Any organization’s cybersecurity program, and the resulting compliance with control requirements, becomes at risk if everyone thinks, or assumes, that “someone else” owns the implementation or ongoing management of specific cybersecurity roles and responsibilities. A successful cybersecurity program is unlikely to be sustained if defined stakeholders are not held accountable for fulfilling their assigned responsibilities.
Once your organization gets management buy-in to invest in a cybersecurity program, your organization should ensure that key roles and responsibilities are defined, documented, and assigned to appropriate personnel. This can be done by name, but it is preferable to complete this exercise by job title, as job titles generally change less frequently than the names of the personnel filling those positions. Once control assignments are made, they should be communicated to each control owner to help ensure each person responsible for a cybersecurity program control is aware of their responsibility for any related tasks. Without this responsibility and associated accountability, gaps in processes may present unnecessary risks to information assets within your environment.
While there are many roles attributed to maintaining a comprehensive cybersecurity program, arguably two of the most crucial roles are the Board of Directors and the Chief Information Security Officer (CISO). Other critical groups include executive management, business unit management, IT management, IT operations personnel, and IT support personnel.
The Board, or other appropriate executive-level committee, should provide management with expectations, along with accountability, for the oversight, coordination, and assignment of responsibility for the effectiveness of the cybersecurity program. Cybersecurity expertise should be maintained by the Board. If needed, the Board should engage external experts with the appropriate experience to assist with oversight responsibilities.
The Board should review assessment reports that describe the effectiveness of the cybersecurity program regularly (e.g., at least annually). Recommendations for corrective actions should be discussed whenever required. The Board should ensure annual self-assessments evaluate your organization’s ability to meet defined cybersecurity requirements. The Board should approve the prioritization of remediation activities, including resource allocation, based on assessment results.
The Board should be responsible for maintaining a process to formally discuss and estimate potential expenses associated with cybersecurity incidents and data breaches as part of the budgeting process. The Board should also ensure that management takes appropriate actions to address changing cybersecurity risks or significant cybersecurity issues. If your organization does not have a Board of Directors, an executive-level committee is sufficient to fulfill these “Board” responsibilities.
The Role of a Chief Information Security Officer (CISO) in Cybersecurity
A CISO, or similarly titled role with the same responsibilities, needs to be appointed for your organization. The CISO should be assigned the responsibility and accountability for effectively managing the organization-wide cybersecurity program. This includes developing, documenting, approving, maintaining, and communicating control requirements within policies, plans, and procedures. As one person is not likely to be successful by themselves, this role also needs to be assigned the necessary resources, be they personnel, tools, or budget dollars, to support their success.
The CISO is typically responsible for the following:
The CISO should also be responsible for providing supplemental cybersecurity awareness training to role-based personnel while championing the overall awareness training program content for all personnel within your organization. This includes ensuring cybersecurity team personnel are knowledgeable and competent in their applicable areas of responsibility. Cybersecurity team personnel should be provided with the opportunity to stay current with new ways to address threats and vulnerabilities, along with other cybersecurity and compliance-related developments.
The CISO should be assigned responsibility and held accountable for developing, approving, communicating, and testing your organization’s Incident Response Plan. This should include defining escalation processes to ensure timely and effective incident handling and response activities. These responsibilities also include making continuous improvements to support all incident management activities.
Consider engaging a virtual CISO (vCISO) who may share time supporting more than one organization. This can be a cost-effective way to have a CISO-level resource supporting your organization without paying the high salary cost of a full-time CISO.
The CISO should be responsible for the protection of information assets. This includes carrying out specific cybersecurity processes and procedures which have been clearly defined for your organization. The CISO should provide a cybersecurity program report at least annually that includes, but may not be limited to, the following:
The CISO should be responsible for monitoring and analyzing security alert information that is pertinent to your organization. After initial analysis, the CISO should distribute appropriate security alerts, details on the organization’s susceptibility to the alerts, and the results of their analysis to appropriate internal personnel.
In the past, the office of the CISO was considered to be a technology function. Today, the CISO role has become a strategic and integral part of the organization’s leadership team. A CISO is not an auditor. A CISO is not a network engineer. Your CISO should be a pivotal role that is ultimately responsible and accountable for the success or failure of your program. Your CISO should be an enterprise-wide risk manager rather than a production resource devoted to IT operations.
