
    The Role of the Chief Information Security Officer (CISO) in Organizations

    In an increasingly connected and digital world, information is seen as a business enabler and a source of sustained competitive advantage. Information security is therefore becoming critical to protecting these information assets, which is why organizations' information security strategies have been aligning with their strategic goals. This paper aims to study organizations' general information security environment, analyse the CISO's role in it and understand where the CISO should be positioned in the organizational structure. Interviews were conducted with experienced information security consultants, information systems directors and information security directors, which allowed us to conclude that organizations in Portugal still need to increase their maturity when it comes to information security, and that this may be due to the absence of an established security culture in the country. On the other hand, the CISO's role has been increasing in relevance, and it is considered that the CISO should have a close and independent relationship with the organization's board.

    Scoping the ethical principles of cybersecurity fear appeals

    Fear appeals are used in many domains. Cybersecurity researchers are also starting to experiment with fear appeals, and many report positive outcomes. Yet there are ethical concerns related to the use of fear to motivate action. In this paper, we explore this aspect from the perspectives of cybersecurity fear appeal deployers and recipients. We commenced our investigation by considering fear appeals from three foundational ethical perspectives. We then consulted the two stakeholder groups to gain insights into the ethical concerns they consider pertinent. We first consulted deployers: (a) fear appeal researchers and (b) Chief Information Security Officers (CISOs), and then potential cybersecurity fear appeal recipients: members of a crowdsourcing platform. We used their responses to develop an effects-reasoning matrix, identifying the potential benefits and detriments of cybersecurity fear appeals for all stakeholders. Using these insights, we derived six ethical principles to guide cybersecurity fear appeal deployment. We then evaluated a snapshot of cybersecurity studies through the lens of these ethical principles. Our contribution is, first, a list of potential detriments that could result from the deployment of cybersecurity fear appeals and, second, the set of six ethical principles to inform the deployment of such appeals. Both are intended to inform cybersecurity fear appeal design and deployment.

    How do security managers motivate employees' security behavior - Leadership perspective

    In today's digital world, there are several possible threats to organizations. Because of these possible threats, it is important to be as aware as possible and prepared for attacks to occur. Large and small organizations should have a good team of employees and a good leader to carry the organization through possible threats and attacks. Cybersecurity is not just about technology but a mix of different aspects involving people and policy. For an organization to succeed in the field of cybersecurity, the organization needs to have committed and skilled managers at the top. This study examines how security managers seek to motivate and influence employees' security behavior and which leadership styles they adopt to do so. There is a need for research that specifically addresses the approaches that security managers can adopt to motivate their employees toward security behavior. To find this out, the research approach I used was a qualitative interview study with semi-structured interviews and a systematic literature review approach. I interviewed eight security managers in various organizations from Norway and abroad. The interviews were transcribed and then coded into different categories. I also used a systematic literature review approach to look at previous studies on this topic and create a literature background for my study. The findings show a variation in the leadership styles adopted by the different security managers and the approaches used to motivate employees. I created a table with an overview of the leadership styles I found in my study, including the different approaches related to the leadership styles. There are differences in the approaches that are used to motivate in relation to the adopted leadership styles, but also similarities across the styles. This study contributes to promoting approaches that can help various organizations and security managers to motivate and influence their employees' security behavior. It can also help raise awareness of how necessary it is to motivate your employees, especially in cybersecurity.

    Assessing Information Security Competencies of Firm Leaders towards Improving Procedural Information Security Countermeasure: Awareness and Cybersecurity Protective Behavior

    Cybersecurity threats are a serious issue faced by many organizations in this new information era. Therefore, security leaders play a significant role not only in ensuring that all their employees practice good security behavior to protect organizational information assets but also in ensuring that security technology has been installed properly to protect the network infrastructure. This study aims to examine cybersecurity protective behavior (CPB) among employees in the organization and focuses on the role of leadership competencies and information security countermeasure awareness. The questionnaires were distributed via email and self-administered, and the study obtained 245 responses. Partial Least Squares-Structural Equation Modeling (PLS-SEM) analysis was used to analyze the final data. Confirmatory factor analysis (CFA) testing shows that all the measurement items of each construct were individually adequate in their validity based on their factor loading values. Moreover, each construct is valid based on its parameter estimates and statistical significance. The research findings show that Procedural Information Security Countermeasure (PCM) awareness influences CPB more strongly than a leader's information security competencies (ISI) do. Meanwhile, ISI significantly influences PCM awareness. This study adapts the theory of leadership competencies to the context of cybersecurity, which is particularly beneficial to any industry in improving organizational information security strategic plans.

