibilities of national cyber security agencies. An exercise can be undertaken whereby the national cyber security agency adopts the persona of the 'Government CISO'. This can be a very practical and informative way to determine whether your national agency is taking a comprehensive approach and whether assumptions around agency roles and responsibilities are clear.
A national cyber security agency can, for example, decide it will focus on a particular security operation without adequate understanding of the value for agencies, the offering of third parties, or the overall costs and benefits. This can create an imbalanced approach at the national and/or agency level and leave agencies vulnerable and in an unsustainable position. Another scenario is for the national cyber security agency to simply become too disconnected from the 'business of government' and not keep up with the strategic (digital) direction of government, emerging technology, innovation, and transformation - and consequently be required to continually react. It is recommended that a review be undertaken at the national level to assess how comprehensive the national approach is and what the gaps in roles and responsibilities are.
References:
https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2022/the-new-emergent-ciso