You are the new CISO of an international trading company and just got on board recently. Which of the following is the first and most concern for you?
A. Salary and benefits package
B. The role and responsibility (R&R) of CISO
C. To develop and implement an information security strategy
D. To elicit business and security requirements, and develop an information security program and supporting policies
Kindly be reminded that the recommended answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B, The role and responsibility (R&R) of CISO.
This post is the justification of the Information Security Governance Practice Question.
This question is designed based on Topic 1.2 (Evaluate and apply security governance principles) in Domain 1 of the CISSP exam outline.
Information Security is an emerging discipline and the CSO or CISO role enlisted in the senior management team is a trend. However, the title or name of the security function doesn’t necessarily determine the role and responsibility (R&R) well. One may be appointed as a CISO, while he or she is practically authorized to do things just like a middle information security manager. That’s why R&R is the first and most concern for a CISO to get things rolling.
A strategy is an approach or a high-level plan, usually prepared or developed by senior management. Strategy management divides into two parts: strategy development(formulation) and strategy implementation(execution). It’s impossible to implement a strategy (through an information security program) without its existence or before it is developed.
Information security strategy should align with business goals and corporate or business strategy; it comprises the (future) desired state, current state, and a roadmap with resource and constraint considerations to fill the gap between the desired and current state.
An information security program is a means to implement the information security strategy. A program-specific policy is usually developed to support the associated information security program.
The business mission/vision, goals, and upper-level strategy should be reviewed, and the business and security requirements should be elicited to develop an information security strategy and ensure strategic alignment.
The following is a generic reference process:
- Clarify and confirm R&R; communicate to redefine or modify it if necessary
- Review business mission/vision, goals and upper-level strategy, and elicit business and security requirements
- Develop an InfoSec strategy (Answer D is lack of a strategy)
- Implement the InfoSec strategy (through InfoSec program and policies)