Chief Information Security Officer Research Articles

The Roundup

The Roundup

Security at the data level

It is not a matter of whether organisations will be hacked and their defences breached, but when. Responsible Chief Information Security Officers (CISOs) should assume the perimeter is permeable and security efforts need to trickle right down to protecting individual data on the network. It is not a matter of whether organisations will be hacked and their defences breached, but when. These days, you should assume the perimeter is permeable. This means that security efforts need to trickle right down to protecting individual data on the network. Tracey Caldwell looks at methods for securing data in transit and at rest. And she explores how you can achieve a good balance between network and data security and between the conflicting demands for data security and data sharing.

The Efficacy of Cybersecurity Regulation

Cybersecurity regulation presents an interesting quandary where, because private entities possess the best information about threats and defenses, legislatures do – and should – deliberately encode regulatory capture into the rulemaking process. This relatively uncommon approach to administrative law, which I describe as Management-Based Regulatory Delegation, involves the combination of two legislative approaches to engaging private entities' expertise. This Article explores the wisdom of those choices by comparing the efficacy of such private sector engaged regulation with that of a more traditional, directive mode of regulating cybersecurity adopted by the state legislatures. My analysis suggests that a blend of these two modes of regulating is superior to either method alone.Federal regulation of cybersecurity through HIPAA, Gramm-Leach-Bliley, and the Federal Trade Commission's enforcement heavily involves private organizations subject to the regulation in the establishment of the actual practices and standards to which those organizations are held. By contrast, the state cybersecurity laws – a form of disclosure-based regulation that de facto achieves directive regulation – detail specific standards developed without industry input.This Article compares the efficacy of those two modes of regulating using a mixed-methods empirical approach. Qualitative data based on interviews with Chief Information Security Officers (CISOs) at leading multinational corporations details the practical effects of how regulation drives cybersecurity practices. Analysis of quantitative data describing security breach incidents reveals that a blend of the two types of regulation is substantially more effective at preventing such incidents than is either method alone. These results provide insight into ways to mitigate the risks of deliberate regulatory capture while still leveraging the unique knowledge private entities have about what are the most salient cybersecurity threats and defenses.

Cybersecurity Management In the States: The Emerging Role of Chief Information Security Officers

Forward by John Bruel and John Lainhart: On behalf of the IBM Center for The Business of Government, we are pleased to present this report, 'Cybersecurity Management in the States: The Emerging Role of Chief Information Security Officers,' by Marilu Goodyear, Holly T. Goerdel, Shannon Portillo, and Linda Williams. The importance of safeguarding information created and shared on computers and the internet has increased significantly in recent years, as society has become increasingly dependent on information technology in government, business, and in their personal lives. Both corporations and government have responded by creating a new role in their organizations to lead the safeguarding efforts - chief information security officers. The role of these officers is still under development. Do they safeguard best by using law enforcement techniques and technological tools? Or are they more effective if they serve as educators and try to influence the behaviors of technology users? This report is a significant contribution to the discussion of the roles and responsibilities of chief information security officers (CISOs) in state governments across the United States. It identifies both strategies and activities used by successful state CISOs, and thereby provides a good road map to success for all state CISOs.The report cites the Multi-State Information Sharing and Analysis Center (MS-ISAC), which has been championed since its inception by the New York state chief cybersecurity officer as one key cybersecurity collaboration success. The MS-ISAC initiative has yielded measurable results and provided a means of consistent communication across sectors in society. The report also emphasizes that while a technical education remains important for CISOs, state cybersecurity officials need to be proficient in nontechnical skills as well, including collaboration, communication, managerial, organizational, policy alignment, and political skills. Finally, the report emphasizes the need for state cybersecurity officials to devote increased attention to data management as the defined system/network perimeter has dissolved and the future success of cybersecurity relies on the CISOs, chief information officers, data owners, records managers and archivists to jointly focus on data management to achieve effective business processes. This report also emphasizes the importance of effective IT governance - We hope that you find this report both timely and informative. We believe its insights and recommendations are relevant to CISOs at all levels of government.

Threats Escalate: Corporate Information Technology Governance Under Fire

In a previous publication The Board’s Responsibility for Information Technology Governance, (with Kara Altenbaumer-Price) we examined: The IT Governance Institute’s Executive Summary and Framework for Control Objectives for Information and Related Technology 4.1 (COBIT®); reviewed the Weill and Ross Corporate and Key Asset Governance Framework; and observed “that in a survey of audit executives and board members, 58 percent believed that their corporate employees had little to no understanding of how to assess risk.” We further described the new SEC rules on risk management; Congressional action on cyber security; legal basis for director’s duties and responsibilities relative to IT governance; major sources of IT risk; schematic for an IT governance framework; suggested fundamental questions every board should ask; examined board structure, composition and required IT governance skills; litigation risks and a recital of recent cases; mitigating risk through insurance; and the importance of business continuity planning. As the result of the proliferation of cyberattacks during 2010 and 2011, the SEC’s Division of Corporation Finance announced new disclosure guidance for cybersecurity issues during October, 2011. It has become apparent that newly-disclosed attacks on Information Technology infrastructure have reached crisis proportions. Therefore, a focus on IT governance must be a major priority of management and every corporate board. Issues involving Information Technology are uniquely complex and involve engineering skills that quickly become obsolete in this era of rapid technological change. Here, suggestions are offered about the value of a Chief Information Security Officer and recommendations are made for improving cybersecurity. An examination of recent threats will hopefully assist in bringing a greater understanding of their nature and increased focus on IT governance to the agenda in every boardroom.

