JEFF HOWELL

Management and Cyber Security

Executive Responsibility
Liability for data breaches that impact customers leads directly to the C-suite. Executives have an ethical, professional and, in many cases, legal obligation to personally know the strength of their company’s cyber defenses, as well as the company strategy for countermeasures and responses to attacks and breaches. However, a survey conducted as recently as 2017 (after the infamous Target, Sony and Equifax breaches) revealed that only 40% of executive teams had a good understanding of their cyber security protocols and capabilities (Sweeney, 2017). The lack of understanding includes both tactical and strategic gaps. Methods of resolving the tactical gaps include annual vulnerability assessments and incident response tests (Khiabani, 2014). However, a more impactful method for closing the gap is for the C-suite, specifically the CEO, to establish a stronger rapport and working relationship with the CISO (Sweeney, 2017). While the CISO has the responsibility to identify risks and implement protocols, it is the line of business (LoB) executives’ responsibility to understand and implement security procedures across the business.

Responsibility of the CEO
The CEO, as the top executive in the company, has the responsibility to manage risk, which includes cyber security risks. The CEO needs to model the importance of cyber security by having direct involvement with the senior security executives who drive the cyber security strategy throughout the organization (Kaplan, et al., 2011). CEOs must continually educate themselves and the Board of Directors (BoD) on cyber security, as this risk is inherently dynamic.

Responsibility of the CISO
The role of the modern-day CISO is to provide the leadership and guidance necessary for an organization to manage the risks to the confidentiality, integrity and availability of the organization's intellectual property and information technology assets (Wild, 2017). This includes security policies, procedures, controls, and the ISSP (Information Systems Security Plan), plus creating and building the security organization to support the company.
References:
Kaplan, J., Sharma, S., & Weinberg, A. (2011, June). Meeting the cybersecurity challenge. Retrieved July 7, 2018, from https://www.mckinsey.com/business-functions/digitalmckinsey/our-insights/meeting-the-cybersecurity-challenge

Khiabani, H. (2014, April 7). Incident Response Exercise Planning Be Ready – Be Prepared. Retrieved July 7, 2018, from https://www.sans.org/readingroom/whitepapers/incident/incident-handling-annual-testing-training-34565

Sweeney, B. (2017, April 24). Cybersecurity Is Every Executive's Job. Retrieved July 7, 2018, from https://hbr.org/2016/09/cybersecurity-is-every-executives-job

Wild, A. (2017). What is the Role of the CISO? Retrieved July 1, 2018, from http://www.infosectoday.com/Articles/CISO_Role.htm#.WzknwtJKjb1
Jeff Howell  -  San Carlos, CA  -  Privacy Statement - email Jeff