Why the CISO (Chief Information Security Officer) is Important to an Organisation

As the most senior cyber security executive, the Chief Information Security Officer (CISO) ensures the safety of the organisation's data and private information. In this ever-evolving digital era, with innumerable cyber attacks taking place, a data breach puts a heavy dent in the business, making it extremely important to invest in this role. In this article, we explore RB members' thinking on the responsibilities of the CISO and the essential skills, traits and experience required to become a CISO. Next we examine the reporting structure of the CISO and CISO-CIO alignment. Finally, we wrap up with a 12-month plan for this role.

This role focuses on four main objectives: protecting against, detecting, responding to and managing any information security incident within the organisation, while simultaneously supporting the organisation's core business objectives.

Fig 1.1 - CISO
For the first objective, prevention of or protection against cyber security incidents, the CISO works closely with IT to implement and manage the IT infrastructure with regard to information security. He develops and executes the IT security strategy and embeds it in all projects and initiatives across all functions. He does this by establishing and maintaining the Enterprise Security Architecture, including Identity and Access Management, which provides the IT team with tools and technologies to control user access to critical information within the organisation.

To achieve the second objective, identifying or detecting cyber risk, the CISO monitors ongoing operations to hunt for and discover cyber security threats. When a threat is found, it is his prime duty to report it to management as soon as possible.

Thirdly, when a cyber security incident occurs, the CISO has to minimise its impact and ensure that the organisation's operations return to normal as soon as possible. The Computer Emergency Response Team (CERT) helps the CISO fulfil this objective. A global information security program is run to address major risks, and Disaster Recovery Testing is done to ensure that the organisation can recover data, restore business-critical applications and continue operations after an incident.

The last objective, management of information security, deals with establishing governance, creating awareness, ensuring compliance and conducting risk management in the organisation with regard to security. With the help of the necessary training programs, he educates the organisation about the importance of IT security. He then establishes security-related policies and guidelines and ensures that the entire organisation adheres to them. These policies are aligned with the IT strategy and overall company goals. He does this by preparing draft security guidelines and standards and sharing them with management for approval, after which they are published to all employees.

These standards help monitor organisational compliance. The compliance function is fulfilled by maintaining an up-to-date Information Security Risk & Security Control Framework, Security Architecture, Security Standards and Security Awareness. To create IT security concepts, he applies information security principles, embeds risk management and conducts regular risk assessments. Further, he measures the effectiveness of the security programs through rigorous and ongoing measurement of operations.

He also advises the Board on all information security related issues. An additional responsibility for Insurance member 4's CISO is to demonstrate the status and results of the security function to the Board of Directors, with the help of his reporting manager, the Chief Information Officer (CIO).

This role includes maintaining an externally focused, collaborative, externally benchmarked information security program. He is responsible for collaboration and interaction with multiple internal and external stakeholder groups, and for guiding and controlling the global CISO community.

For this, the CISO must have a strong network of professional connections to ensure that adoption of leading-edge practice is part of the thinking and planning that drives vision and strategy in a fast-changing technological and threat environment. Further, he identifies the Information Management Risk Portfolio, evaluates the risks and proposes mitigation measures.

In the case of Insurance member 2, the CISO works directly with lines of business, audit, corporate risk, legal and other key stakeholders to assess security risks and establish security risk profiles, risk tolerance levels and mitigation strategies company-wide.

He initiates and fosters partnerships with IT staff, IT executives, business partners and industry peers, as well as appropriate law enforcement and related government agencies. He hires and retains a team of security professionals responsible for delivering security and privacy products and services.

He also oversees the development of security awareness programs, communications and training. Lastly, he is responsible for optimising the annual security initiatives and investments.

CISO PRIORITIES FOR NEXT 12 MONTHS

The CISO's cyber security priorities for the next 12 months are closely aligned with the organisation's core business objectives and are listed below.

Under the CISO's threat protection function, the first and foremost priority is to minimise exposure to risk across the threat landscape and ensure that basic security controls (management, operational and technical) are working effectively.

Fig 1.2 - Responsibilities
The plan to fulfil this is to continuously improve and modernise security frameworks and physical security capabilities across all levels of security, ultimately achieving operational excellence. This helps meet the demands of the overall technology strategy and enables measurement and reporting of risk based on internal Indicators of Compromise (IoC).

For the telecommunication member, creating a cohesive and sound security culture among the CISOs of its major operating companies is an important priority. One of the most important priorities for Pharma member 2, on the other hand, is to migrate the company's data and private information from a physical data centre to cloud servers, while the conglomerate member focuses on applying the Internet of Things with a risk-based security approach.