    Rational Cybersecurity for Business

    Use the guidance in this comprehensive field guide to gain the support of your top executives for aligning a rational cybersecurity plan with your business. You will learn how to improve working relationships with stakeholders in complex digital business, IT, and development environments. You will know how to prioritize your security program, and motivate and retain your team. Misalignment between security and your business can start at the top in the C-suite or happen at the line-of-business, IT, development, or user level. It has a corrosive effect on any security project it touches. But it does not have to be like this. Author Dan Blum presents valuable lessons learned from interviews with over 70 security and business leaders. You will discover how to successfully solve issues related to risk management, operational security, privacy protection, hybrid cloud management, security culture and user awareness, and communication challenges. This open access book presents six priority areas to focus on to maximize the effectiveness of your cybersecurity program: risk management, control baseline, security culture, IT rationalization, access control, and cyber-resilience. Common challenges and good practices are provided for businesses of different types and sizes. And more than 50 specific keys to alignment are included.

    What You Will Learn
    Improve your security culture: clarify security-related roles, communicate effectively to businesspeople, and hire, motivate, or retain outstanding security staff by creating a sense of efficacy.
    Develop a consistent accountability model, information risk taxonomy, and risk management framework.
    Adopt a security and risk governance model consistent with your business structure or culture, manage policy, and optimize security budgeting within the larger business unit and CIO organization IT spend.
    Tailor a control baseline to your organization's maturity level, regulatory requirements, scale, circumstances, and critical assets.
    Help CIOs, Chief Digital Officers, and other executives to develop an IT strategy for curating cloud solutions and reducing shadow IT, building up DevSecOps and Disciplined Agile, and more.
    Balance access control and accountability approaches, leverage modern digital identity standards to improve digital relationships, and provide data governance and privacy-enhancing capabilities.
    Plan for cyber-resilience: work with the SOC, IT, business groups, and external sources to coordinate incident response, recover from outages, and come back stronger.
    Integrate your learnings from this book into a quick-hitting rational cybersecurity success plan.

    Who This Book Is For
    Chief Information Security Officers (CISOs) and other heads of security, security directors and managers, security architects and project leads, and other team members providing security leadership to your business.

    Managing Risk and Information Security: Protect to Enable (Second Edition)

    Computer science

    Unveiling the Potential of Open-Source Intelligence (OSINT) for Enhanced Cybersecurity Posture

    Never before has it been more important to strengthen internal cybersecurity posture to prevent malicious activity, and organizations are forced to mobilize their resources to prepare for tomorrow's threats. Over the past few years, the use of open-source intelligence (OSINT) has made its way from the military landscape into public, private, and commercial organizations. Using OSINT, organizations can tailor their countermeasures to the tactical, operational, and strategic procedures of potential cyber threat actors by drawing on the knowledge within openly available sources. Leveraging the enormous volume of information shared on online platforms through OSINT also requires organizations to navigate increasing information overload. Nevertheless, many use ad hoc and unstructured approaches, contradicting the systematic fundamentals of the intelligence profession. Therefore, this study investigated how organizations can implement and use OSINT to improve their cybersecurity posture. A semi-systematic literature review (SSLR) highlighted a scant focus on the organizational aspects of OSINT, with prior work relying primarily on technical considerations. Interviews with nine representatives of different private, public, and commercial organizations helped in understanding how each applied OSINT to extract as much value as possible from its CTI capability. During data collection and analysis, this thesis adopts the intelligence cycle, a well-known cyclic representation of the intelligence acquisition process. The thesis extends the theory by integrating several intelligence cycle theories and offers a more dynamic and comprehensive representation of the intelligence process. Through an inductive conceptual framework (ICF), the thesis highlights how OSINT can become a valuable tool for organizations confronting the cyber threat landscape by considering relevant information about threat actors. The study emphasizes the significance of establishing an understandable definition of OSINT within one's organization and identifying intelligence requirements aligned with available resources. Determining the organization's motivation, prioritizing dialogue and feedback, and continuously evaluating the intelligence requirements are essential to leveraging OSINT's advantages. This new framework is one of the main contributions of this thesis, visualizing how the research findings all contribute to a coherent utilization of OSINT as a cybersecurity-enhancing tool. By guiding organizations through the entire intelligence cycle, it should give them a greater understanding of their own capabilities and of potential cyber attackers.

    Stuck in Pilot Purgatory: Understanding and Addressing the Current Challenges of Industrial IoT in Manufacturing

    The Industrial Internet of Things (IIoT) is one of the most hyped concepts embedded in the Industry 4.0 paradigm. IIoT can provide a multitude of benefits to firms, such as enhanced productivity and better insight into company operations. Despite these benefits, manufacturing companies are struggling considerably to realize the potential of IIoT. Several consulting companies, such as McKinsey and Deloitte, coined the term "pilot purgatory" to describe the state in which most IIoT projects get stuck. Based on a series of interviews with 12 experts in the field, this study identifies and addresses IIoT-specific challenges in manufacturing. Our study provides two main contributions. First, our analysis provides a broad, practice-based overview of IIoT challenges by considering the technological, organizational, and environmental contexts of manufacturing firms, following the TOE framework as a theoretical lens to structure the results. Second, we derive specific management guidelines for each of the identified challenges.