Information security is everyone’s job. Every person is responsible for exercising some common sense and cautious skepticism and doing his or her part to protect company data and network resources from exploits and compromise. Most of those people also have their own tasks and objectives and security, unfortunately, is not always a priority.
When push comes to shove, leaders have to take responsibility and the leader when it comes to information security is the CISO. I wrote this blog post about why the CISO has to ultimately be responsible for security:
It’s impossible for any one person to manage every aspect of securing the network, endpoints and data of an entire organization. The top of the security chain of command in most cases is the Chief Information Security Officer, though, so ultimately that responsibility falls on the shoulders of the CISO.
Security is everyone’s job. Each and every employee within a company has to have some basic security awareness and the common sense not to click on suspicious links or open file attachments from unknown sources. Employees should know better than to send sensitive or confidential material unencrypted across the public Internet, or log on to company network resources over a public Wi-Fi hotspot. Employees should also be familiar with the security policies of the company and the standard security measures that are in place on the company network and endpoints.
Security still begins and ends with the CISO.
The exact job description of the CISO will vary from one company to another—depending on the size and industry of the organization. A recent article from Forbes explained, “With today’s security landscape, the CISO needs to be more than the person in charge of making sure the firewall keeps out hackers. Often, the CISO needs to think like a CFO and work with individual departments on developing a security budget, like a lawyer to understand compliance and government regulations the industry must follow, and like an HR manager in order to work closely with staff and ensure they are following security protocols.”
When all is said and done, the CISO is the one who establishes security policies and is responsible for communicating and enforcing strong security measures with the rest of the company. The CISO can’t foresee everything and can’t completely prevent human error or rogue employees willfully violating security policies or circumventing security tools, but the CISO must be vigilant and ensure the organization and its information assets are as secure as reasonably possible.
In most companies there is a hierarchy and a chain of command. The CISO may only directly oversee top-level IT managers, and those IT managers oversee team leaders, who oversee employees. A decision made at the CISO level has to cascade down through multiple levels of organization and the CISO has to be able to trust those that work under him or her to communicate, monitor and enforce security policies and controls and to escalate any issues or potential issues so they can be resolved as quickly as possible.
Read the full post on the RSA Conference blog: Taking Responsibility for Information Security.