Recommended from our members
The Chief Information Security Officer: An Exploratory Study
The proliferation and embeddedness of Information Technology (IT) resources in many organizations' business processes continues unabated. The security of these IT resources is essential to operational and strategic business continuity. However, as the large number of recent security breaches at various organizations illustrates, more needs to be done to secure IT resources. Firms, through their organizational structures, usually delegate the management and control of IT security activities and policies to the Chief Information Security Officer (CISO). Nevertheless, a number of firms have no CISO, and among those that do, there is little consensus regarding whom the CISO should report to. This exploratory study investigates organizational security reporting structures using a dataset of all firms that hired a CISO between 2010 and 2014. The results suggest that the number of firms hiring CISOs is increasing and that the hired CISOs predominantly come from outside the firm. Also, CISOs hired to fill newly created positions tend to report to the CEO, whereas replacement hires for existing positions tend to report to the CIO. These findings have implications for both academics and practitioners.
Web development evolution: the business perspective on security
Protection of data, information, and knowledge is a hot topic in today's business environment. Societal, legislative and consumer pressures are forcing companies to examine business strategies, modify processes and acknowledge security in order to accept and defend accountability. Research indicates that a significant portion of financial losses is due to straightforward software design errors. Security should be addressed throughout the application development process via an independent methodology containing customizable components. The methodology is designed to integrate with an organization's existing software development processes while providing structure for implementing secure applications, helping companies mitigate hard and soft costs.
Tech-Savvy on Board: Investigating the Impact of Board of Directors' IT Professional Experiences on Firms' IT Investment and Performance
Our study investigates whether having directors with IT professional experience on the board affects a firm's IT investment growth and financial performance. We gather data from the BoardEx, Compustat, and Harte-Hanks databases for S&P 1500 firms between 2011 and 2017. We include a rich set of controls and fixed effects in the analysis. We also employ a novel strategy to adjust for the remaining selection on unobservables. Our analysis shows that firms with tech-savvy directors have higher investment growth in different categories of IT, including software, hardware, communication, and services. We also find that these firms experience better performance as measured by Tobin's Q. The findings highlight the importance of the board of directors in driving IT investment growth and firm performance.
Too Busy to Monitor? Board Busyness and the Occurrence of Reported Information Security Incidents
This paper investigates the association between board busyness (i.e., directors holding multiple positions) and the occurrence of reported information security incidents. Building on prior studies of board busyness, this paper argues that directors holding multiple board seats may fail to commit the time and effort necessary to ensure that an appropriate information security strategy or investment plan is in place. Our results demonstrate that board busyness is positively associated with reported information security incidents. This effect is larger when independent directors are busy, suggesting the importance of the governance role played by independent directors in managing information security risks. The board of directors' role has been emphasized in anecdotal evidence and IT governance frameworks, but our study empirically demonstrates the board's relevance to information security strategy and management.
Cyber resiliency for digital enterprises: A strategic leadership perspective
As organizations increasingly view information as one of their most valuable assets, supporting the creation and distribution of their products and services, information security will be an integral part of the design and operation of organizational business processes. Yet the risks associated with cyber attacks are on the rise. Organizations subjected to attacks can suffer significant reputational damage as well as loss of information and knowledge. As a consequence, effective leadership is cited as a critical factor in ensuring corporate-level attention to information security. However, there is a lack of empirical understanding of the roles strategic leaders play in shaping and supporting the cyber security strategy. This study seeks to address this gap in the literature by focusing on how senior leaders support the cyber security strategy. The authors conducted a series of exploratory interviews with leaders in the positions of Chief Information Officer, Chief Security Information Officer, and Chief Technology Officer. The findings revealed that leaders are engaged in both transitional support, where the focus is on improving governance and integration, and transformational support, which involves fostering a new cultural mindset for cyber resiliency and the development of an ecosystem approach to security thinking.
Managerial relevance statement
Our findings provide interesting insights for managers, particularly those in the roles of Chief Information Officer (CIO), Chief Security Information Officer (CSIO), and Chief Technology Officer (CTO). We propose a Cyber Security Strategy Framework (CSSF) which these information/technology managers can use to design an effective organizational strategy for developing cyber resilience in their organization. Our framework suggests that managers should focus on transitional and transformational support. Transitional support focuses on improving governance and integration, whereas transformational support focuses on fostering a new cultural mindset for cyber resiliency and developing an ecosystem approach to security thinking. Our findings provide good evidence of how leaders can support more effective cyber security initiatives.
