CISO: What & How

As the decision-maker responsible for corporate network and information security, the Chief Information Security Officer (CISO) has come to recognize that, in the rapidly evolving network environment today's enterprises face, the traditional security measures and personnel structures that were once very effective have become increasingly powerless, and large-scale enterprise network incidents follow one after another. How to define and establish an efficient CISO team structure for the enterprise has become a more important challenge than the security technology itself.

Many documents describe the CISO's responsibilities in detail from various angles, forming various theoretical systems. How, then, can a CISO understand and choose the theory and architecture model best suited to their own company's situation? Based on the well-known CERT Resilience Management Model [Caralli 2011], the main responsibilities of the CISO fall into the following four areas:

  • Protect, Shield, Defend & Prevent
  • Monitor, Detect & Hunt
  • Respond, Recover & Sustain
  • Govern, Manage, Comply, Educate & Manage Risk

In the previous article, we described an ideal CISO organizational structure and the relevant sub-functions of each department in that structure, based on these four CISO functions. Today we continue to use these four functions as the basis, combine them with the relevant policies, standards and operating specifications, further decompose each function into sub-functions and their specific work content, and map each of these to the corresponding department in the organizational structure.

The relevant policies, standards and operating specifications for reference are as follows:

  • CERT Resilience Management Model, version 1.1 [Caralli 2011]
  • U.S. National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations [NIST 2015]
  • U.S. Department of Energy Cybersecurity Capability Maturity Model (C2M2) [DOE 2014]
  • U.S. National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity [NIST 2014]
  • National Initiative for Cybersecurity Education (NICE) National Cybersecurity Workforce Framework Version 1.0 [NICE 2013] and the Office of Personnel Management extensions to it [OPM 2014]
  • SANS Critical Security Controls [SANS 2015]

For each reference model, we map its specific topics to one of the four main CISO functions: protect, monitor, respond and govern. Each function is expressed as a set of sub-functions, each with one or more supporting activities (i.e., the next, more detailed level of supporting functions). When constructing this mapping, we also added an "outsourcing" attribute, which marks sub-functions that need not be performed by the CISO team itself: the CISO retains only the supervisory responsibility, and the work can be outsourced to other internal departments of the enterprise or to third parties.

The ideal CISO functions and resources are as follows:

Function 1: Protect, Shield, Defend & Prevent

Function 2: Monitor, Detect & Hunt

Function 3: Respond, Recover & Sustain

Function 4: Govern, Manage, Comply, Educate & Manage Risk

About Holographic Network Control: Holographic Network Control technology integrates four advanced technologies, NG-DLP, UEBA, NG-SIEM and CASB, and combines them with machine learning (artificial intelligence) to discover and reconstruct, in real time, the otherwise invisible user-device-data interaction relationships in the network. On this basis it builds an information security risk perception platform centered on user behavior, providing enterprise information security management with an intelligent traceability system that operates without user-perceptible impact and without blind spots. It audits the past, monitors the present and prevents future incidents efficiently and accurately, greatly improving the ability and efficiency of IT security operations and security personnel in responding to incidents, capturing the evidence chain, holding people accountable and restoring IT systems.

Origin blog.51cto.com/14875961/2548288