Chapter 6

The Cyber Security Officer’s Position, Duties, and Responsibilities

Abstract

The objective of this chapter is to define the role that the cyber security officer will play in a corporation or government agency. In this case, it is the role of the cyber security officer in an international corporation. The duties and responsibilities of a cyber security officer vary depending on the place of employment. However, in this case, we are assuming the cyber security officer has the perfect position because it is one all cyber security officers should strive to attain in order to “do it right the first time.”

Keywords

Cellular phones; Cyber security officer; Management blank check; Mission statements; Project management; Quality statements; Risk management; Vision statements

Responsible, who wants to be responsible? Whenever something bad happens, it’s always, who’s responsible for this?

Jerry Seinfeld1


Introduction

The role of the cyber security officer is more demanding now than ever before, owing to advances in technology, especially in miniaturization and mobility; more national and global network interfaces to his or her corporation; and more sophisticated attacks. The challenges have never been greater, and they will only grow over time.

Where It Began and Its Evolution and Revolution

We began with only physical security, as after all, the ENIAC and other early computers did not connect to the world. A guard, a paper authorized-personnel access list, an alarm, and such were all that were needed in those early days. But as the computer evolved over time, so did the profession of the cyber security officer.
The security profession at that time was primarily made up of retired or former law enforcement or military personnel, who had no interest in computer security. They knew physical security, investigations, and personnel security. This new thing called a computer was best left to the computer scientists and engineers.
As systems evolved, so did the departments responsible for their support. Departments that were once engineering departments perhaps became information resource management departments and later became known as information technology (IT) departments. The protection of this new technology stayed with the IT people. However, the computer security positions within the IT departments also evolved.
As the microprocessor and its related technology developed, the once-separated telecommunications and computer staffs began their integration. Consequently, the “computer security” profession began to also consider the protection of information as it flowed through telecommunications links. As the Internet evolved, the need for protecting information as it was displayed, such as on Web sites, also became an important task for those responsible for protecting the hardware, software, and firmware.
Information and related systems are some of a business’s most valuable assets, one can argue, second only to the employees. In fact, although no one in management within a business would ever prioritize assets to place information and systems above the employees—at least not publicly—people can always be replaced, and replaced at less cost and adverse impact to the business, than trade secrets and information networks. However, that will probably remain an unspoken issue because of the sensitive nature of valuing machines over humans.
When we think about it, though, information really is business’s No. 1 asset. After all, employees can be terminated, even replaced by computers, and the business survives. In fact, profits may even increase because of lower labor costs. However, eliminate an intranet or national or global information infrastructure connection and the business could be lost.
Today, the cyber security officer position is generally still part of the IT department’s function. Now, the cyber security officer is responsible for the protection of information and the systems that store, process, transmit, and display that information. The cyber security officer profession has matured into a separate profession, and in most large-to-medium companies, it is more than a part-time job or additional responsibility these days. In smaller businesses it remains mostly a part-time job or is outsourced with other security-related functions.
Information systems of various types, such as cellular phones, notebook computers, personal digital assistants, and fax machines, are all used to process, store, transmit, and display information. These devices are becoming more and more integrated into one device. Couple this phenomenon with the hard copies being produced, and one finds that information may be protected on an intranet but leaked through a cellular phone or printed on paper and then taken out of the business’s facilities.
Case Study
Cellular phones are becoming smaller and smaller. Digital cameras are also being installed into these cellular phones. Since management wants their employees to have the latest high-technology devices that help support the business in the most efficient and effective way possible, employees are issued cellular phones. The cellular phones with digital cameras integrated into them allow employees to digitally send photographs as part of their business communications processes. It also provides the opportunity for the employee to photograph sensitive documents, facilities, and such and send the photos directly to unauthorized sources. Thus, there is now another method of performing “Netspionage” (network-enabled espionage). As a cyber security officer, do you have policies, etc., in place to mitigate this new threat?
The cyber security officer position must evolve to be responsible not only for protecting information and systems related to, or the responsibility of, the IT department, but also for protecting all of the business’s information assets. It is ridiculous to have the business security professional responsible for the security of company assets, including hard-copy documents, people, and facilities, and leave the protection of automated information and systems essentially to IT people. These positions must be integrated to provide a holistic asset protection approach. This may be accomplished through the evolution of the cyber security officer professional into more than a “computer protector” and the security manager into more than a physical security manager. Here in 2016, we are slowly, grudgingly getting there, but ever so slowly, except when it comes to management fixing blame, of course.
The cyber security officer position is evolving, but no real, permanent, standardized “home” has been identified for it. It depends on the structure and culture of the corporation in which he or she is employed. We do see signs of this changing as the evolution continues: from guard, to computer scientist, engineer, IT specialist, and computer security specialist, to information security (InfoSec) officer, and now to cyber security officer, with some indications of further change toward titles such as corporate information assurance officer or corporate information security officer. In some cases, the evolution of the profession has already led to making the cyber security officer a part of executive management in the position of a vice president. Of course this varies, as can be expected, by the culture of the corporation.
Still, the evolution must continue until all information and systems are integrated into a total business cyber security profession. This requires the combining of business (corporate) security, for example, physical security and personnel security, and the cyber security officer responsibilities. It is the best way to safeguard all business assets in a holistic and cost-effective manner, but again, based on the corporate culture.

The Cyber Security Officer in a Global Corporation

If you are chosen as the new cyber security officer for a global corporation, you should have determined the history of that position:
• When was it established?
• Why?
• What is expected of you as the cyber security officer?
• What are your responsibilities and duties?
• What are you accountable for?
• What happened to the last one? (You want to know so you can understand the political environment in which you will be working.)
As you begin your new job as the corporate cyber security officer, you must clearly determine what is expected of you. Again, this information should have been asked during your interview process for two reasons:
• So you know what you were getting into by accepting the cyber security officer position and
• So you can better prepare for the position with a more detailed cyber security program prior to beginning your first day at work.
You need a detailed plan prior to beginning your employment because you will be behind schedule from the moment you walk in the corporate door. That is because putting together a cyber security program from the start is a tremendous project. More likely than not, in today’s world, you will be inheriting someone else’s cyber security program.
As the new cyber security officer, it is important to review the program you are inheriting, its philosophy, and the logic behind its policies and procedures. Never change anything unless you can make it better based on risk analysis methodology, not just different, as that costs money. Furthermore, there may be very good reasons it is what it is, or the chief executive officer or corporate information officer (CIO) would not have approved it the way you inherited it.
You must also determine the answers to the following:
• What is important and requires protection?
• What is being protected?
• In what manner?
• Is a staff needed?
• If so, how many?
• With what qualifications, for what positions?
• What are the tasks to be performed?
• What are the mandatory, best practices, and optional requirements to be met?
• What processes and functions are necessary to meet those requirements?
• What are the necessary budget allocations?
• What metrics management techniques are required?
and the list goes on.
On top of all this is the need to learn about the corporate culture, normal corporate policies and procedures, and all that comes with just joining a company. As the new cyber security officer, you cannot afford to waste any time in your 24/7 duties. You must understand and learn your new environment, the key players, and the issues that must be addressed first. Often, cyber security officers tend to isolate themselves from the rest of the corporation and consider it almost a “me against them” situation. In today’s corporations this will get you nowhere but possibly out the corporate door. As a cyber security officer, you and your staff must integrate your functions into the corporate mainstream and integrate yourselves into the processes of the business. “Teaming” with others in the corporation is the only way to succeed in today’s information-based, information-supported, and information-dependent modern corporations.
The cyber security officer must eventually get into a proactive mode to be successful, that is, identifying problems and solutions before they come to the attention of management. Cyber security-related problems will undoubtedly get management’s attention when they adversely affect costs and/or schedules. Adverse impacts on costs and schedules run contrary to the cyber security program goal, objectives, etc.
When a cyber security officer is in the position of constantly putting out fires, the proactive cyber security program battle is lost. If that battle is lost, the results are adverse impacts on costs and schedules. The goal of a cost-effective cyber security program cannot be attained.
As the cyber security officer, you have been told that you are expected to establish and manage a cyber security program that works and is not a burden on the corporation. You are told to establish a program that you believe is necessary to get the job done. You have the full support of management because they have come to realize how important their information and systems are to the corporation maintaining its competitive advantage in the global marketplace. This honeymoon will last maybe about six months—if you are lucky. So, you must take advantage of it. To do so, you must have a fast start and then pick up speed.
Based ideally on a “management blank check” and your prior experience (or for the inexperienced cyber security officer, the information gained from reading this book), you have evaluated the corporate environment and have decided that the overall goal of the cyber security program is to:

Administer an innovative cyber security program that minimizes risks to these valuable assets at the least impact to costs and schedules, while meeting all of the corporation’s and customers’ reasonable expectations.

If that is what is expected of you, then that is your primary goal. Everything you do as the cyber security officer should be focused and directed toward meeting that goal. That includes incorporating that philosophy into your:
• Cyber security strategic plan,
• Tactical plan, and
• Annual plan.

Cyber Security Officer Duties and Responsibilities

As a global corporation’s cyber security officer, you have certain duties and responsibilities. These include the following:
Managing people, which includes:
• Building a reputation of professional integrity;
• Maintaining excellent business relationships;
• Dealing with changes;
• Communicating;
• Influencing people in a positive way;
• Building a teamwork environment; and
• Developing people through performance management, such as directing and helping the cyber security staff to be result-oriented.
Managing the business of the cyber security program, which consists of:
• A commitment to results;
• Being customer/supplier focused;
• Taking responsibility for making decisions;
• Developing and managing resource allocations, such as budgets;
• Planning and organizing;
• Being a problem-solver;
• Thinking strategically;
• Using sound business judgment; and
• Accepting personal accountability and ownership.
Managing cyber security processes, which includes:
• Project planning and implementation;
• Persistence of quality in everything;
• Maintaining a systems perspective; and
• Maintaining current job knowledge.

Goals and Objectives

Remember that your primary goal is to administer an innovative cyber security program that minimizes information protection risks at the least impact to costs and schedules, while meeting all of the corporation’s and customers’ reasonable expectations.
You must have as your objectives at least the following:
• Enhance the quality, efficiency, and effectiveness of the cyber security program.
• Identify potential problem areas and strive to mitigate them before they adversely affect processes, and especially before management and/or customers identify them.
• Enhance the company’s ability to attract customers because of the ability to efficiently and effectively protect their information.
• Establish and manage the InfoSec organization as the leader in the widget industry.

Leadership Position

As a cyber security officer, you will be in a leadership position. In that position, it is extremely important that you understand what a leader is and how a leader is to act.
According to the definition of leadership found in numerous dictionaries and management books, it basically means the position or guidance of a leader, the ability to lead, the leader of a group; a person that leads; or the directing, commanding, or guiding head, as of a group or activity.
As a cyber security professional and leader, you must set the example: create and foster an “information protection consciousness” within the company.
As a corporate leader, you must communicate the company’s community involvement, eliminate unnecessary expenses, inspire corporate pride, and find ways to increase profitability.
As a team leader, you must encourage teamwork, communicate clear direction, create a cyber security environment conducive to teaming, and treat others as peers and team members, not as competitors.
As a personal leader, you must improve your leadership skills, accept and learn from constructive criticism, take ownership and responsibility for decisions, make decisions in a timely manner, and demonstrate self-confidence.

Providing Cyber Security Service and Support

As the cyber security officer and leader of a cyber security service and support organization, you must be especially tuned to the needs, wants, and desires of your customers, both internal (those within the company) and external (those who are outside the company and are usually the company’s customers).
To provide service and support to your external customers, you must:
• Identify their information protection needs;
• Meet their reasonable expectations;
• Show by example that you can meet their expectations;
• Treat customer satisfaction as Priority 1;
• Encourage feedback and listen;
• Understand their needs and expectations;
• Treat customer requirements as an important part of the job;
• Establish measures to ensure customer satisfaction; and
• Provide honest feedback to customers.
To provide service and support to your internal customers, you must:
• Support their business needs;
• Add value to their services;
• Minimize security impact to current processes; and
• Follow the same guidelines as for external customers.
As the corporate cyber security officer, you will also be dealing with suppliers of cyber security products. These suppliers or vendors are valuable allies because they can explain to you the many new cyber security-related problems being discovered, and how their products mitigate those problems. In addition, they can keep you up-to-date on the latest news within the cyber security officer profession and about the latest InfoSec tools available. Furthermore, you can make yourself available to beta test new cyber security products and provide feedback so the final products will meet your needs.
In dealing with suppliers of cyber security-related products, you should do the following:
• Advise them of your needs and what types of products can help you;
• Assist them in understanding your requirements and the products that you want from them, including what modifications they must make to their products before you are willing to purchase them;
• Direct them in the support and assistance they are to provide you;
• Respect them as team members;
• Value their contributions;
• Require quality products and high standards of performance from them;
• Recognize their needs also.

Use Team Concepts

It is important that as the cyber security officer, you understand that the cyber security program is a company program. To be successful, the cyber security officer cannot operate independently, but as a team leader, with a team of others who also have a vested interest in the protection of the company’s information and information systems.
It is important to remember that if the cyber security program and its related functions are divided among two or more organizations (e.g., other asset protection such as physical security of hardware under the security department), there will naturally be a tendency for less communication and coordination—and of course political turf battles. The cyber security officer must be sensitive to this division of functions and must ensure that even more communication and coordination occur between all the departments concerned.
The cyber security procedures must be sold to the management and staff of the corporation. If they are presented as a law that must be followed or else, then they will be doomed to failure. The cyber security officer will never have enough staff to monitor everyone all the time, and that is what will be needed. For as soon as the cyber security officer’s back is turned, the employees will go back to doing it the way they want to do it. Everyone must do it the “right security way” because they know it is the best way and in their own interests, as well as in the interest of the corporation.
In many global corporations today, success can be achieved only through continuous interdepartmental communication and cooperation and by forming specialists from various organizations into integrated project teams to solve company problems. The cyber security officer should keep that in mind. Teaming and success go together in today’s modern corporation.

Vision, Mission, and Quality Statements

Many of today’s modern corporations have developed vision, mission, and quality statements using a hierarchical process. The statements, if used, should link all levels in the management and organizational chain. The statements of the lower levels should be written and used to support the upper levels and vice versa.
The following examples can be used by the cyber security officer to develop such statements, if they are necessary. It all depends on the culture of the corporation and the processes in place. It seems that these types of statements are “politically required” but given lip service as they are thrust on the employees by some outsourced marketing firm or internal marketing group.

Vision Statements

In many of today’s businesses, management develops a vision statement. As stated earlier in this book, the vision statement is usually a short paragraph that attempts to set the strategic goal, objective, or direction of the company.
The corporation may have a vision statement and require all organizations to have statements based on the corporate statement. Remember that a vision statement is a short statement that:
• Is clear, concise, and understandable by the employees;
• Is connected to ethics, values, and behaviors;
• States where the corporation wants to be (long term);
• Sets the tone; and
• Sets the direction.
The following is an example of a vision statement: The corporate vision is to maintain its competitive advantage in the global marketplace by providing widgets to our customers when they want them, where they want them, and at a fair price.
The cyber security officer may report to the CIO, whose vision statement might read: In partnership with our customers, we provide a competitive advantage for the IWC widget by continuous maximization of available technology and innovative information management concepts to enhance productivity and cost-effectively support increased production of corporate products.
The cyber security vision statement may be: We provide the most efficient and effective cyber security program for the corporation, which adds value to our products and services, as a recognized leader in the widget industry.

Mission Statements

Remember that mission statements are declarations of the purpose of a business or government agency. Below are samples:
Mission statement: The corporate mission is to design, manufacture, and sell high-quality products, thereby expanding our global market share while continuing to improve processes to meet customers’ expectations.
CIO mission statement: The mission of the corporate information office is to efficiently and effectively manage information and provide low-cost, productivity-enhanced, technology-based services that will assist IWC in maintaining its competitive advantage in the marketplace.
Cyber security program mission statement: Administer an innovative program that minimizes information protection risks at the least impact to cost and schedule, while meeting all of IWC’s and customers’ information and information systems assets requirements.

Quality Statement

Remember that quality is what adds value to your company’s products and services. It is what your internal and external customers expect from you.
Quality statement: To provide quality widgets to our customers with zero defects by building it right the first time.
CIO quality statement: To provide quality information management services and systems support while enhancing the productivity opportunities of the IWC workforce.
Cyber security program quality statement: Consistently provide quality cyber security professional services and support that meet the customers’ requirements and reasonable expectations, in concert with good business practices and company guidelines.2

Cyber Security Principles

The cyber security officer’s duties and responsibilities are many and sometimes quite complex and conflicting. However, as the corporate cyber security officer, you must never lose sight of the three basic principles:
• Access control;
• Individual accountability; and
• Audit trails.
This triad of principles must be incorporated into the cyber security program. For just as a three-legged stool requires three strong and level legs to be useful, the cyber security program requires these three strong principles. Without all three, the cyber security program will topple, just as a two-legged stool will topple.

Project and Risk Management Processes

Two basic processes that are an integral part of a cyber security program are project management and risk management concepts.

Project Management

As the cyber security officer and organizational manager and leader for the corporation, you will also provide oversight on cyber security-related projects that are being worked by members of your staff.
The criteria for a project are as follows: Formal projects, along with project management charts, will be initiated where improvements or other changes will be accomplished and where that effort has an objective, has beginning and ending dates, and will take longer than 30 days to complete.
If the project will be accomplished in less than 30 days, a formal project management process is not needed. The rationale for this is that projects of short duration are not worth the cost (in terms of time needed to complete the project plan, charts, etc.) of such a formal process.

Risk Management

To be cost-effective, the cyber security officer must apply risk-management concepts and identify:
• Threats to the information and information systems of the corporation;
• Vulnerabilities (information systems’ weaknesses);
• Risks; and
• Countermeasures to mitigate those risks in a cost-effective way.

Cyber Security Officer and Organizational Responsibilities

As the cyber security officer, you will be managing and leading a cyber security organization. You will be responsible for developing, implementing, maintaining, and administering a company-wide program. The following is an example scenario for the development of your organizational responsibilities.
You have evaluated the corporate environment and found that a centralized cyber security program is required to cost-effectively jump-start the program and its associated processes. Your evaluation of what is needed led you to consider the following program-related functions for development:
• Management of all functions and work that are routinely accomplished during the course of conducting the organization’s business in accordance with corporate policies and procedures;
• System access administration and controls, including the direct use and control of system access software, monitoring its use, and identifying access violations;
• Access violation analyses to identify patterns and trends that may indicate an increased risk to systems or information;
• Computer crime and abuse inquiries where there are indications of intent to damage, destroy, modify, or release to unauthorized people information of value to the company (Note: this function was coordinated and agreed to by the Director of Security as long as his investigative organization manager was kept apprised of the inquiries and copies of all reports sent to that manager);
• Disaster recovery/contingency planning, which includes directing the development and coordination of a company-wide program to mitigate the possibility of loss of systems and information and ensure their rapid recovery in the event of an emergency or disaster;
• An awareness program established and administered to all system users to make them aware of the information systems protection policies and procedures that must be followed to adequately protect systems and information;
• Evaluation of the systems’ hardware, firmware, and software for impact on the security systems and information;
• Risk assessments, where applicable, with the results reported to management for risk decisions;
• Systems compliance inspections, tests, and evaluations to ensure that all users and systems are in compliance with IWC’s CIAPP policies and procedures.
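The chapter names access control, individual accountability, and audit trails as the three legs of the program, and lists system access administration and access-violation analysis among the functions to be developed. The following is an added example, not code from the book or from IWC, showing how those pieces fit together in a small gate: an explicit allow-list decides each request, only named individuals (no shared accounts) may act, every decision is appended to a hash-chained trail whose integrity can be checked, and a report over that trail surfaces the repeated-denial patterns the violation-analysis function is meant to find. All users, resources, the ACL, and the request sequence are constructed for illustration; hash chaining the trail entries is this example's choice, not a method the chapter prescribes.

```python
# Added example (not from the book): a minimal access-control gate that
# enforces the chapter's three principles (access control, individual
# accountability, audit trails) and feeds the access-violation analysis
# the chapter lists as a program function. Every user, resource and
# request below is constructed for illustration.
import hashlib
import json
from collections import Counter
from datetime import datetime, timezone

# Individual accountability: only named individuals may act. Shared or
# generic accounts are refused so every audit entry maps to one person.
INDIVIDUALS = {"alice", "bob", "carol"}

# Access control: an explicit allow-list, least privilege by default
# (anything not listed is denied). Constructed sample ACL.
ACL = {
    "payroll-db": {"alice": {"read", "write"}, "bob": {"read"}},
    "design-share": {"carol": {"read", "write"}, "bob": {"read"}},
}


class AuditTrail:
    """Append-only trail; each entry carries the hash of the previous one,
    so deletion or alteration of any entry is detectable by verify()."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self._prev = self.GENESIS

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user, action, resource, decision, reason):
        body = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "resource": resource,
            "decision": decision, "reason": reason, "prev": self._prev,
        }
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        self._prev = entry["hash"]
        return entry

    def verify(self):
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def authorize(trail, user, action, resource):
    """Apply the two checks and record the outcome either way."""
    if user not in INDIVIDUALS:
        trail.record(user, action, resource, "DENY", "not an individual account")
        return False
    if action in ACL.get(resource, {}).get(user, set()):
        trail.record(user, action, resource, "ALLOW", "acl match")
        return True
    trail.record(user, action, resource, "DENY", "no acl entry")
    return False


def violation_report(trail, threshold=3):
    """Access-violation analysis: denials per user and per resource, plus
    the users whose denial count reaches the threshold (a pattern worth
    an inquiry rather than a single mistyped request)."""
    denied = [e for e in trail.entries if e["decision"] == "DENY"]
    by_user = Counter(e["user"] for e in denied)
    by_resource = Counter(e["resource"] for e in denied)
    flagged = sorted(u for u, n in by_user.items() if n >= threshold)
    return {"by_user": dict(by_user), "by_resource": dict(by_resource), "flagged": flagged}


def demo():
    """Constructed sequence of requests; returns trail, decisions and report."""
    trail = AuditTrail()
    requests = [
        ("alice", "write", "payroll-db"),       # allowed
        ("bob", "write", "payroll-db"),         # denied: bob is read-only here
        ("bob", "write", "payroll-db"),         # denied again
        ("bob", "read", "design-share"),        # allowed
        ("bob", "write", "design-share"),       # denied: third denial, flagged
        ("svc-backup", "read", "payroll-db"),   # denied: shared account
        ("carol", "read", "payroll-db"),        # denied: no ACL entry
    ]
    results = [authorize(trail, *r) for r in requests]
    return trail, results, violation_report(trail)


if __name__ == "__main__":
    trail, results, report = demo()
    print(results)
    print(json.dumps(report, indent=2))
    print("trail intact:", trail.verify())
```

Running the block prints the per-request decisions, a report flagging `bob` after three denials, and `trail intact: True`; editing any stored entry afterwards makes `verify()` return `False`, which is the property that lets the trail support an inquiry rather than merely a log.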

Cyber Security Officer’s Formal Duties and Responsibilities

Based on the above and in concert with the executive management of the corporation, the cyber security officer has developed and received approval for formally establishing the following charter of the cyber security officer responsibilities:

Summary of the Purpose of the Cyber Security Officer Position

Develop, implement, maintain, and administer an overall, corporate-wide cyber security program to include all plans, policies, procedures, assessments, and authorizations necessary to ensure the protection of customer, subcontractor, and corporate information from compromise, destruction, and/or unauthorized manipulation while being processed, stored, and/or transmitted by the corporation’s information systems.

Accountabilities

• Identify all government, customer, and corporate cyber security requirements necessary for the protection of all information processed, stored, and/or transmitted by the corporation’s information systems; interpret those requirements; and develop, implement, and administer corporate plans, policies, and procedures necessary to ensure compliance.
• Evaluate all hardware, firmware, and software for impact on the security of the information systems; direct and ensure their modification if requirements are not met; and authorize their purchase and use within the corporation and applicable subcontractor locations.
• Establish and administer the technical security countermeasures program to support the corporate requirements.
• Establish and administer a security test and evaluation program to ensure that all of the corporation’s and applicable subcontractors’ information systems/networks are operating in accordance with their contracts.
• Identify, evaluate, and authorize for use all information systems and other hardware within the corporation and at applicable subcontractor locations to ensure compliance with red/black engineering where proprietary and other sensitive information is processed.
• Direct the use of, and monitor, the corporation’s information systems access control software systems; analyze all systems’ security infractions/violations and report the results to management and human resources personnel for review and appropriate action.
• Identify information systems business practices and security violations/infractions; conduct inquiries; assess potential damage; direct and monitor corporate management’s corrective action; and implement/recommend corrective/preventive action.
• Establish and direct a corporate-wide telecommunications security working group.
• Develop, implement, and administer a risk assessment program; provide analyses to management; modify corporate and subcontractor requirements accordingly to ensure a lowest-cost cyber security program.
• Establish and administer a cyber security awareness program for all corporate information systems users, to include customers and subcontractor users, and ensure they are cognizant of information systems threats and of security policies and procedures necessary for the protection of information systems.
• Direct and coordinate a corporate-wide information systems emergency/disaster recovery/contingency planning program to ensure the rapid recovery of information systems in the event of an emergency or disaster.
• Direct the development, acquisition, implementation, and administration of the cyber security’s software systems.
• Represent the corporation on all cyber security matters with customers, government agencies, suppliers, and other outside entities.
• Provide advice, guidance, and assistance to management relative to cyber security matters.
• Perform common management accountabilities in accordance with the corporation’s management policies and procedures.

Summary3

The role of today’s cyber security officer has evolved over time and will continue to evolve. The cyber security officer profession offers many challenges to anyone who wants to match wits with global hackers, criminals, terrorists, and other miscreants. In a business environment such as that of a global corporation, the cyber security officer has specific responsibilities. As a cyber security officer, you should understand the following:
• The cyber security officer position is a leadership position within a company.
• The recently hired cyber security officer must know what is expected of the company’s new cyber security officer and should have a clear understanding of those expectations before taking the position.
• The three primary responsibilities of a cyber security officer are: (1) managing people, (2) managing the cyber security program, and (3) managing cyber security processes.
• The cyber security officer must set forth clear goals and objectives.
• The cyber security officer in the leadership role must be a company leader, team leader, and personal leader.
• The cyber security officer must provide cyber security service and support using team concepts.
• The cyber security officer should develop vision, mission, and quality statements as guides to developing a successful cyber security program.
• The cyber security officer should strive to administer a cyber security program in which all the major cyber security functions are under the responsibility of the cyber security officer.

1 Reader’s Digest, October 2002, p. 73.

2 You will find that the same themes of service, support, cost-effectiveness, customer expectations, etc., continuously run through this book. It is hoped that the constant reinforcement will cause the reader to continuously think of these themes when establishing and managing a cyber security program.

3 Much of the information in this chapter provides details that could be used to fill in the details of the cyber security officer’s portfolio.
