What is a (v)CISO

A Chief Information Security Officer (CISO) plays a crucial role in managing the overall security of an organization. The individual is part of the executive that often reports directly to the CEO or in some cases, the CFO or CIO. It is common for New Zealand businesses to outsource this capability to a trusted security organisation as it can reduce costs over a full time executive role and they are often trained experts; this is referred to as a Virtual CISO (VCISO).

What a CISO does

Any good CISO will implement a working plan that consists of the following nine items:

  1. Assess the Current State of Security: When a CISO first begins their role, they will begin by assessing the current state of security in the organisation, including understanding the existing assets: policies, procedures, and technologies in place. This will help you identify the gaps in the security posture and provide a foundation for your future efforts.
  2. Develop a Security Strategy: Based on the results of your assessment, develop a comprehensive security strategy that aligns with the organisation's goals and objectives. This strategy should include plans for preventing, detecting, and responding to security incidents.
  3. Conduct Risk Assessments: Regularly conduct risk assessments to identify and prioritize potential threats to the organisation. Use this information to inform your security strategy and allocate resources where they are needed most.
  4. Implement Security Controls: Implement the appropriate security controls to mitigate identified risks and protect the organisation from security incidents. This may include implementing firewalls, intrusion detection systems, and encryption technologies.
  5. Create a Security Awareness Program: Develop and implement a security awareness program that educates employees on how to identify and prevent security threats. This will help to reduce the risk of human error, which is one of the biggest contributors to security incidents.
  6. Conduct Regular Penetration Tests: Regularly conduct penetration tests to identify and remediate vulnerabilities in the organisation's systems and applications. This will help to prevent security incidents before they occur.
  7. Develop an Incident Response Plan: Develop and maintain an incident response plan that outlines the steps to be taken in the event of a security incident. This will help to ensure a quick and effective response in the event of a security breach.
  8. Continuously Monitor and Review: Continuously monitor and review the security posture of the organisation to ensure that it remains effective and up-to-date. This may include regular security audits, threat intelligence updates, and security tool upgrades.
  9. Foster a Culture of Security: Foster a culture of security throughout the organisation by promoting the importance of security and making it a priority. Encourage employees to report security incidents and actively participate in security awareness training that is tailored and suitable for your business vertical.