Being a CISO: A Bird’s-Eye View

October 4, 2017 | Views: 3995


What is a CISO?

A CISO is an organization's chief information security officer: the person responsible for defining security policies, managing those policies together with the information, assets and risks they cover, and creating security programs and awareness plans.

What is the profile of a CISO?
There is no single 'cut and dried' path to becoming a CISO in a public or private organization. Many professionals start in computer security and work their way up. Beyond the undergraduate and postgraduate training that provides the necessary technical knowledge, the appropriate profile seems to be roughly 50% technical, meaning the individual understands computer security, and 50% leadership and management, meaning the individual can lead people, plans, and actions through to completed and accepted goals.
A CISO should know the technical side, because they must be able to talk with administrators and security analysts, as well as with the organization's managers, without difficulty. Whether in technical or managerial language, communication should be clear and effective.
Are information security (INFOSEC) and computer security (ITSEC) the same thing?
It is often thought that information security is only about preventive and reactive controls, or about configuring the IDS/IPS, the antivirus, or the spam filter. In fact, we are talking about risk scenarios and the treatment of risks to security, and this is a distinction that will take time to be properly understood: information security is the broader discipline, and it has an articulating arm in the management of computer security and cybersecurity.
Information security is responsible for protecting information assets in all their formats. The 14 domains of ISO 27001:2013, for example, organize the protection of information assets, whether electronic or on paper, people, and processes through detective, preventive, dissuasive, reactive, and compensatory controls.
Considering how fast technology is advancing in the information age (cloud computing, smart cities, the Internet of Things, Industry 4.0) and, on the other side, malware as a service, it is imperative that organizations take precise, clear steps to take better care of their information assets and, as recent cases have shown, of citizens' information.
Part of information security is convincing top management of how important an effective safeguard of information assets is, in precise, clear language: business language. Without the support of the business, any policy will be insufficient. Let's not forget that it is people who are responsible for complying with the policies, and if they do not have the mandate or the motivation to do so, frankly, no awareness campaign will achieve it.
What is the triad?
Next, as a complement, we identify the pillars on which the management of information security rests, and what each one contributes to the service in the quest to generate value for the organization.
  • Confidentiality: Information labeled as private, confidential, sensitive or reserved should be handled only by the right people. This is a guarantee that must exist in a service such as the Undersecretariat, since documents must maintain their character and recipient, and be received only by the person to whom they correspond at the moment they are dispatched.
  • Integrity: The information cannot be modified without authorization, preserving its initial form.
  • Availability: Officials must be able to access information and work on it when they need it.
And… two more.
  • Authenticity and non-repudiation: The service must guarantee that only authorized users and owners use their credentials, thus avoiding possible misuse of organizational accounts.
  • Traceability: Should the service be able to trace its processes, or determine the "what, when and how" of the organization's critical processes? Yes! It improves response times for formal processes and administrative documents.
Finally, being a CISO is not a simple task. It requires constant effort, ongoing study, and certification in the market's best practices. Always keep watch on the threats in the environment, since these never rest.
KEYWORDS: Information Security, IT Security, ISO 27001:2013, Security Officer, Best Practices
  1. Awesome article and great information. Thank you!

  2. Quite informative. Thanks for sharing.

  3. Good article. Thanks for sharing.
