Saturday, August 21, 2021

How to be a CISO?

Having been a Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) for over 10 years, I have recently been wondering about the qualities of a Chief Information Security Officer (CISO).

There are many aspects and views on how to be a CISO. EC-Council, one of the leading IT security training and certification organisations, provides a training and certification program called the Certified Chief Information Security Officer (C|CISO). It is based on the EC-Council CCISO Body of Knowledge, which covers five Information Security Management Domains:
  • Governance and Risk Management 
  • Information Security Controls, Compliance and Audit Management 
  • Security Program Management and Operations 
  • Information Security Core Competencies 
  • Strategic Planning, Finance, Procurement and Vendor Management
(ISC)2, on the other hand, seems to have a more interesting view: the idea of a CISO Mind Map, which contains seven phases.

It starts off with the Architecture, the Framework, the Risk Assessments and the Governance. Then Threat Intelligence and Vulnerability Assessments feed into Security Operations, and finally there is continuing Education.

Architecture
It is the foundation for the CISO. He has to make sure he understands the enterprise information architecture: how the network has been designed (e.g. where the DMZ is, and whether the firewalls and controls are placed correctly). He has to make sure every part of the architecture fits well and is defensible.

Framework
A framework is useful to help in designing the architecture. There are many different types of framework, from ISO to NIST. Each framework serves a specific purpose, guiding and protecting your infrastructure. The CISO needs to find the right frameworks that fit the architecture in place.

Risk Assessments and Governance
The CISO is going to be identifying risks and eliminating or mitigating them, together with the Governance Committee. Based on the architecture, the frameworks, the control objectives and the results of risk assessments, the CISO needs to present a clear picture to the Governance Committee of how secure they are.

Threat Intelligence and Vulnerability Assessments
Threat intelligence is constantly fed from multiple sources. Vulnerability assessments use those threats to determine whether there really is a problem. The CISO needs to take the threat intelligence and the vulnerability assessments into the risk assessment and come to a conclusion.
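The risk assessment and threat intelligence sections above describe how scanner findings, threat intelligence and business impact come together into a conclusion for the Governance Committee. The script below is an added example of that combination, written for this post; it is not code from (ISC)2, EC-Council or the original author. The likelihood-times-impact formula, the weights, the asset names and the CVE identifiers are all constructed placeholders chosen to show the effect, not a published scoring standard.

```python
"""Combine vulnerability assessment findings with threat intelligence and
business impact into a risk-ranked list for the Governance Committee.

All data in this file is constructed for illustration. The CVE identifiers
are placeholders of the form CVE-0000-000N, not real advisories.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float      # scanner base score, 0.0 - 10.0
    exposed: bool    # reachable from outside the DMZ?


# Constructed vulnerability scanner output (placeholder CVE ids).
FINDINGS = [
    Finding("web-frontend", "CVE-0000-0001", 9.8, True),
    Finding("hr-database", "CVE-0000-0002", 7.5, False),
    Finding("intranet-wiki", "CVE-0000-0003", 9.0, False),
    Finding("build-server", "CVE-0000-0004", 4.3, False),
]

# Constructed threat intelligence feed: CVE ids reported as actively exploited.
ACTIVELY_EXPLOITED = {"CVE-0000-0002", "CVE-0000-0004"}

# Constructed asset criticality from the business impact analysis
# (1 = low, 2 = important, 3 = critical to the business).
CRITICALITY = {
    "web-frontend": 3,
    "hr-database": 3,
    "intranet-wiki": 1,
    "build-server": 2,
}


def risk_score(finding: Finding, exploited: set, criticality: dict) -> float:
    """Risk = likelihood x impact (assumed formula for this example).

    Likelihood starts from the CVSS score, is raised when threat
    intelligence reports active exploitation, and is halved when the
    asset is not externally exposed. Impact is the BIA criticality.
    """
    likelihood = finding.cvss / 10.0
    if finding.cve in exploited:
        likelihood = min(1.0, likelihood + 0.3)
    if not finding.exposed:
        likelihood *= 0.5
    impact = criticality.get(finding.asset, 1)
    return round(likelihood * impact, 2)


def rank_findings(findings, exploited, criticality):
    """Return (score, finding) pairs sorted from highest to lowest risk."""
    scored = [(risk_score(f, exploited, criticality), f) for f in findings]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


def is_real_problem(finding, exploited, criticality, threshold=1.5) -> bool:
    """The 'is there really a problem' decision: score at or above an
    assumed committee-agreed threshold."""
    return risk_score(finding, exploited, criticality) >= threshold


if __name__ == "__main__":
    for score, f in rank_findings(FINDINGS, ACTIVELY_EXPLOITED, CRITICALITY):
        flag = "ACT NOW" if is_real_problem(f, ACTIVELY_EXPLOITED, CRITICALITY) else "track"
        print(f"{score:5.2f}  {f.asset:15s} {f.cve}  {flag}")
```

The point the output makes is that CVSS alone would put the internal wiki (9.0) ahead of the HR database (7.5); once the threat intelligence feed marks the database's weakness as actively exploited and the BIA marks the asset as critical, the database rises above the wiki, which is the kind of picture the CISO has to present rather than a raw scanner count.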

Security Operations
The CISO needs a strong business impact analysis. The foundation of that is making sure business continuity and disaster recovery are well taken care of. Security operations also include managing critical systems based on their threat intelligence and vulnerability assessments.

Education
The CISO needs to present an education budget. He needs to show that education is not optional, highlighting why his team needs certain courses, why these certifications are important and why constant training is required.
