It’s a tough job, but somebody has to do it.
In many organizations, an information security officer position is responsible for facilitating the development, implementation, and oversight of all information/cybersecurity activities. This position can go by many different names: Chief Information Security Officer (CISO), Information Security Officer (ISO), or Chief Security Officer (CSO), to name a few.
No matter what you call the individual in charge of information/cybersecurity, the thing that matters to companies both big and small is having a knowledgeable, experienced leader in charge of all aspects of organizational security management.
That leader’s responsibilities make up a long and critical list (see below). Is anything missing from your information/cybersecurity leader’s list? Here are some of the key responsibilities* that should be on it:
- Oversee and enforce all activities necessary to comply with regulatory requirements and the organization’s policies and procedures, and verify that compliance is achieved.
- Create and maintain formal organizational and operational information/cybersecurity policies and procedures.
- Manage the information/cybersecurity risk management program and proactively evaluate the effectiveness of the program, making changes as needed on an ongoing basis through compliance and vulnerability management activities.
- Ensure plans for training, testing, and monitoring workforce compliance are developed, implemented, maintained, and regularly reviewed.
- Perform or oversee technical and nontechnical assessments to validate compliance with information/cybersecurity policies and procedures.
- Document security-related activities and completed assessments, and retain those records in accordance with federal and state record retention requirements.
- Ensure security activities (e.g., implementing controls, correcting nonconformities) are coordinated in advance and communicated throughout the entire organization.
- Assess program effectiveness annually.
- Manage the organization’s information/cybersecurity education, training, and awareness programs. Ensure the workforce receives initial training (upon hire) and annual refresher training.
- Facilitate the security incident/breach response team.
- Ensure that all systems undergo a security review annually or when changes that could impact system security occur.
- Ensure that new systems undergo a thorough security review prior to being put into production to ensure that the confidentiality, availability, and integrity of data are properly maintained.
- Assist Human Resources, when necessary, on matters pertaining to workforce background investigations and disciplinary action related to noncompliance with security policies and procedures.
- Ensure that all service providers, contractors, consultants, etc., have undergone a vendor risk assessment prior to any information exchange or access to information systems.
- Assist in the administration and oversight of vendor agreements.
- Provide annual “State of the Information/Cybersecurity Program” briefings to senior leadership and the board of directors/trustees on the overall posture of the information/cybersecurity program. These briefings should cover areas of risk that require attention, an overview of incidents that occurred during the last year, and the actions taken to prevent recurrence.
- Participate as a member of the incident management, crisis management, business continuity, and disaster recovery teams.
- Work with and advise facility management on matters related to physical and environmental security.
- Work with senior leadership to ensure the information/cybersecurity program is properly staffed and receives adequate funds needed to successfully maintain the program.
- Provide clear direction and visible management support for security initiatives.
- Manage security measures designed to reduce the risk of identity theft/insider threats.
*Based on numerous industry standards; not intended to be an all-inclusive list of the responsibilities of the person(s) responsible for information/cybersecurity.