Executive Security Management
Executive security management involves acting as the
enterprise control function for implementing and verifying the
implementation of enterprise protection designed to meet the duty to
protect by adequately protecting the things that have to be protected.
Specifically, it is the task of the chief information security officer
(CISO) to apply the power and influence of their position to effectively
control the protection program.
The major role of the CISO is in defining the
organizational governance architecture for security and implementing an
effective control scheme over organizational perspectives and business
processes that implement that architecture. An indirect effect of this
activity produces the control architecture, technical security
architecture, protection processes, protection mechanisms, and content
and its business utility, however the CISO rarely has direct control
over any of theses things. The role of the CISO also extends to direct
responsibility over business and people life cycle issues.
Governance architecture: Typically, the
governance structure of the security function is reflective of the
overall governance structure of the enterprise.
Structure: The CISO should have links into
all of the relevant governance functions within all business units and
at the enterprise level into cross-cutting functions that apply to many
or all business units. These links should allow influence and feedback
associated with the different aspects of the protection function.
Influence: The CISO must understand how to
apply influence and have the power and mandate required to exert that
influence as appropriate, however, this influence is almost always
applied in a gentle manner using reasoning and liking before force and
acting on behalf of the executive committee to implement the duties to
Feedback: The positional power of the CISO
must grant the ability to examine almost any information at the
enterprise from a standpoint of understanding protection effectiveness.
This must include access to audit reports and the capacity to influence
audits, access to protection settings down to the smallest detail,
access to evidence of various sorts, and access to people and their
ability to understand and report on events. This is more often a people
feedback mechanism than a technical feedback mechanism at the CISO's
Organizational perspectives and business processes: The CISO typically cuts across many
different business perspectives. [Drill-Down] These include but are
not limited to:
Management: Protection management deals
with the management structure of organizations and how they control
their operations. The basic concept is that an organization is like a
truck - and the management steers it. If the truck is out of control,
it will crash. If it is in control, it will be highly competitive in
Policy: Policy is a governance issue.
Properly defined policies identify organizational values and associate
responsibility with assuring that those values are attained and
retained. Policy normally provides the means for decision making and
power, provides an authorized means of appealing decisions, and
identifies other governance issues and bodies tasked with making
day-to-day operational decisions. [Drill-Down]
Standards: Standards are commonly used to
identify specific requirements associated with specific circumstances.
They provide the means by which economies of scale may be attained in
the reuse of well-developed and previously understood results.
Standards also commonly provide easy interoperability. [Drill-Down]
Procedures: Procedures are the
instantiation of standards in specific, realizable, terms.
Documentation: Documentation is used to
support policy, standards, procedures, and all other aspects of
Audit: Audit is the means by which
management gets necessary feedback about the effectiveness of controls.
For this reason, internal audit is normally a top-level management
function, and external audit is normally performed at the ongoing
request of top management as an independent verification that internal
audit is doing the job properly. [Drill-Down]
Testing: Testing is the means by which
asserted behavior is verified.
Technical Safeguards: Technical safeguards
provide automated means by which protection is affected. [Drill-Down]
Personnel: Personnel carry out the
protection activities. Given proper guidance, knowledge, and controls,
people doing their jobs properly will result in effective protection.
Incident Handling: When incidents occur, if
they are detected, the organization's response results in the
reassertion of control that was partially lost during the incident. A
better response capability provides the means for regaining control more
quickly and with less damage along the way.
Legal: Generally, legal requirements
include laws, regulations, and liability issues and can have criminal
and civil implications toward individuals and organizations.
Physical: There is no effective protection
without physical protection. Physical protection generally involved
preventing or mitigating the effects of physical events that disrupt
normal operations of information systems.
Awareness: People are far more effective in
playing their part in information protection when they are kept aware of
what their part is. Awareness programs are used to provide assurance
that awareness is kept up-to-date.
Knowledge: For individuals with substantial
responsibility for both carrying out and helping to define protection in
an organization, education is needed in order to provide them with the
deep knowledge required to make proper decisions. For people with
specific responsibilities for information protection, training in the
proper way to carry out their duties is important to success.
Organization: Organizational structure and
culture create an atmosphere that can be more or less conducive to
effective information protection.
Business life cycles: Business life cycles
include critical elements of due diligence that are under the purview of
the CISO and the CISO must typically be involved in all major changes to
business structure including but not limited to mergers, breakups, going
public or private, large-scale terminations, and restructuring.
People life cycles: The CISO is typically
strongly involved in the definition of people life cycles and heavily
involved when large-scale personnel changes are underway.
The CISO or equivalent business executive who is
tasked with governing the enterprise security process is an executive
level individual with great responsibility, regularly reporting to the
CEO and the board of directors, and intimately involved with and
understanding the issues underlying large-scale business decisions. As
such this individual is a key member of the enterprise executive