As the CISO of a multinational corporation, which of the following least likely belongs to one of your responsibilities? (Wentz QOTD)
A. Formulate the corporate strategy
B. Report to the CFO as your supervisor
C. Support delivery of products and services
D. Establish an information security management system

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Formulate the corporate strategy.

Typically, the CEO is in charge of formulating the corporate strategy, or the grand strategy, with inputs from the board and support from the senior management team.

The CISO is not the primary role in developing the corporate strategy but the information security strategy that aligns with the corporate strategy to create value and fulfill the organizational vision and mission. Besides, he has to position the security function (department), determine its organization, roles, and responsibilities, integrate security into organizational processes, support continuous delivery of products and services (the so-called “business continuity”), and protect information assets to enforce security. An information security management system (ISMS) ensures security policies are developed and implemented effectively.

The reporting line of the CISO varies across organizations and has pros and cons, but it’s not impossible for the CISO to report to the CFO or other senior officers.

• The arrangement that a CISO reports to the CIO may lead to a conflict of interest.
• The arrangement that a CISO reports to the CFO may consume more time to communicate technical stuff.
• The arrangement that a CISO reports to the audit function will adversely affect its independence.

Reference

• What is Security Function
• Information Security Functions & Responsibilities
• Managing a security function: diagnostic version 1 Digest
• Corporate security
• Roles of Security Management in the Organisation
• How to organize your security team: The evolution of cybersecurity roles and responsibilities
• The Marriott data breach
• ICO fines Marriott International for failing to keep customers’ personal data secure
• What is Corporate Strategy?
• Who has the responsibility for developing a company’s strategic plan?
• How to Develop Your Corporate Strategy (CEOs Share Best Tips and Tools)
• Strategic Planning in Diversified Companies
• How to Evaluate Corporate Strategy

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

• It is available on Amazon.
• Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.

作為一家跨國公司的CISO，以下哪項最不可能是您的責任？ (Wentz QOTD)
A. 制定企業戰略
B. 向您的主管CFO報告
C. 支持產品和服務的交付
D. 建立資訊安全管理系統 (ISMS)