The Chief Information (Security) Officer* is a top level executive who is responsible for defining and executing a plan for identifying, cataloging, and protecting information assets throughout a company or government agency. Seems like a pretty important job, right? So why is it that so many public and private companies don’t have one? Sure, there might be a CTO, or legal team who claims that part of their mission within the company is data, but that simply isn’t enough.

In today’s world, just about every industry must maintain a certain amount of personal information about their customers even if the soul purpose is to be able to reliably discern one customer from another. In more extreme cases such as social networks, paid services providers, banks, or healthcare providers, the amount of PII (personally identifiable information) amassed in information systems becomes a huge liability for the company and consumers demand that this information be kept safe from criminals. Who bares the responsibility for this data? The CEO? Probably not, most CEOs are concerned with company performance, products, and marketing – in other words, making money for the company or share holders. How about the CTO? Perhaps, but when you’re also responsible for maintaining the availability of your product delivery platform, the focus on confidentiality and integrity of the data maintained within the platform is often lost to availability of products and services to consumers. Furthermore, data does not typically sit stagnantly on systems, it gets consumed by both customer facing applications and internal application such as trend calculation and other business intelligence purposes that are likely not under the authority of the CTO.

By the position title alone, we can determine that the CI(S)O reports up to the CEO and is a peer to other “C” level executives such as the CFO (Chief Financial Officer), CP/DO (Chief Product/Development Officer), CTO (Chief Technology Officer), and COO (Chief Operating Officer). Generically, and as I’ve already stated, the CI(S)O is responsible for identifying, cataloging, and protecting ALL information assets, whether this data is externally or internally sourced. As such, the CI(S)O must interface with other executives in order to identify, document, and classify data assets.

It feels like a good place for a quick tangent on data classification; each information asset within the company must be evaluated against a set of defined criteria to ensure that the level of protection applied to said assets is consistent with the risk associated with the loss or theft of the data. Incidentally, the responsibility for defining the classification levels and assigning appropriate properties to each level falls on the CI(S)O.

Once all information assets have been identified, solutions must be devised and implemented to ensure the data remains protected no matter where it travels or rests within the company’s (and partners) technical infrastructure. Partnerships with other executives are key to achieve this goal:

• The CI(S)O must interface with the CTO to ensure that solutions for network security/monitoring, host/server security, configuration/patch management, identity management, access controls, desktop security, and overall network and host health monitoring are in place. Please note that this is not an exhaustive list, just some key items to demonstrate the importance of the CI(S)O’s ability to interface with other executives and influence changes in other organizations within the same company.
• The CI(S)O must interface with the CFO to ensure that appropriate data retention policies are in place, and that software, hardware, and communications paths used to transport or store sensitive employee data have appropriate levels of confidentiality, integrity, and non-repudiation.
• The CI(S)O must interface with the COO to ensure that appropriate physical security controls, security awareness and security policy training programs, and employee accountability are in place.
• The CI(S)O must interface with the CP/DO on implementing a robust software security lifecycle for applications and products that collect or display sensitive information.

By no means is this meant to be an exhaustive list of CI(S)O responsibilities, but rather a select few to demonstrate that information security cannot be shared across multiple executive owners. With something as critical as securing consumer and corporate data against an ever growing number and diverse set of threats, accountability at the highest levels of the company is key to creating and enforcing good security policies, procedures, and solutions.

*For the purposes of this article, I’ve assumed that the titles Chief Information Officer and Chief Information Security Officer are one and the same. The CI(S)O’s roles is to ensure the security of information assets.

Wade’s Bio: An IT Security professional in the Washington DC area, Wade works for a large Web Application Service Provider as a Senior Engineer on the IT Security Assurance Team. You can find Wade on Twitter @wadew (you can also see him on our NovaInfosec Twits list), and can read more of what he has to say on his blog at WadeWoolwine.com.

o o o o o

Many thanks to Wade for this excellent post. We hope that you’ll follow Wade’s lead and contact us about becoming a guest poster for NovaInfosecPortal.com.

oneguynick @grecs I moved to NOVA in Jan. Can your recommend other people to follow in our community near here? Want to get more involved.

