Chief Information Security Officers (CISOs) are responsible for ensuring various aspects of their organization’s cyber and information security. Traditional information security strategies and functions are no longer adequate when dealing with today’s increasingly expanding and dynamic cyber risk environment. The continuous occurrence of highly publicized, global cyber intrusions illustrates the inadequacy of reactive controls- and practices-based approaches, which may be necessary but are not sufficient for protecting and sustaining an organization’s critical cyber assets.
A CISO should be responsible for governing, managing, and performing a range of security functions. How does a CISO make sense of these functions and select those that are most applicable to his or her organization’s mission, vision, and business objectives?
In assisting a large, diverse, U.S. national organization in answering this question, we considered the following inputs:
- Sources describing the expanding operational risk environment with respect to IT operations, cybersecurity, business continuity, and disaster recovery.
- Numerous discussions over several years with CISOs and security professionals.
- In-depth analysis of recent, large-scale, high-impact cybersecurity incidents, including the identification of what worked well and what did not.
From these inputs and our experience developing and applying the CERT Resilience Management Model, we identified the following CISO functions:
- Protect, Shield, Defend, and Prevent
- Proactively protect, shield, and defend the enterprise from cyber threats, and prevent the occurrence and recurrence of cybersecurity incidents commensurate with the organization’s risk tolerance.
- Ensure that the organization’s staff, policies, processes, practices, and technologies monitor ongoing operations and actively hunt for and detect adversaries, and report instances of suspicious and unauthorized events as expeditiously as possible.
- Respond, Recover, and Sustain
- When a cybersecurity incident occurs, minimize its impact and ensure that the organization’s staff, policies, processes, practices, and technologies are rapidly deployed to return assets to normal operations as soon as possible. Assets include technologies, information, people, facilities, and supply chains.
- Govern, Manage, Comply, Educate, and Manage Risk
- Ensure that the organization’s leadership, staff, policies, processes, practices, and technologies provide ongoing oversight, management, performance measurement, and course correction of all cybersecurity activities. This function includes ensuring compliance with all external and internal requirements and mitigating risk commensurate with the organization’s risk tolerance.