Tuesday, November 4, 2014

Week 11 - Who's in charge of security

When looking at the information security function in an organization it is important to understand the roles that must be fulfilled for security policies to be created, implemented, and enforced.  Larger organizations require multiple positions to be defined in the information security department, and these are arranged in a typical hierarchy.  At the top is the chief information security officer (CISO), which is often the highest ranked information security role in a company.  Reporting to the CISO is the security manager, who is responsible for the day-to-day activities of the information security department.  In larger companies there may be multiple security managers, depending on the activities that are required for organizational security.

Multiple roles report to a security manager.  The first is the security technician, a hands-on role that works with the security hardware and applications protecting the organization.  This role generally specializes in a specific piece of hardware or security application and, depending on the organization's requirements, a different specialist will be needed for each technology deployed.  A second role reporting to the security manager is the security administrator.  This role is responsible for the administration of the security devices and applications that protect the organization.  There can be some overlap in the duties of the security technician and the security administrator roles.  The final role reporting to the security manager is the security officer.  This role ensures the physical security of the organization and may be charged with patrolling the facility and ensuring visitors are correctly supervised during a visit.  All of these positions, from the CISO on down, usually require certification in a security area, and most of the certifications require a substantial amount of effort to obtain and maintain.

Until recently, organizations have been somewhat lax about information security and about filling the roles needed for a functional information security department.  Where the roles were filled at all, this was done in a haphazard manner with no common method of communication between different parts of the organization.  This has effectively created silos of information security functions.  The danger here is that an organization can have all of the proper policies, security devices, and applications in place, yet a lack of communication can effectively neuter these efforts because no one person can see the overall security picture.  Mark Hatton wrote an article in SecurityWeek on July 1, 2014, titled Sooner or Later You'll Get Hacked and Hire a CISO, about this exact silo situation, which occurred at Target stores in 2013 and caused the largest breach of customer credit and debit card information to date, over 110 million individual accounts.  Target had all of the security pieces in place, including compliance with the Payment Card Industry (PCI) standard, yet even though these preparations worked as intended, the lack of an overall security picture resulted in a failure.  Mr. Hatton proposes that the greatest reason for an organization to have a CISO is to have a single role in charge of security.  This allows visibility of all aspects of security to flow into one place, and direction to be given on how the organization's security position will be addressed.  Target hired a well-known CISO as of July 16, 2014, and he stated that there was a strong team and a commitment from leadership to become the leader in retail information security.  Hopefully others in the industry will treat this as a lesson learned and follow suit.