While we haven’t talked about in a little while, we created NovaInfosec Twits for this very reason; to promote a stronger community and information sharing in the local security community through Twitter.

As we mentioned before, it can be hard to find local security professionals by doing a search on Twitter. There’s no guarantee that local security professionals have the word ’security’ or ‘infosec’ in their names or descriptions, making it unlikely that you will be able to find them when doing a search on Twitter.

NovaInfosec Twits solves this problem by keeping a list of Twitter accounts and short bios of local security professionals. You can go to the NovaInfosec Twits page on Twitter to see who’s who in the local security community, or you can visit this page to see the list.

If you’d like to be added to the list, message us @grecs and say that you would like to be added to the list. Then follow @novainfosec. We’ll then follow you back.

If you would like to post tweets to the novainfosec group, all you need to do is dm novainfosec and your post will automatically be retweeted. You can also use a service like twitter100 to track everybody.

While many people aren’t aware of NovaInfosec Twits (much like our Calendar), we think that it’s a good step toward promoting a strong, local security community. If you’d like to be a part of this, please consider adding your name to the list, or passing this post along to a friend!

We’ve also added some standard hashtags. The idea is to help organize tweets somewhat. For example, adding #con to the end of a tweet lets others know it relates to conferences and appending #edu shows the tweet is about training. Beyond this tagging feature, we’ve also added an automated retweet capability. Once you are part of the NovaInfosec Twits group, all you need to do is direct message (dm) novainfosec and your post will automatically be retweeted.

Lastly, @rybolov pointed out in one of his tweets the formation of another Twit directory focused on government agencies and associated organizations. So we thought that it would be convenient to include a list of related Twit directories on the page as well. Right now we just have the original Security Twits and rybolov’s tweeted GovTwits directories but we hope to grow it. If you know of any other groups, please message @grecs or Contact Us.

Well that is about it. For more information head on over to the NovaInfosec Twits page. Oh, and if you want to add me to your Twitter feed, I am over here. Additionally, feedback is always encouraged – again just message @grecs or Contact Us.

There seems to be quite the little NoVA information security (NovaInfosec) community growing on Twitter, which truthfully has made for some fascinating discussion over the last few weeks. However there are a few challenges:

• It’s really hard to find each other. Searches via Tweet Scan on the “novainfosec” keyword result in everything from complaining about physical security to debating homeland security to emo song lyrics.
• Not a whole lot of of NovaInfosec folks are yet on Twitter, and if they are, see bullet No. 1.
• Even if you find a NovaInfosec person and add them, unless they use Twitter Karma, they may not even know you’re following them due to Twitter’s unreliable and sporadic notification system.

What’s the solution? Twitter Packs, while a great tool, can be a bit daunting if you’re really trying to dig into one niche area, and really at this point only Twitter power users know about the packs. It was suggested to me yesterday that a separate list of “NovaInfosec Twits” (really, guys, it’s not an insult — Twitter users = Twits) that the NovaInfosec community could manage itself would be a great tool. I agreed:

NOVAINFOSEC TWITS LIST IS HERE

So, what now? Click on the names above to view the NovaInfosec Twits’ (I swear this is what it’s called…) Twitter pages, and if you’re on Twitter, add them to your follower list. If you’re not on Twitter, sign up. Whether it be Twitter or Pownce or Jaiku, micro-blogging is on fire right now, and based on research thus far the NovaInfosec network hasn’t spread as widely to the other two services — yet. If you’re new to Twitter, read this blog post on the must-haves for newbies. Send this list to your own NovaInfosec networks and recruit more NovaInfosec Twits. Comment below if you have any corrections or additions.

Oh, and if you want to add me to your Twitter feed, I am over here. Feedback is always welcome.