Structuring the Chief Information Security Officer Organization

October 2015 • Technical Note

Julia H. Allen, Gregory Crabb (U.S. Postal Inspection Service), Pamela D. Curtis, Brendan Fitzpatrick, Nader Mehravari, David Tobar

The authors describe how they defined a CISO team structure and functions for a national organization using sources such as CISOs, policies, and lessons learned from cybersecurity incidents.

Publisher:

Software Engineering Institute

DOI (Digital Object Identifier):

10.1184/R1/6584423.v1

Subjects

Cyber Risk and Resilience ManagementCyber Risk and Resilience Management

Abstract

Chief Information Security Officers (CISOs) are increasingly finding that the tried-and-true, traditional information security strategies and functions are no longer adequate when dealing with today’s increasingly expanding and dynamic cyber risk environment. Many opinions and publications express a wide range of functions that a CISO organization should be responsible for governing, managing, and performing. How does a CISO make sense of these functions and select the ones that are most applicable for their business mission, vision, and objectives?

This report describes how the authors defined a CISO team structure and functions for a large, diverse U.S. national organization using input from CISOs, policies, frameworks, maturity models, standards, codes of practice, and lessons learned from major cybersecurity incidents.

Download PDF

Part of a Collection

CERT-RMM and the U.S. Postal Service (USPS)

Cite This Report

SEI

Allen, Julia; Crabb, Gregory; Curtis, Pamela; Fitzpatrick, Brendan; Mehravari, Nader; & Tobar, David. Structuring the Chief Information Security Officer Organization. . Software Engineering Institute, Carnegie Mellon University. 2015. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=446186

IEEE

Allen. Julia, Crabb. Gregory, Curtis. Pamela, Fitzpatrick. Brendan, Mehravari. Nader, and Tobar. David, "Structuring the Chief Information Security Officer Organization," Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, Technical Note , 2015. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=446186

APA

Allen, Julia., Crabb, Gregory., Curtis, Pamela., Fitzpatrick, Brendan., Mehravari, Nader., & Tobar, David. (2015). Structuring the Chief Information Security Officer Organization (). Retrieved June 02, 2023, from the Software Engineering Institute, Carnegie Mellon University website: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=446186

CHI

Julia Allen, Gregory Crabb, Pamela Curtis, Brendan Fitzpatrick, Nader Mehravari, & David Tobar. Structuring the Chief Information Security Officer Organization (). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2015. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=446186

MLA

Allen, Julia., Crabb, Gregory., Curtis, Pamela., Fitzpatrick, Brendan., Mehravari, Nader., & Tobar, David. 2015. Structuring the Chief Information Security Officer Organization (Technical Report ). Pittsburgh: Software Engineering Institute, Carnegie Mellon University. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=446186

BibTex

@techreport{AllenStructuringthe2015,
title={Structuring the Chief Information Security Officer Organization},
author={Julia Allen and Gregory Crabb and Pamela Curtis and Brendan Fitzpatrick and Nader Mehravari and David Tobar},
year={2015},
institution={Software Engineering Institute, Carnegie Mellon University},
address={Pittsburgh, PA},
url={http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=446186} }

Ask a question about this Technical Note

Software Engineering Institute