Information Security Organization and Governance
CISO Workshops • Kartause Ittingen • Warth, Switzerland • July 2, 2013
As the nature of information security threats continues to change, so have the demands on the information security and risk function of major corporations. Today's CISO has to handle a myriad of challenges, from continued technical developments to increasing regulatory and compliance engagement to Board-level briefings and scrutiny. In the wake of rising cyber attacks from hacktivists, financially motivated criminals, and state-sponsored APTs, along with the challenges of mobile, the cloud, and so on, it is clear that a different type of security organization is required. Firms are experimenting with different governance structures, controls, and flexible response capabilities.
Two years ago we discussed changing human behavior and the need to create a security culture, and last year we explored emerging threats, especially cyber threats. In this workshop we will discuss what this means for the design of the security organization and its governance. Specifically, we will address questions such as:
- How is your information security organization structured? How different is it from three years ago? How has it changed, grown, and shifted within the firm? How are your biggest current security concerns reflected in your current or planned organization?
- How are your security budgets set and how has security spending changed? Are your sources of funding different now?
- How do you build up the organizational capability and resources that you need? What are the frameworks and best practices you have encountered? How do you assess maturity of your Information Security Organization? How do you make decisions around what you consider outsourcing?
- How do you balance global governance and local execution/engagement?
- How do you assess the appropriateness and usefulness of standard frameworks for Information Security Management (such as the ISO 27000 family)?
- Who does your information security organization report to? Has that changed? What is the level of board scrutiny you get? Who are the other key stakeholders and how do you interact with them?
- How has the tenor and level of your discussion with the rest of the business changed? Who are the groups you coordinate with now that you did not or did much less three years ago?
- With the emergence of Security Operations Centers (SOCs) and the changed nature of Computer Security Incident Response Teams (CSIRTs), how are these functions integrated into your structure, and who do they interact with?
- How is the talent you need in your organizations changing? Do you do modeling and analysis? Cyberforensics? How are such efforts integrated into your security organization and what new skills do they require?
- Who handles communications about info security incidents? Externally? Within the corporation?
- How do you build a robust security leadership team with the right leadership capability for the challenges of today and tomorrow? What is your responsibility as a senior leader?