Welcome to the Cybersecurity Leadership and Management Course. Today we will discuss cybersecurity leadership: the Chief Information Security Officer and the Information Systems Security Officer. My name is Cicero Chimbanda, and I am your instructor for this course. The key elements we will describe in this course are: the role of the CISO or the ISSO, the responsibilities of the CISO or the ISSO, and the industry-based CISO and ISSO. Essentially, we will be discussing the roles and responsibilities of the Chief Information Security Officer or the Information Systems Security Officer. Success means aligning with the organization's strategy, fulfilling the regulatory obligations on the legal side, and delivering operational excellence. These are the components that build a successful leader, as he aligns the business strategy to the cybersecurity program. Let's begin. We will begin by defining the role of a CISO or ISSO. But first, let's ask and answer the question: is it CISO, or is it ISSO? Well, the functions are the same. The title more readily adopted by larger organizations is CISO, the Chief Information Security Officer, although we do see Information Systems Security Officer used interchangeably for the head of cybersecurity. You typically see this in governmental or not-for-profit organizations, which will use Information Systems Security Officer. Other titles that you might see in larger organizations are Chief Security Officer, Head of Cybersecurity, or even President of Cybersecurity. Some smaller to medium companies will use Vice President of Cybersecurity, Cybersecurity Executive, Information Security Director, or Cybersecurity Lead or Director. These are some of the titles you might see out there. It really depends on the type of business and the overall security knowledge of the organization.
ISO 27001 essentially does not require a Chief Information Security Officer to be appointed. But it is best practice, and recommended for the success of your cybersecurity program, to have somebody appointed where the buck stops. The industry-accepted definition of a Chief Information Security Officer is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected, within Information Security Governance. That is according to ISO 27001 certification, and also NIST. Defining the role of the Chief Information Security Officer starts by looking at the executive management model we saw in a previous chapter. Executive management refers to the leadership and the organization structure. While management recommends a security strategy, governance ensures that security strategies are aligned with the business objectives and consistent with regulations. The reporting structure for a Chief Information Security Officer is as follows: typically you have the VP, the director, the manager, the contributor, and the entry level. We discussed this in the previous chapter. Larger organizations will have the CISO reporting to the CEO. The CISO will lead the cybersecurity governance committee, which is also called the task force; we will discuss this in detail in subsequent chapters. As mentioned, the CISO will typically report to the CEO or the Board in larger organizations. The VP or lead of cybersecurity will report to a Chief Risk Officer or a Chief Compliance Officer. You also see the VP of cybersecurity report to the Chief Financial Officer. These are typically your medium-sized companies. The smaller companies, though, have a director or manager of information security.
They will typically report to the CIO or the CTO, and sometimes there will be double roles where the IS Director is also the IT Director. That is where you want to grow and mature, so that the head of information security reports to the CEO or the board. Now, the responsibilities of the Chief Information Security Officer. It is important to convey that the chief alignment component for the Chief Information Security Officer is to deliver security, trust, and stability in the infrastructure of the program, and you do this by protecting your data. Data is protected through confidentiality, integrity, and availability: the CIA triad. Bringing in security, trust, and stability aligns with the organization's strategy, makes sure that you are meeting your regulatory obligations, and makes sure that operational excellence is achieved. This is done with the skill sets we are talking about in this course. Leadership brings that strategy alignment, and management, which we will talk about in subsequent chapters, brings data integrity, confidentiality, and availability. What are some of the roles or responsibilities of the Chief Information Security Officer? It starts with security operations management. The SOC is where your personnel reside, delivering real-time analysis of immediate threats and attacks; this is your triage, bringing security and stability. Intel: keeping informed of current and developing security threats, and helping the board understand potential security issues that may arise from business strategy decisions. Protecting data: data loss and fraud prevention, building trust and security, and making sure internal staff do not misuse or steal data. Security architecture: making sure the planning, buying, and rolling out of hardware and software is designed with best practice in mind. Identity.
