The CISO advises the executive team on how the organisation must meet the security and privacy requirements that apply to doing business in its industry and in the territories where it operates. The CISO oversees a team that together has a 360-degree view of the risks facing the enterprise and puts in place the security technologies and processes needed to minimise those risks to the organisation.
Here is a clear and coherent CISO job description:
Provide leadership, vision, and management to the various engineering and operations teams across the central IT Division (on a dotted-line basis); to the decentralized technical teams within departments; and to the <COMPANY> as a whole.
Lead programs and processes to monitor the emergence of new threats and vulnerabilities, assessing impacts and driving responses as appropriate.
Ensure that clear and timely business advice is provided to executive management on key information security and assurance issues.
Establish an information security and risk management functional capability and framework across the organization.
Ensure that information security and risk is adequately represented on relevant business and governance forums and is known, well-integrated, and addressed across the enterprise.
Ensure the delivery of the following key areas:
Information Security Oversight
- Provide leadership, vision, and direction on information security to the information security staff, across the central IT division, and enterprise-wide.
- Oversee and coordinate all aspects of alignment of the <COMPANY>’s Information Security Management System (ISMS) with ISO 27001.
- Build sound business relationships across the enterprise to enable a strong understanding and close alignment with business needs, direction, and risk appetite.
- Manage the creation and production of timely, accurate, and informative business and IT metrics relating to information risk initiatives. Utilize the metrics to prioritize key initiatives and respond to negative trends.
- Create, manage, deliver to the staff, and review effective information security awareness training.
- Ensure that all IT and information security programs are in compliance with applicable laws, regulations, and policies.
Information Risk Management
- Drive and maintain the information security management system, including information risks across the enterprise.
- Align with the <COMPANY>’s risk management strategy and build out information security specific elements, collaborating with appropriate business management heads and committees to get buy-in and build momentum.
- Collaborate with application owners to understand and address (as appropriate) the risk position around key business applications.
- Design a threat assessment framework. Develop and obtain management approval for short and long term strategies, roadmaps, and business cases to appropriately mitigate, detect, and deter information security threats.
- Ensure ongoing analysis of information security threats, vulnerabilities, and market trends. Determine potential impact on the organization’s risk posture.
- Oversee the development and maintenance of an information security policy set, including standards and processes that fit the organization at all levels. Seek and confirm management approval as required.
- Ensure Agency-wide implementation of policies, reflecting varying departmental needs where necessary.
- Manage the process to administer policy exceptions, ensuring that they are subject to appropriate controls, both before and after approval.
- Ensure that strategic information security and risk guidance is provided to third-party suppliers in accordance with internal frameworks, and ensure compliance with required controls.
- Conduct information security risk assessments across the enterprise at suitable intervals. Ensure that key risk issues are understood, communicated, and tracked on the risk register.
- Regularly verify that required information security and risk controls are in place, raising findings as noncompliance is found and driving improvement.
- Ensure that internal and external audits are supported in development of an annual strategic audit plan.
- Develop and maintain an effective information security architectural approach, ensuring that the approach is implemented in accordance with appropriate standards.
- Liaise with enterprise architecture to ensure that information security architecture standards, policies, and procedures are available and enacted consistently across application development projects and programs.
- Liaise with the relevant parties to ensure that appropriate controls are implemented to prevent recurrence of information security incidents.
- Collaboratively engage with other IS functions and business representatives to facilitate a globally standardized approach and governance structure to information security and risk.
- Collaborate with enterprise architecture to define physical, virtual, and logical information security architecture specifications.
- Ensure the consistent application of security standards across global technical infrastructure.
Security Engineering and Operations
While various units within IT have direct responsibility for Security Operations, most notably the Security Systems Unit in the Infrastructure Services Section, the CISO has an oversight role for the following functions:
- Establish processes to respond in a timely and proactive manner to significant information security breaches.
- Monitor, manage, and deploy security controls as appropriate to support business needs while minimizing risk.
- Oversee the close management and analysis of security information and events.
- Respond appropriately to investigations and forensic requests, managing situations with discretion, sensitivity, and objectivity, and with due consideration of chain-of-custody.
- Ensure that processes are in place and that staff is appropriately skilled to respond to security incidents.
- Lead the effort to maintain an effective and timely program to manage identity and access privileges.