What is a CISO?
is the information security officer of an organization, who must tell organizations to create security policies, manage those policies, information, assets, and risks associated with them, and create security programs and awareness plans.
What is the profile of a CISO?
There is not one 'cut and dry' way to become a CISO in a public or private organization. Many professionals start from computer security and work their way up. From pre and postgraduate training that allows you to get the necessary technical knowledge, the appropriate profile seems to be 50% technical. That means that the individual understands the subject of computer security and 50% of leadership and management experts, lead people, plans, and actions. Those actions lead to completed and accepted goals.
A CISO should know the technical parts because they must be able to talk to administrators and security analysts, as well as managers of the organization, without problems. In technical language and managerial language, your communication should be clear and effective.
Is the same true for information security (INFOSEC) and computer security (ITSEC)?
It is often thought that information security is only about the preventive and reactive controls, or about the configuration of the IDS/IPS, the antivirus, or the spam filter. We talk about a risk scenario and the treatment of risks to security, and it is an accuracy that will take space to improve their understanding, given the security of information, has an articulating arm to the management of computer security and cybersecurity.
Information security is responsible for protecting the information assets in all its formats. The 14 domains, for example, simplify ISO 27.001: 2013, from information assets, electronic or paper, people, and processes into detective, preventive, dissuasive, reactive, compensatory controls.
Considering and understanding how fast technology is advancing in the information age, cloud computing, smart cities, the internet of things, industry 4.0 and from the other point of view malware as a service, it is imperative that organizations take steps to be precise, clear in the search to take better care of information assets and in recent cases we have seen the information of citizens.
Information security, part of convincing top management, on how important it is an effective safeguard of information assets, in precise clear language, in business language. Without the support of the business, any policy will be insufficient, let's not forget that those who are responsible for complying with the policies are the people and if they do not have the mandate or the motivation to do so frankly do not open awareness campaign to achieve it.
What is the triad?
Next, as a complement identifies the pillars that deliver the management of information security and which means as a contribution to the service in the quest to generate value for the organization.
- Confidentiality: Information labeled as private, confidential, sensitive or reserved should operate under the right people. It is a guarantee that must exist in a service of the nature of the Undersecretariat since documents must maintain their character and recipient, and only be received by the person corresponding to the moment of his evacuation.
- Integrity: The information cannot be modified without authorization. Preserving its initial format.
- Availability: Officials must be able to enter information and work on it when they need it.
And... two more.
- Authenticity and non-repudiation: The service must generate guarantees that only authorized users and owners use their credentials, thus avoiding possible problems of misuse of organizational accounts.
- Traceability: Should the service be able to trace the processes, or determine the "what? when? or how?" of the critical processes of the organization? Yes! It improves the response times of formal processes or administrative documents.
Finally, being a CISO is not a simple task. It is one which requires a constant effort and a dedication to studies as well as certification in the best practices of the market. Always be pending to the threats of the environment since these never rest.
KEYWORDS: Information Security, IT Security, ISO 27001: 2013, Security Officer, Best Practices