<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>NovaInfosecPortal.com &#187; ciso</title>
	<atom:link href="http://www.novainfosecportal.com/tag/ciso/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.novainfosecportal.com</link>
	<description>News, events, &#38; resources for infosec professionals in NoVA, DC, &#38; MD</description>
	<lastBuildDate>Fri, 03 Feb 2012 17:30:53 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
		<item>
		<title>What! No CI(S)O*?</title>
		<link>http://www.novainfosecportal.com/2009/09/09/what-no-ciso/</link>
		<comments>http://www.novainfosecportal.com/2009/09/09/what-no-ciso/#comments</comments>
		<pubDate>Wed, 09 Sep 2009 15:00:24 +0000</pubDate>
		<dc:creator>paques</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[cfo]]></category>
		<category><![CDATA[ciso]]></category>
		<category><![CDATA[cto]]></category>
		<category><![CDATA[guest-poster]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[novainfosec twits]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security-news]]></category>
		<category><![CDATA[wade-woolwine]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=2104</guid>
		<description><![CDATA[Written by Guest Poster Wade Woolwine The Chief Information (Security) Officer* is a top-level executive who is responsible for defining and executing a plan for identifying, cataloging, and protecting information assets throughout a company or government agency. Seems like a pretty important job, right? So why is it that so many public and private companies don&#8217;t have one? Sure, there might be a CTO or a legal team that claims that part of its mission within the company is data, but that simply isn&#8217;t enough. In today&#8217;s world, just about every industry must maintain a certain amount of personal information about its customers even if the sole purpose is to be able to reliably discern one customer from another. In more extreme cases such as social networks, paid service providers, banks, or healthcare providers, the amount of PII (personally identifiable information) amassed in information systems becomes a huge liability for the company, and consumers demand that this information be kept safe from criminals. Who bears responsibility for this data? The CEO? Probably not; most CEOs are concerned with company performance, products, and marketing &#8211; in other words, making money for the company or shareholders. How about the CTO? [...]]]></description>
			<content:encoded><![CDATA[<p><em>Written by Guest Poster <a href="http://www.wadewoolwine.com/">Wade Woolwine</a></em></p>
<p>The Chief Information (Security) Officer* is a top-level executive who is responsible for defining and executing a plan for identifying, cataloging, and protecting information assets throughout a company or government agency. Seems like a pretty important job, right? So why is it that so many public and private companies don&#8217;t have one? Sure, there might be a CTO or a legal team that claims that part of its mission within the company is data, but that simply isn&#8217;t enough.</p>
<p>In today&#8217;s world, just about every industry must maintain a certain amount of personal information about its customers even if the sole purpose is to be able to reliably discern one customer from another. In more extreme cases such as social networks, paid service providers, banks, or healthcare providers, the amount of PII (personally identifiable information) amassed in information systems becomes a huge liability for the company, and consumers demand that this information be kept safe from criminals. Who bears responsibility for this data? The CEO? Probably not; most CEOs are concerned with company performance, products, and marketing &#8211; in other words, making money for the company or shareholders. How about the CTO? Perhaps, but when you&#8217;re also responsible for maintaining the availability of your product delivery platform, the focus on confidentiality and integrity of the data held within that platform is often lost to the availability of products and services to consumers. Furthermore, data does not typically sit idle on systems; it gets consumed by both customer-facing applications and internal applications such as trend calculation and other business intelligence functions that are likely not under the authority of the CTO.</p>
<p>By the position title alone, we can determine that the CI(S)O reports to the CEO and is a peer to other &#8220;C&#8221; level executives such as the CFO (Chief Financial Officer), CP/DO (Chief Product/Development Officer), CTO (Chief Technology Officer), and COO (Chief Operating Officer). Generically, and as I&#8217;ve already stated, the CI(S)O is responsible for identifying, cataloging, and protecting ALL information assets, whether the data is externally or internally sourced. As such, the CI(S)O must interface with other executives in order to identify, document, and classify data assets.<span id="more-2104"></span></p>
<p>This is a good place for a quick tangent on data classification: each information asset within the company must be evaluated against a set of defined criteria so that the level of protection applied to it is consistent with the risk associated with the loss or theft of that data. Incidentally, the responsibility for defining the classification levels and assigning the appropriate handling properties to each level falls on the CI(S)O.</p>
<p>Once all information assets have been identified, solutions must be devised and implemented to ensure the data remains protected no matter where it travels or rests within the company&#8217;s (and partners&#8217;) technical infrastructure. Partnerships with other executives are key to achieving this goal:</p>
<ul>
<li>The CI(S)O must interface with the CTO to ensure that solutions for network security/monitoring, host/server security, configuration/patch management, identity management, access controls, desktop security, and overall network and host health monitoring are in place. Please note that this is not an exhaustive list, just some key items to demonstrate the importance of the CI(S)O&#8217;s ability to interface with other executives and influence changes in other organizations within the same company.</li>
<li>The CI(S)O must interface with the CFO to ensure that appropriate data retention policies are in place, and that software, hardware, and communications paths used to transport or store sensitive employee data have appropriate levels of confidentiality, integrity, and non-repudiation.</li>
<li>The CI(S)O must interface with the COO to ensure that appropriate physical security controls, security awareness and security policy training programs, and employee accountability are in place.</li>
<li>The CI(S)O must interface with the CP/DO on implementing a robust software security lifecycle for applications and products that collect or display sensitive information.</li>
</ul>
<p>By no means is this meant to be an exhaustive list of CI(S)O responsibilities, but rather a select few to demonstrate that accountability for information security cannot be shared across multiple executive owners. With something as critical as securing consumer and corporate data against an ever-growing number and diverse set of threats, accountability at the highest levels of the company is key to creating and enforcing good security policies, procedures, and solutions.</p>
<p>*For the purposes of this article, I&#8217;ve assumed that the titles Chief Information Officer and Chief Information Security Officer are one and the same. The CI(S)O&#8217;s role is to ensure the security of information assets.</p>
<p><em><strong>Wade&#8217;s Bio</strong>: An IT Security professional in the Washington DC area, Wade works for a large Web Application Service Provider as a Senior Engineer on the IT Security Assurance Team. You can find Wade on Twitter <a href="http://twitter.com/wadew">@wadew</a> (you can also see him on our <a href="http://www.novainfosecportal.com/resources/nova-email-lists-networking/novainfosec-twits/">NovaInfosec Twits list</a>), and can read more of what he has to say on his blog at <a href="http://www.wadewoolwine.com/">WadeWoolwine.com</a>.</em></p>
<p style="text-align: center;">o o o o o</p>
<p style="text-align: center;">Many thanks to Wade for this excellent post. We hope that you&#8217;ll follow Wade&#8217;s lead and <a href="http://www.novainfosecportal.com/contact-us/">contact us</a> about becoming a guest poster for NovaInfosecPortal.com.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/09/09/what-no-ciso/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

