Executive Security Management

Executive security management involves acting as the enterprise control function for implementing and verifying the implementation of enterprise protection designed to meet the duty to protect by adequately protecting the things that have to be protected. Specifically, it is the task of the chief information security officer (CISO) to apply the power and influence of their position to effectively control the protection program.

The major role of the CISO is in defining the organizational governance architecture for security and implementing an effective control scheme over organizational perspectives and business processes that implement that architecture. An indirect effect of this activity produces the control architecture, technical security architecture, protection processes, protection mechanisms, and content and its business utility, however the CISO rarely has direct control over any of theses things. The role of the CISO also extends to direct responsibility over business and people life cycle issues.

  • Governance architecture: Typically, the governance structure of the security function is reflective of the overall governance structure of the enterprise.

    • Structure: The CISO should have links into all of the relevant governance functions within all business units and at the enterprise level into cross-cutting functions that apply to many or all business units. These links should allow influence and feedback associated with the different aspects of the protection function.

    • Influence: The CISO must understand how to apply influence and have the power and mandate required to exert that influence as appropriate, however, this influence is almost always applied in a gentle manner using reasoning and liking before force and acting on behalf of the executive committee to implement the duties to protect.

    • Feedback: The positional power of the CISO must grant the ability to examine almost any information at the enterprise from a standpoint of understanding protection effectiveness. This must include access to audit reports and the capacity to influence audits, access to protection settings down to the smallest detail, access to evidence of various sorts, and access to people and their ability to understand and report on events. This is more often a people feedback mechanism than a technical feedback mechanism at the CISO's level.

  • Organizational perspectives and business processes: The CISO typically cuts across many different business perspectives. [Drill-Down] These include but are not limited to:

    • Management: Protection management deals with the management structure of organizations and how they control their operations. The basic concept is that an organization is like a truck - and the management steers it. If the truck is out of control, it will crash. If it is in control, it will be highly competitive in delivering results.

    • Policy: Policy is a governance issue. Properly defined policies identify organizational values and associate responsibility with assuring that those values are attained and retained. Policy normally provides the means for decision making and power, provides an authorized means of appealing decisions, and identifies other governance issues and bodies tasked with making day-to-day operational decisions. [Drill-Down]

    • Standards: Standards are commonly used to identify specific requirements associated with specific circumstances. They provide the means by which economies of scale may be attained in the reuse of well-developed and previously understood results. Standards also commonly provide easy interoperability. [Drill-Down]

    • Procedures: Procedures are the instantiation of standards in specific, realizable, terms.

    • Documentation: Documentation is used to support policy, standards, procedures, and all other aspects of protection.

    • Audit: Audit is the means by which management gets necessary feedback about the effectiveness of controls. For this reason, internal audit is normally a top-level management function, and external audit is normally performed at the ongoing request of top management as an independent verification that internal audit is doing the job properly. [Drill-Down]

    • Intelligence: Intelligence (and counter-intelligence) covers outward facing and inward facing understanding of the external and internal environment and countering of such understanding by unauthorized others. It includes several areas, without limit, including threat identification and assessment, offensive and defensive influence operations, and operations security.

    • Testing: Testing is the means by which asserted behavior is verified.

    • Technical Safeguards: Technical safeguards provide automated means by which protection is affected. [Drill-Down]

    • Personnel: Personnel carry out the protection activities. Given proper guidance, knowledge, and controls, people doing their jobs properly will result in effective protection.

    • Incident Handling: When incidents occur, if they are detected, the organization's response results in the reassertion of control that was partially lost during the incident. A better response capability provides the means for regaining control more quickly and with less damage along the way.

    • Legal: Generally, legal requirements include laws, regulations, and liability issues and can have criminal and civil implications toward individuals and organizations.

    • Physical: There is no effective protection without physical protection. Physical protection generally involved preventing or mitigating the effects of physical events that disrupt normal operations of information systems.

    • Awareness: People are far more effective in playing their part in information protection when they are kept aware of what their part is. Awareness programs are used to provide assurance that awareness is kept up-to-date.

    • Knowledge: For individuals with substantial responsibility for both carrying out and helping to define protection in an organization, education is needed in order to provide them with the deep knowledge required to make proper decisions. For people with specific responsibilities for information protection, training in the proper way to carry out their duties is important to success.

    • Organization: Organizational structure and culture create an atmosphere that can be more or less conducive to effective information protection.

  • Business life cycles: Business life cycles include critical elements of due diligence that are under the purview of the CISO and the CISO must typically be involved in all major changes to business structure including but not limited to mergers, breakups, going public or private, large-scale terminations, and restructuring.

  • People life cycles: The CISO is typically strongly involved in the definition of people life cycles and heavily involved when large-scale personnel changes are underway.

The CISO or equivalent business executive who is tasked with governing the enterprise security process is an executive level individual with great responsibility, regularly reporting to the CEO and the board of directors, and intimately involved with and understanding the issues underlying large-scale business decisions. As such this individual is a key member of the enterprise executive management team.

For more details and in-depth coverage of these issues, download and read "Enterprise Information Protection"