This is one of the 52 terms in The Language of Cybersecurity, published by XML Press in 2018; the contributor for this term is Todd Fitzgerald.

What is it?

Chief Information Security Officer. The most senior individual responsible for protecting an organization’s information assets.

Why is it important?

The CISO has overall responsibility for the information security program for an organization. The CISO works closely with executive management and business stakeholders to protect information assets.

Why does a business professional need to know this?

The CISO is charged with providing an efficient and effective security program, which includes retaining skilled cybersecurity specialists and documenting and automating cybersecurity processes and procedures. Business professionals should know and work with the CISO and his or her team to build a secure environment.

The CISO works with management stakeholders to allocate an appropriate budget for cybersecurity; acquire the necessary personnel, tools, and resources; and create and execute plans for improving cybersecurity maturity. The CISO is accountable for identifying and communicating relevant information security threats, balancing the competing needs of business operations and information security, and leading the cybersecurity team as it works towards these objectives. Cybersecurity maturity occurs over time as more investments are made, processes are refined, and tools are integrated into a long-term plan.

The CISO is responsible for ensuring that appropriate policies, standards, procedures, and guidelines exist within the organization to reduce overall risk and comply with regulatory and privacy requirements. Administrative, technical, and operational controls collectively fulfill this objective.

For example, a cybersecurity analyst may be assigned to implement controls that aggregate and correlate security events to detect malicious behavior against critical information assets. The CISO is responsible for warning stakeholders about the risk of potential malicious events, putting monitoring procedures in place, ensuring that oversight and secondary quality controls are present, and creating a monitoring strategy that reflects the organization’s tolerance for risk.