As you’re probably already aware, the ‘C’ in the C-suite stands for Chief.
It’s important to understand the scope of all the Chief roles and responsibilities in your own organization because if you don’t actually know who is accountable, responsible and liable for protecting your organization from cyber attacks, breaches of legislation and breaches of contract, how can you be certain it’s not you?
...and if it is you, you’re better off finding out before you see your name in lights on News at 10...
Not all internal governance structures are the same. Not all roles and responsibilities are the same across the supply chain. So, let’s look at the leadership roles in organisations where cyber security responsibilities are either very clear or hiding in plain sight.
Chief Executive Officer (CEO)
The CEO is seated at the highest level of an organisation.
They are accountable for success, setting strategy, directing the organisation towards achieving its vision and enabling informed decision-making.
Successful CEOs demonstrate effective leadership, governance and communication skills.
Although cyber security responsibilities may well be delegated, the buck stops here for accountability.
Chief Operating Officer (COO)
The COO is usually second-in-command to the CEO, overseeing the organisation’s day-to-day operations such as HR, training, recruitment and corporate culture.
Relevant cyber security responsibilities include addressing the ongoing starters and leavers process. This includes ensuring appropriate pre-employment checks are carried out, vetting is completed and employment contracts are appropriate for the legal and regulatory requirements of the supply chain.
It also includes ensuring relevant (standard and role-specific) information, data protection and cyber security training is in place for starters and all staff members.
A process should also be in place to ensure all leavers and their line managers follow the correct procedures during their exit, to avoid data theft and loss of devices. HR is also a key part of internal cyber security investigations into staff members, including legal and court proceedings.
Chief Financial Officer (CFO)
The CFO works closely with the CEO. They are responsible for the finances of the organization as well as management of risk, mandatory internal and external reporting and compliance with legislation, regulation and standards.
The CFO is often the senior risk owner within the organization. Because they are familiar with external and internal reporting requirements, they can often be the struggling cyber security leader’s best and most empathetic ally – depending on individual personality traits, of course.
Additionally, from the perspective of influencing the board to provide a cyber security budget, the CFO will be keen to ensure the integrity of their financial assets remains intact.
Chief Marketing Officer (CMO)
The CMO is responsible for brand management, marketing and advertising as well as overseeing the organisation’s marketing strategy.
GDPR and the protection of personal data should be a key area of concern for the CMO.
Also, they will - or should - be interested in developing an effective PR policy in the event of a high-profile data breach or significant security incident.
The following roles are often combined. Technological and information security requirements and solutions have evolved rapidly in recent years. Chiefs’ terms will vary according to which sector they operate in, the size and culture of the organisation and its appetite for risk.
Chief Information Officer
The CIO is responsible for ensuring technological strategic alignment with business objectives and demystifying cyber security terminology for the Board.
Chief Technology Officer
The CTO is responsible for ensuring the organisation meets its technological requirements for both short-term goals and longer-term strategic objectives.
Chief Information Security Officer
The CISO is responsible for the protection of the organisation’s information and technology assets.
The CISO role is still frequently referred to as a new Chief role, but the requirement to protect information and technology assets is not new.
The potential overlap between the CIO, CTO and CISO is a real issue. The concept of being accountable and responsible for protecting information is not new. Someone has always been accountable and responsible for information security within your organization, so you do need to check areas of potential overlap. Roles and responsibilities should be clearly defined within each job specification, with appropriate training and development plans established for each role.
Other Chiefs are Available!
Depending on the nature of your organization you may also have the following:
Chief Compliance Officer
Chief Security Officer
Chief Digital Officer
Chief Risk Officer
Chief Data Officer
Chief Medical Officer
Chief Analytics Officer
Chief Experience Officer
It's not an optional extra
We’ll be covering Security Governance in more detail in our NCSC CT online Cyber Security Leadership and Governance training course, but just in case you’re on the UK government’s G-Cloud framework and thought cyber security governance was an optional extra, take a look at this clause in the framework.
A clearly identified, and named board representative (or a person with the direct delegated authority) who is responsible for the security of the cloud service.
This is typically someone with the title:
'Chief Security Officer' [CSO]
'Chief Information Officer' [CIO] or
'Chief Technical Officer' [CTO]
It’s always worth reviewing all your contractual security requirements to check you’re not blindly operating in breach of legislation, regulation or contractual requirements.
Someone in your organisation is accountable for cyber security – and if you don’t know who it is, it might be you!
There are numerous variations of Chiefs found in the C-suite, including the more traditional roles of CFO, CTO and CISO as well as company-specific roles such as Chief Medical Officer.
Cyber security affects everyone in the organisation so it’s vital that the Board clarifies and communicates the roles and responsibilities of everyone in the organisation including the Board, staff members, suppliers and partners.
Security governance isn’t an optional extra – if it’s your head on the block it’s better to find out before there’s a high-profile career-destroying incident, rather than after!