search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Structuring the Chief Information Security Officer Organization

Technical Note
By
The authors describe how they defined a CISO team structure and functions for a national organization using sources such as CISOs, policies, and lessons learned from cybersecurity incidents.
Publisher

Software Engineering Institute

DOI (Digital Object Identifier)
10.1184/R1/6584423.v1
Subjects

Abstract

Chief Information Security Officers (CISOs) are increasingly finding that the tried-and-true, traditional information security strategies and functions are no longer adequate when dealing with today’s increasingly expanding and dynamic cyber risk environment. Many opinions and publications express a wide range of functions that a CISO organization should be responsible for governing, managing, and performing. How does a CISO make sense of these functions and select the ones that are most applicable for their business mission, vision, and objectives?

This report describes how the authors defined a CISO team structure and functions for a large, diverse U.S. national organization using input from CISOs, policies, frameworks, maturity models, standards, codes of practice, and lessons learned from major cybersecurity incidents.

SHARE
Download PDF
Part of a Collection

CERT-RMM and the U.S. Postal Service (USPS)
Cite This Technical Note

Allen, J., Crabb, G., Curtis, P., Fitzpatrick, B., Mehravari, N., & Tobar, D. (2015, October 6). Structuring the Chief Information Security Officer Organization. Retrieved April 19, 2024, from https://doi.org/10.1184/R1/6584423.v1.

@techreport{allen_2015,
author={Allen, Julia and Crabb, Greg and Curtis, Pamela and Fitzpatrick, Brendan and Mehravari, Nader and Tobar, David},
title={Structuring the Chief Information Security Officer Organization},
month={Oct},
year={2015},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://doi.org/10.1184/R1/6584423.v1},
note={Accessed: 2024-Apr-19}
}

Allen, Julia, Greg Crabb, Pamela Curtis, Brendan Fitzpatrick, Nader Mehravari, and David Tobar. "Structuring the Chief Information Security Officer Organization." Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, October 6, 2015. https://doi.org/10.1184/R1/6584423.v1.

J. Allen, G. Crabb, P. Curtis, B. Fitzpatrick, N. Mehravari, and D. Tobar, "Structuring the Chief Information Security Officer Organization," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, 6-Oct-2015 [Online]. Available: https://doi.org/10.1184/R1/6584423.v1. [Accessed: 19-Apr-2024].

Allen, Julia, Greg Crabb, Pamela Curtis, Brendan Fitzpatrick, Nader Mehravari, and David Tobar. "Structuring the Chief Information Security Officer Organization." Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 6 Oct. 2015. https://doi.org/10.1184/R1/6584423.v1. Accessed 19 Apr. 2024.

Allen, Julia; Crabb, Greg; Curtis, Pamela; Fitzpatrick, Brendan; Mehravari, Nader; & Tobar, David. Structuring the Chief Information Security Officer Organization. Software Engineering Institute. 2015. https://doi.org/10.1184/R1/6584423.v1

Ask a question about this Technical Note