Key Message: Today’s CISOs need a broader approach for structuring their organizations to better manage expanding cybersecurity risks.
Executive Summary
“Chief Information Security Officers (CISOs) are increasingly finding that the tried-and-true, traditional information security strategies and functions are no longer adequate when dealing with today’s increasingly expanding and dynamic cyber risk environment. Many opinions and publications express a wide range of functions that a CISO organization should be responsible for governing, managing, and performing. How does a CISO make sense of these functions and select the ones that are most applicable for their business mission, vision, and objectives?” 
In this podcast, Nader Mehravari and Julia Allen, members of the CERT Cyber Risk Management team, discuss an effective approach for defining a CISO team structure and functions for large, diverse organizations based on inputs from CISOs, policies, frameworks, maturity models, standards, codes of practice, and lessons learned from major cybersecurity incidents.
Four Key Functions
Traditional strategies and functions that are typically used by information security teams and their leaders are no longer as effective in dealing with today’s cyber risk environment. In observing this environment and working with CISOs, we identified four key functions performed by the information security team:
We used the following sources to add details to the four key functions:
We used the following process to develop the candidate CISO organizational structure:
We also identified activities or sub-functions that could be performed by parties other than the CISO. Even when that happens, the CISO still retains governance, oversight, and leadership responsibility. This can be enacted, in part, by effective performance measurement.
We defined the following four organizational units, reporting to the CISO. The CISO also has a deputy and an Information Security Executive Council, serving in an advisory role:
Information Security Executive Council
We recommended merging security engineering (development/acquisition) and security aspects of IT Operations (security of applications, hosts and networks, information, physical access controls) into one unit based on DevOps and other current experiences.
Given the demand for rapid development/acquisition and release of new capabilities, it is increasingly critical that development staff be tightly coupled with IT ops staff.
Additional resources on this topic include CERT’s work in software assurance and the Resilient Technical Solution progress area within CERT-RMM.
Here are a few suggested next steps:
Allen, Julia et al. Structuring the Chief Information Security Officer Organization. Software Engineering Institute, Carnegie Mellon University, 2015.
SEI Webinar and slides: Structuring the Chief Information Security Officer (CISO) Organization, December 2015.
SEI blog: Structuring the Chief Information Security Officer Organization, February 2016.
U.S. National Institute of Standards and Technology. NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations. U.S. National Institute of Standards and Technology, April 2013.
U.S. National Institute of Standards and Technology. Framework for Improving Critical Infrastructure Cybersecurity Version 1.0. U.S. National Institute of Standards and Technology, February 2014.
National Initiative for Cybersecurity Education (NICE). The National Cybersecurity Workforce Framework Version 1.0. National Initiative for Cybersecurity Education, March 2013.
SANS. “Critical Security Controls Version 5.0.” SANS, 2015.
Caralli, Richard A.; Allen, Julia H.; White, David W. CERT® Resilience Management Model: A Maturity Model for Managing Operational Resilience. Addison-Wesley, 2011.
U.S. Department of Energy. Cybersecurity Capability Maturity Model (C2M2) Version 1.1. U.S. Department of Energy and U.S. Department of Homeland Security, February 2014.