Emphasize that often in large organizations, the information technology (IT) department houses the information security (IS) department

Question:

Emphasize that often in large organizations, the information technology (IT) department houses the information security (IS) department and designates a chief information security officer (CISO) or chief security officer (CSO) to operate it.
Advocate to learners that according to the 2019 (ISC)² Cybersecurity Workforce Study, the fewer the people in an organization, the less likely a CISO or CSO would be handling security duties.
Stress that the CISO most commonly reports directly to the company’s top computing executive, the CIO or vice president for IT. Such a structure implies that the goals and objectives of the CISO and CIO are aligned, but this is not always the case.
Review the core functions that a CISO or CSO often completes daily.
Justify the fact that a CIO and CISO often tend to contradict each other, which requires an organization to have two separate departments to keep the peace.
Outline the best practices listed in Cresson Wood’s book, Information Security Roles and Responsibilities Made Easy, that an organization should implement so that an information security program is positioned for success within any of the following organizational functions:
IT as a peer of other subfunctions such as networks, applications development, and the help desk.
Physical security as a peer of physical security or protective services.
Administrative services as a peer of human resources or purchasing.
Insurance and risk management.
The legal department.
Relate that once a structure has been identified, the next challenge that an organization often faces is the establishment of a reporting structure that balances competing needs of each community of interest they will serve. This balance is between keeping information safe and secure while integrating it into the culture through training, awareness, and support services.

Related Book:

Principles Of Information Security

ISBN: 9780357506431

7th Edition

Authors: Michael E. Whitman, Herbert J. Mattord