Structuring the Chief Information Security Officer Organization

Abstract

Chief Information Security Officers (CISOs) are increasingly finding that the tried-and-true, traditional information security strategies and functions are no longer adequate when dealing with todays increasingly expanding and dynamic cyber risk environment. Many opinions and publications express a wide range of functions that a CISO organization should be responsible for governing, managing, and performing. How does a CISO make sense of these functions and select the ones that are most applicable for their business mission, vision, and objectives? This report describes how the authors defined a CISO team structure and functions for a large, diverse U.S. national organization using input from CISOs, policies, frameworks, maturity models, standards, codes of practice, and lessons learned from major cybersecurity incidents.

Open PDF

Document Details

Document Type
Technical Report
Publication Date
Sep 07, 2015
Accession Number
AD1046633

Entities

People

  • Brendan Fitzpatrick
  • David Tobar
  • Gregory Crabb
  • Julia H. Allen
  • Nader Mehravari
  • Pamela D. Curtis

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Business Administration
  • Commerce
  • Computer Network Security
  • Computer Networks
  • Computer Security Techniques
  • Computers
  • Cybersecurity
  • Department Of Homeland Security
  • Information Security
  • Information Systems
  • Knowledge Management
  • Management Personnel
  • Organizational Structure
  • Personnel Management
  • Security
  • Software Development
  • Standards

Fields of Study

  • Computer science

Readers

  • Cybersecurity.
  • Defense Acquisition Program Management
  • Systems Analysis and Design

Technology Areas

  • Cyber