How to Cheat at Managing Information Security

The purpose of this chapter is to:
Review typical positions of the information security function and the benefits of each
Define the role of the security function
Discuss the qualities of a good CISO
To be a chief information security officer (CISO), you must demonstrate certain key qualities to an employer. At the interview for my last position, I sat down, miscalculating the touch-down so the arm of the chair slid neatly into my pants pocket with a ripping sound. My Top-Shelf consultancy suite was now complete with air-conditioning.
I immediately announced, I ve ripped my trousers so my interviewers would know the exact source of the sound that had so obviously come from my seat. Then I said, Now you can see that I m not talking out of the seat of my pants.
Now that s the voice of experience!
No two organizations are the same; they are always different culturally and in terms of size, industrial sector, and staff. Consequently, there is no right (but probably plenty of wrong) answer to the question, Where should we position the head of security and the security team(s) in an organization? Separation of the position of the operational security teams away from the head of security is often a purposeful and commercial decision.
This chapter reviews how organizations, both big and small, set up their security functions. It is based on my observations gained during 10 years experience in security consulting at both a strategic and a technical detailed level to...