To ensure independence, the CISO should report directly to the Board, a Board committee, or another executive leadership role. The CISO should not report to IT management. The reporting structure should demonstrate that the CISO has the appropriate authority to carry out the responsibilities of the position and should avoid conflicts of interest that could interfere with their ability to make decisions in line with the defined risk appetite. Your organization’s size and complexity will play a role in the reporting structure. A smaller or less complex organization may have an information security officer perform the responsibilities of the CISO and report to senior management. A larger or more complex organization may have additional reporting lines for the CISO into other independent functions, such as legal or finance.
Hands-on cybersecurity experience is needed for anyone filling the role of a CISO, but it does not stop there. A CISO should have a demonstrable progression of experience that may cross between lower-level cybersecurity or IT roles from which they have gained experience of “how things work.” That experience is important before they attempt to govern business and IT operations with defined cybersecurity controls.
Finally, and perhaps most importantly, you do not want a CISO that creates or condones an “us versus them” culture. Implementing and maintaining a successful program requires cross-functional, inter-departmental teamwork. The person filling this role must be able to build the necessary relationships to manage upward, downward, and laterally to effectively maintain a successful program for your organization. Some security controls are absolute and non-negotiable. However, if you have a CISO that says “no” more frequently than “yes, and here is how we can do it securely,” you likely have the wrong person filling that role.
Executive management assignment of cybersecurity program responsibilities ensures executive-level visibility into the program and creates opportunities to ask appropriate questions to determine the effectiveness of the program, as well as to influence strategic priorities. Executive management, including the chief executive officer (CEO), the chief operating officer (COO), and often the chief technology officer (CTO) or chief information officer (CIO), plays a significant role in the management of an organization. Executive management develops the strategic plans and objectives for the organization and sets the budget for resources to achieve these objectives. To carry out their responsibilities, executive management should understand, at a high level, the cybersecurity risks faced by your organization and ensure that those risks are included in risk assessments. If executive management is unable to implement an objective or agree on a course of action, they should escalate that matter to the Board for more guidance.
Leadership within your organization’s lines of business or business units also has responsibilities that impact the success of the cybersecurity program. Some examples of these responsibilities include the following:
The specific cybersecurity-related roles within business unit management for your organization may vary depending on your approach to policy control enforcement, risk management, and compliance.
IT management is responsible for overseeing the IT environment. This should include performing the day-to-day technology operations as well as supporting the overall security and resilience of information systems. IT management should be responsible for managing the capacity, performance, and availability of system components used in your organization’s infrastructure. Additionally, IT management should be responsible for supporting business units and functional operations by facilitating enterprise system reporting, product and service development, service delivery, and transaction processing.
Documenting and communicating a Cybersecurity Program Roles and Responsibilities matrix is a great way to establish responsibility and accountability for key functions within your organization.
IT operations personnel are responsible for the day-to-day operation and maintenance of the infrastructure components to support business operations for your organization. The following are some examples of IT operations responsibilities and functions:
IT support personnel should be responsible for providing internal personnel and potentially external users with technical assistance. This likely includes troubleshooting advice for hardware, software, and network performance issues. Support personnel are also helpful resources for supporting cybersecurity events and incident response efforts.
Support personnel should use either human operators or automated systems to record and track incoming issues as they are reported. Tracking requests and issues creates a historical record that provides management with the ability to perform trend analysis. Examples of information to be included in issue tracking include the following:
If the IT support function is outsourced, your organization should include operational as well as cybersecurity-related expectations and responsibilities for the third party in the outsourcing contract or agreement. Responsibilities may include access levels, functions the third party will perform, controls for cybersecurity and confidentiality, and reports or metrics to be provided.
There are likely many other roles that should be supporting your cybersecurity program. Human Resources will play a pivotal role in ensuring that onboarding and offboarding of personnel are performed in accordance with established controls. The Legal department should be engaged to ensure that regulatory requirements are being addressed. The Finance department will play a role in ensuring appropriate budget allocations are in place for cybersecurity. These are just a few examples of cross-functional roles that support an overall cybersecurity program within your organization.
Depending on the size of your organization, cybersecurity control owners may be dedicated roles, assigned as additional duties to existing roles, or a combination of dedicated roles and additional duties. Your organization should consider developing transition or succession plans for key personnel to avoid potential gaps in cybersecurity control assignments that could result in responsibilities not being assigned, and consequently, not being performed.