ERP implementation methodologies and frameworks: a literature review
Enterprise Resource Planning (ERP) implementation is a complex and dynamic process, one that involves a combination of technological and organizational interactions. Often an ERP implementation project is the single largest IT project an organization has ever launched, and it requires a mutual fit of system and organization. Also, the concept of an ERP implementation supporting business processes across many different departments is not a generic, rigid and uniform concept; it depends on a variety of factors. As a result, the issues surrounding the ERP implementation process have been one of the major concerns in industry. ERP implementation therefore receives attention from practitioners and scholars, and both business and academic literature are abundant, though not always conclusive or coherent. However, research on ERP systems so far has mainly focused on diffusion, use and impact issues. Less attention has been given to the methods used during the configuration and implementation of ERP systems; even though they are commonly used in practice, they remain largely unexplored and undocumented in Information Systems research. The academic relevance of this research is thus its contribution to the existing body of scientific knowledge. An annotated brief literature review is conducted in order to evaluate the current state of the academic literature. The purpose is to present a systematic overview of relevant ERP implementation methodologies and frameworks, with the aim of achieving a better taxonomy of ERP implementation methodologies. This paper is useful to researchers interested in ERP implementation methodologies and frameworks. The results will serve as input for a classification of existing ERP implementation methodologies and frameworks. This paper also aims at the professional ERP community involved in ERP implementation, by promoting a better understanding of ERP implementation methodologies and frameworks, their variety and their history.
"Success Is Invisible, But Failure Is Public": Examining The U.S. Office Of Personnel Management Data Records Breach
In 2015, the U.S. Office of Personnel Management (OPM) suffered one of the largest government-related data breaches in U.S. history. A total of 4.2 million personnel records, 21.5 million background check records, and 5.6 million sets of fingerprints were exfiltrated in a sophisticated, multi-stage cyber espionage operation linked to state-sponsored actors. Such a large data breach invited bipartisan criticism of the agency's handling of the incidents and thrust the federal government's cybersecurity preparedness into the limelight.
This paper seeks to answer a set of five interrelated questions: 1) What happened in the 2015 U.S. Office of Personnel Management data breach, and what were the impacts? 2) Did a lack of technical capability hinder OPM's efforts to detect and block unauthorized access to its network? 3) Were organizational and management weaknesses more to blame? 4) Did the cybersecurity posture at OPM before the incidents change after the events of 2014 and 2015? 5) What can the Office of Personnel Management do to prevent or mitigate the damage from similar cyber activities in the future?
To answer these questions, this paper first introduces the concept of the "cybersecurity toolkit" to better understand contemporary cyber issues. Second, the OPM case study is discussed, including a timeline of events and key actors. Third, this paper examines the technical, management, and compliance-related factors that contributed to the breaches, including a compilation and analysis of OPM Inspector General cybersecurity audit data from 2007 to 2017. Finally, this paper discusses the short- and long-term impacts of the OPM breach and offers recommendations to improve cybersecurity at OPM and within the federal government.
Plan II Honors Program
Rational Cybersecurity for Business
Use the guidance in this comprehensive field guide to gain the support of your top executives for aligning a rational cybersecurity plan with your business. You will learn how to improve working relationships with stakeholders in complex digital business, IT, and development environments. You will know how to prioritize your security program, and how to motivate and retain your team. Misalignment between security and your business can start at the top in the C-suite, or happen at the line-of-business, IT, development, or user level. It has a corrosive effect on any security project it touches. But it does not have to be like this. Author Dan Blum presents valuable lessons learned from interviews with over 70 security and business leaders. You will discover how to successfully solve issues related to risk management, operational security, privacy protection, hybrid cloud management, security culture and user awareness, and communication challenges. This open access book presents six priority areas to focus on to maximize the effectiveness of your cybersecurity program: risk management, control baseline, security culture, IT rationalization, access control, and cyber-resilience. Common challenges and good practices are provided for businesses of different types and sizes, and more than 50 specific keys to alignment are included.
What You Will Learn
- Improve your security culture: clarify security-related roles, communicate effectively with businesspeople, and hire, motivate, or retain outstanding security staff by creating a sense of efficacy
- Develop a consistent accountability model, information risk taxonomy, and risk management framework
- Adopt a security and risk governance model consistent with your business structure or culture, manage policy, and optimize security budgeting within the larger business unit and CIO organization IT spend
- Tailor a control baseline to your organization's maturity level, regulatory requirements, scale, circumstances, and critical assets
- Help CIOs, Chief Digital Officers, and other executives develop an IT strategy for curating cloud solutions and reducing shadow IT, building up DevSecOps and Disciplined Agile, and more
- Balance access control and accountability approaches, leverage modern digital identity standards to improve digital relationships, and provide data governance and privacy-enhancing capabilities
- Plan for cyber-resilience: work with the SOC, IT, business groups, and external sources to coordinate incident response, recover from outages, and come back stronger
- Integrate your learnings from this book into a quick-hitting rational cybersecurity success plan
Who This Book Is For
Chief Information Security Officers (CISOs) and other heads of security, security directors and managers, security architects and project leads, and other team members providing security leadership to your business.