What is the role of the CISO in terms of data security?

Data security and protection have become major challenges for businesses of all sizes and in all sectors. Viruses, ransom demands, phishing... Today, organizations are under attack from all sides, and the rise of remote working has not helped anything. According to a Proofpoint study published in December 2020, 91% of French organizations have suffered at least one major cyberattack in the last twelve months.

Faced with the multiplication of computer attacks, too many businesses are not sufficiently prepared. In fact, only 14% of CISOs (information security managers) interviewed think that their company is ready to deal with a cyberattack. It is imperative for all organizations to strengthen their cybersecurity strategy in order to be able to face increasingly virulent cyber threats and better protect their data. This is the role of the information systems security manager.

The RSSI: guarantor of data security

Today, the digital transformation of businesses is a reality in which the CISO plays a strategic role. While its missions may vary from one company to another, its role is to protect the company and its data by implementing an information system security approach and managing risk management. It must therefore guarantee the confidentiality, integrity, availability and traceability of company data.

This involves the implementation of various actions in collaboration with all employees.

Here are its various missions.

Define information security policy

The information systems security manager leads the development, implementation and monitoring of the security policy. The aim is to protect all company data and information in the face of multiple IT risks.

To accomplish this mission, he must:

• carry out audits and regularly check the security system;
• analyze risks, malfunctions and opportunities for improving security systems;
• develop the information systems security policy;
• define a computer risk prevention plan, and participate in the drafting of a business continuity plan (PCA) and/or a business resumption plan (PRA) as well as operational maintenance (MCO, which mainly covers the data backup strategy);
• develop security measures and standards based on the company's activity and its exposure to IT risks (teleworking, BYOD (bring your own device), data transfers and storage, etc.);
• choose and implement the most appropriate tools and devices to manage company security (antivirus, antispam, firewalls, backup system, data encryption, authentication, etc.).

Implement and monitor the application of the security policy

Once the information system security policy is defined, the CISO must ensure that it is properly implemented and applied in all departments of the company.

To do this, he must:

• ensure that employees comply with established safety norms and standards;
• check that the General Data Protection Regulation (GDPR) is respected within the company;
• manage all security incidents and propose solutions to quickly restore the functioning of services;
• determine the actions to be taken to repair the damage caused by a security incident and implement the business recovery plan (PRA);
• establish and analyze the causes of incidents and strengthen the measures already in place;
• ensure the proper functioning of the security measures in place by regularly testing them to detect weaknesses;
• verify that subcontractors and suppliers comply with the security standards imposed by the company by carrying out audits;
• assess the effectiveness of all security measures implemented and inform management.

Raise employee awareness of cyber risks

The protection of company data necessarily involves raising staff awareness of cyber risks. This mission is an important part of the role of the CISO.

Indeed, the CISO must know how to communicate with all employees in order to explain to them what cyber threats are and their impact on the company. It must popularize technical terms and support employees in the implementation of good practices.

To do this, he designs and updates security standards for company personnel, such as the information system security policy (PSSI), the information systems use charter, the various procedures to follow in the event of a cyberattack as well as a guide to best practices. It can also organize or even conduct internal training courses to inform employees, prepare them and make them more vigilant to the various threats (phishing, ransom, viruses, etc.) to which they are exposed and thus make it possible to reduce or even eliminate risky behavior.

Stay up to date

The world of cybersecurity, whether in terms of means of protection or cyberattacks, is constantly progressing, and at high speed. It is therefore imperative for the information systems security manager to stay constantly informed about the multiple developments in network security and protection.

He must therefore receive regular training throughout his career, and ensure technological, regulatory and legal monitoring. The objective is to know the new risks, the latest solutions in the field of information system security and the evolutions of French and European law and laws concerning data protection.

Conclusion

The information systems security manager plays a key role in the protection of company data because he is the one who defines, coordinates, monitors and improves the information systems security policy.

According to Jean-François Louapre, Vice President of the Club of Information Security Experts (CESIN), the role of the CISO has evolved. It is no longer a purely technical role, but it now has “a role of influencer, support and facilitation within companies.” He must know how to convince and explain to business managers how to succeed in finding the right balance between innovation and risk management in order to guarantee data security.