
CISO Strategy Building Blocks

CISO is not an easy role to be in. The scope of CISO responsibilities spans almost all aspects of the business in the form of risk management. This includes, but is not limited to, security operations, compliance, architecture, business partners, legal, Human Resources, and overall risk management. The following diagram shows some of these areas.

Figure: CISO Job Responsibility Mindmap

Managing everything with limited resources and a continuous battle of cost justification takes a lot of discipline. Prioritization, continuous risk assessment, establishing partnerships, and managing expectations are keys to a CISO's success. Create an ongoing Plan-Do-Check-Act cycle and delegate as much as you can. Base your strategy on data, and create short-term tactical as well as long-term strategic goals.

This book is an effort to share knowledge by learning from the experiences of successful CISOs who are able to bring order to this chaos.

Suggested Actions

  • Find Time to Strategize – Don’t get bogged down by day-to-day work. Set aside time to think about strategy.
  • Set Priorities – Set priorities, as it is difficult to focus on everything at the same time. You can set your priorities with a 3-year roadmap (or something similar).
  • Security is a Shared Responsibility – Security is everybody’s responsibility. Find partners within your IT organization who can share some of the responsibilities. For example, the network team may help in security operations. Server and desktop teams will have a stake in identity management. Partner with application development on secure coding practices.
  • Focus on Risk – Focus on risk, not on specific technologies.
  • Strategy and Tactics – Determine short-term and long-term goals that give the best value for reducing risk.
  • Avoid Complexity – Complexity is the enemy of security. There is always a simpler way of doing things. If things look complex to people, they most probably are. Find ways to simplify them.