CERT PODCAST SERIES: SECURITY FOR BUSINESS LEADERS

CERT PODCAST SERIES: SECURITY FOR BUSINESS LEADERS: SHOW NOTES

Structuring the Chief Information Security Officer Organization

Key Message: Today’s CISOs need a broader approach for structuring their organizations to better manage expanding cybersecurity risks.

Executive Summary

“Chief Information Security Officers (CISOs) are increasingly finding that the tried-and-true, traditional information security strategies and functions are no longer adequate when dealing with today’s increasingly expanding and dynamic cyber risk environment. Many opinions and publications express a wide range of functions that a CISO organization should be responsible for governing, managing, and performing. How does a CISO make sense of these functions and select the ones that are most applicable for their business mission, vision, and objectives?” [1]

In this podcast, Nader Mehravari and Julia Allen, members of the CERT Cyber Risk Management team, discuss an effective approach for defining a CISO team structure and functions for large, diverse organizations based on inputs from CISOs, policies, frameworks, maturity models, standards, codes of practice, and lessons learned from major cybersecurity incidents.

PART 1: FOUR KEY FUNCTIONS

Four Key Functions

Traditional strategies and functions that are typically used by information security teams and their leaders are no longer as effective in dealing with today’s cyber risk environment. In observing this environment and working with CISOs, we identified four key functions performed by the information security team:

Protect, Shield, Defend, and Prevent: proactively protect, shield, and defend the organization from cyber threats and prevent cybersecurity incidents from occurring when possible.
Monitor, Detect, and Hunt: monitor ongoing operations and actively hunt for and detect adversaries.
Respond, Recover, and Sustain: be prepared to respond to and recover from disruptions of business and IT operations. Address cybersecurity when doing other types of contingency and disaster recovery planning.
Govern, Manage, Comply, Educate, and Manage Risk: Tools and technology are not enough. Ensure there is an integrated set of policies, oversight, risk management, process improvement, and measurement to support the first three functions.

PART 2: DEPARTMENT, FUNCTIONS, SUB-FUNCTIONS, AND ACTIVITIES

Sources

We used the following sources to add details to the four key functions:

topics typically addressed in a large organization’s information security policy
U. S. National Institute of Standards and Technology (NIST) Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
NIST Framework for Improving Critical Infrastructure Cybersecurity
National Initiative for Cybersecurity Education (NICE) The National Cybersecurity Workforce Framework
SANS Critical Security Controls (Top 20)
CERT Resilience Management Model (CERT-RMM)
U.S. Department of Energy Cybersecurity Capability Maturity Model (C2M2)

Process

We used the following process to develop the candidate CISO organizational structure:

Considered, as inputs:

observations and experiences from CISOs and the information security community
major cybersecurity incidents
the current and expanding operational risk environment

Mapped all sources to the four functions
Grouped the mapping by function into sub-functions and activities, resulting in departments
Organized departments into a candidate organizational structure

We also identified activities or sub-functions that could be performed by parties other than the CISO. Even when that happens, the CISO still retains governance, oversight, and leadership responsibility. This can be enacted, in part, by effective performance measurement.

PART 3: CANDIDATE ORGANIZATIONAL STRUCTURE

Four Organizational Units

We defined the following four organizational units, reporting to the CISO. The CISO also has a deputy and an Information Security Executive Council, serving in an advisory role:

Program Management: project management office; governance, risk, and compliance; workforce and supplier management; interface with the business
Security Operations Center: situational awareness, ongoing monitoring, security helpdesk, computer incident response
Emergency Operations and Incident Management: mobilizes for high impact incidents; planning for incident response, business continuity, disaster recovery; tests, exercises, and drills; incident post mortems; investigations
Security Engineering and Asset Security, which includes:
- Security Engineering
- Identity and Access Management
- Applications Security
- Host and Network Security
- Information Asset Security
- Physical Access Control

Information Security Executive Council

Serves as an advisory group for the CISO
May have an internal and an external council
Makes sure the information security functions is aligned with business objectives
Ensures policy and compliance obligations are met
A key activity to ensure effective governance
Members may include:
- Chief Operating Officer
- Chief Information Officer
- Chief Financial Officer
- Legal/Privacy
- Human Resources
- Communications / Marketing
- Business Unit VPs
- Engineering VP
- Information Technology VP

PART 4: SECURITY ENGINEERING AND OPS; NEXT STEPS

Integrating Across the Life Cycle

We recommended merging security engineering (development/acquisition) and security aspects of IT Operations (security of applications, hosts and networks, information, physical access controls) into one unit based on DevOps and other current experiences.

Given the demand for rapid development/acquisition and release of new capabilities, it is increasingly critical that development staff be tightly coupled with IT ops staff.

Additional resources on this topic include CERT’s work in software assurance and the Resilient Technical Solution progress area within CERT-RMM.

Next Steps

Here are a few suggested next steps:

Map your current CISO organizational structure to the one proposed here – the four functions, departments, sub-functions, and activities.
Determine what steps to take based on identified gaps – which organizational units can continue as is, which ones need to change (expand, contract), and what new ones need to be created
Develop an implementation roadmap and plan to address gaps. Use some of the sources identified above.

Resources

[1] Allen, Julia et al. Structuring the Chief Information Security Officer Organization. Software Engineering Institute, Carnegie Mellon University. 2015.

SEI Webinar and slides: Structuring the Chief Information Security Officer (CISO) Organization, December 2015.

SEI blog: Structuring the Chief Information Security Officer Organization, February 2016.

NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations. April 2013

U.S. National Institute of Standards and Technology. Framework for Improving Critical Infrastructure Cybersecurity Version 1.0. U.S. National Institute of Standards and Technology, February 2014.

National Initiative for Cybersecurity Education (NICE). The National Cybersecurity Workforce Framework Version 1.0. National Initiative for Cybersecurity Education, March 2013.

SANS. “Critical Security Controls Version 5.0.” SANS, 2015.

Caralli, Richard A.; Allen, Julia H.; White, David W. CERT® Resilience Management Model: A Maturity Model for Managing Operational Resilience. Addison-Wesley, 2011.

U.S. Department of Energy. Cybersecurity Capability Maturity Model (C2M2) Version 1.1. U.S. Department of Energy and U.S. Department of Homeland Security, February 2014.