Access management, which is a matter of security and stability: ensuring that only authorized people have access to restricted data and systems. Security program management: keeping ahead of security needs by implementing programs or projects that mitigate risks, things like system patches, for instance, building security and stability. Investigations and forensic procedures: determining what went wrong in a breach and dealing with those responsible; after the internal investigation, dealing with vendors, planning, and avoiding repeat crises. Governance and regulatory policies: making sure that regulatory planning and policies operate successfully, getting the funding needed, and making sure that corporate leadership understands the importance of the policies. Lastly, disaster recovery and business continuity, building stability and security. This is assuring the design, planning, testing, and enhancement of your DR and BCP plans, and making sure that your mission-critical systems are resilient during and after a disaster or a cybersecurity event. These are some of the responsibilities, but we also want to highlight the CISM, Certified Information Security Manager. ISACA lists nine job practice areas in the governance domain. Number one, establishing and maintaining an information security strategy. Maintaining an information security governance framework. Integrating information security governance into the corporate governance. Establishing and maintaining policies. Creating support for investments in information security. Identifying internal and external influences. Obtaining commitment from senior management and stakeholders. Defining the roles and responsibilities and communicating them appropriately. And then establishing, monitoring, and reporting metrics that align with the strategy. There are a lot of different responsibilities for the Chief Information Security Officer listed here, and they are not limited to these; there are others.
Some might use other terminology, but nevertheless these are some core responsibilities of the Chief Information Security Officer. Let's finish up by talking about the industry-based Chief Information Security Officer. Well, what do we mean? Before we talk about the industry, let's talk about size and maturity. As we discussed earlier, larger, more mature companies have the Chief Information Security Officer reporting to the CEO; there is greater visibility to the board, typically higher salaries are aligned with that role, and the title is typically CISO or ISSO, Chief Information Security Officer or Information Systems Security Officer. Medium or growing companies will have a VP or senior title reporting to the CIO, CFO, or COO, usually a C-suite role, with some senior visibility and a medium to high salary depending on the company and the industry. Smaller, beginner models have the information security lead or director reporting to IT; there is typically minimal business visibility, and that is not where we want to be. We want to mature and grow as we develop the cybersecurity program. On an industry basis, we have privately held companies, where decisions are usually influenced by the business owner or the partners. In publicly traded companies, decisions are influenced by regulatory or legal obligations and stakeholder demands. In government or nation-state organizations, decisions are influenced by economic, social, political, or military demands. And in not-for-profits, decisions are typically influenced by the cause, the donors, or the mission of the organization. There are also leadership styles and skill sets for the Chief Information Security Officer or Information Systems Security Officer. The term TISO refers to a technically oriented CISO, usually from a technology-based industry such as utilities or engineering: a really technically oriented Chief Information Security Officer.
A BISO is a business-oriented CISO, usually found in business-focused industries such as banking, government, health, and financial services, which typically have a policy-driven Chief Information Security Officer. Then there is the SISO, a strategically oriented CISO, typically found in companies that are innovative, complex, and global; you typically see pharmaceutical companies, for example, with a strategically oriented CISO. These are some components of the industry-based CISO. Nevertheless, regardless of the industry, leadership is a component of the utmost importance to being successful as a CISO or ISSO. Leadership, as we defined it before, is the ability and the process to translate vision into desired behaviors that are followed at all levels of the extended enterprise. McKinsey defines leadership as a set of behaviors that leaders exercise to influence organizational members to achieve higher alignment on the direction the organization is taking, to achieve better execution of the strategy, and for the organization to continuously renew itself. These are some of the skill sets that leaders look for in other leaders, according to NIST: ethical and moral standards, goals and objectives that empower their organization, clear and frequent communication, being flexible and growing with new ideas, and also admitting mistakes, being vulnerable, and committing to training. These are some of the competencies that other leaders expect from cybersecurity leaders. The top five leadership expectations from employees are: being specific in expectations, empowering employees, sharing vulnerabilities and honesty, being authentic and accountable, and showing respect. There are some similarities between the two sets of expectations. This completes the course. We'll see you next time.