Risk assessment and management of information assets

Assessing and managing the risks associated with IT and information assets is one of the most challenging tasks facing a Chief Information Officer or Chief Information Security Officer. Yet, with so many day-to-day pressures on time and resources, it is perhaps not surprising that it often does not get their full attention. However, with frequent reports of new vulnerabilities, hacking attacks and data breaches, it is an essential activity. This article explains what information security risk assessment and management is, and why it is necessary. It identifies some popular frameworks for carrying out an assessment and discusses their common features including identifying assets, threats and vulnerabilities, impact and likelihood. It summarises the process of undertaking a risk assessment and how the identified risks are subsequently managed and monitored. It also identifies some of the pitfalls and challenges that organisations may face and looks at ways of making the process meaningful to the business.

Addressing Information Risk in Turbulent Times

Turbulent times exacerbate many existing information risks and create new security management challenges. Discussions and interviews with chief information security officers from a broad range of large firms about how they addressed the challenges of the economic downturn provide both actionable ideas and clues for future research.

Security through Information Risk Management

Managing information risk means building risk analysis into every business decision. Chief information security officers widely agree that action plans must include risk categorization, communication, and measurement.

Getting on the board

Despite the fact that information security is making its way up corporate agendas, there are still very few, if any, chief information security officers that are making it on to the board. Wendy M. Grossman investigates why this is

Cybersecurity, Capital Allocations and Management Control Systems

The design and use of management control systems can play a key role in dealing with cybersecurity issues that have arisen in tandem with the emergence of the Internet. Efficient management control systems will reduce a firm's likelihood of suffering significant losses from cybersecurity breaches. Drawing on and extending the extant agency-based capital budgeting literature, this paper demonstrates the relevance of the study of management accounting controls to problems arising in the cybersecurity setting. The main finding is that firms can use an information security audit (which is an integral part of a management control system) along with adjustments to the compensation payments to the agent and the investment decision rules, to mitigate a Chief Information Security Officer's inherent empire building preferences. The paper also identifies additional research areas where management accountants with expertise in management control systems can contribute to the academic literature and practice surrounding cybersecurity issues.

The Chief Information Security Officer: An Analysis of the Skills Required for Success

The aim of this study is to determine a set of skills needed for a Chief Information Security Officer (CISO) in a competitive business today. To this end, a review of the literature and IT security executive interviews were conducted to identify a set of relevant skills. This list was then compared to a set of job listings for CISOs. Ultimately, a set of skills were developed that organizations can use when defining the CISO position and seeking new CISOs.

Silver Bullet Talks with Ed Amoroso

Gary McGraw interviews Ed Amoroso, AT&T's chief information security officer. Their conversation ranged widely, from system design to privacy.

My way: Interview with Michael Barrett

Michael Barrett, chief information security officer at PayPal, oversees the information systems and services that protect the integrity and confidentiality of PayPal information. Barrett is leading PayPal's partnership with online giants Yahoo! and eBay in a major technology infrastructure safety upgrade to deploy new email authentication technology. Interview by Miya Knights.

Clarifying the Roles of Information Security: 13 Questions the CEO, CIO, and CISO Must Ask Each Other

The chief executive officer (CEO), chief information officer (CIO), and chief information security officer (CISO) walk into a bar. The CEO orders a light beer. The CIO normally orders his full-bodi...

Executive and board roles in information security

Corporate information in all its forms is a business asset and needs to be recognised as such. This implies that the ultimate responsibility for security must be accepted by the business and not merely delegated to a chief information security officer (CISO) or equivalent role. The CISO may have delegated responsibility for establishing and managing many of the technical solutions that contribute to information security, but overall governance and assurance of the security's effectiveness must reside with business management. It is with the CEO and the board that the buck stops and, in today's IT enabled and IT dependent world, ignorance and denial are no longer options.

Embedding Information Security into the Organization

Risk and business have always been inseparable, but new information security risks pose unknown challenges. How should firms organize and manage to improve enterprise security? Here, the authors describe how chief information security officer (CISOs) are working to build secure organizations.

Evaluating information security investments using the analytic hierarchy process

In today's information-based economy, organizations must avoid costly information security breaches. Unfortunately, organizations cannot make all of their information 100% secure all of the time. There are economic, as well as technical, impediments that prevent perfect information security. Accordingly, organizations usually prepare an annual fixed (limited) budget for the maintenance and improvement of their information security systems. Two key issues confront the chief information security officer (CISO) of an organization: how to spend this limited information security budget most effectively, and how to make the case to the organization's chief financial officer (CFO) for an increase in funds to further enhance the organization's information security. The primary objective of this article is to show how to use the analytic hierarchy process (AHP) to address these two information security issues.

Information Security Governance Reporting

Imagine you are the Chief Information Security Officer (CISO) and your boss, the CIO or CEO, is asking some simple questions: “How secure are our information systems? Is security getting better or worse? How do you know that?” You could describe the successful installation of the newest firewalls, the performance of the intrusion detection systems, the centralized deployment of up-to-date antivirus solutions, the application of software patches on all network devices, and the popularity of your security awareness program. But that is not an answer to the questions. Your boss wants to know not only what you have done to lower the risk, but also how effective you have been. It is all about process, metrics, and trend monitoring. and money, of course!

Information Security Governance Reporting

Imagine you are the Chief Information Security Officer (CISO) and your boss, the CIO or CEO, is asking some simple questions: “How secure are our information systems? Is security getting better or worse? How do you know that?” You could describe the successful installation of the newest firewalls, the performance of the intrusion detection systems, the centralized deployment of up-to-date anti-virus solutions, the application of software patches on all network devices, and the popularity of your security awareness program. But that is not an answer to the questions. Your boss wants to know not only what you have done to lower the risk, but also how effective you have been. It is all about process, metrics, and trend monitoring. And money, of course!