My list of topics for this blog includes the sentence: “Business
security officers do exist”. Behind this sentence is the observation that many
colleagues do not know this. So it is high time to explain what types of
information security officers we have and what their role is.
Let me start with myself and my peers in the IT
department. Not because we are so terribly important, but because that's the
best way to explain it. You can put many labels on me: my official position goes
by the meaningless name of staff advisor, I usually call myself an information
security advisor and the title information security officer also suits me. But
what do we actually do? We are accountable for the information security of
everything that the IT department delivers: applications and technical
infrastructure, such as networks, servers and workstations. So we are
accountable, but the responsibility for each individual product lies with the
line organization – team, department, unit, in other words: team manager,
department head, director. As information security officers, we help the organization
fulfil that responsibility: we give advice, we help with risk analyses and with
determining whether they comply with legislation and regulations, and we respond
to reports of the type: “Maybe you should look into this”.
Based on our accountability, we also have an opinion
about anything and everything. If we notice that something is not as it should
be, we dive into it. Our opinion does not come without obligations: we act
correctively, but we also act in a regulatory role. We write and implement
security standards for the IT department that give substance to the applicable
policy. We try to deliver actionable standards; to that end we coordinate with
the people who will eventually have to act upon them.
Let’s now talk about the business security officers, the
BSOs, because they are the real topic of this post. They are part of the
various organizational units and see to it that the security policy is also
implemented and complied with there. The BSOs deal with integral security, so
in addition to information security, they also deal with physical security. An
employee from such an organizational unit, who needs to bring an issue to the
attention of 'security', can knock on the door of his own BSO. However, many
people don't even know that these BSOs exist. They search the intranet or in
the internal telephone directory for someone to contact and they often end up on
our doorstep. Sometimes they come directly to me personally, because as a
blogger I am a bit more visible. That's okay – I'd rather have a report that
doesn't land in the right place immediately than no report at all. But it would of
course be a good thing if the BSOs also got some more name recognition.
[In the internal version of this blog a link to a list of BSOs is included.]
And finally, there are the CSO and the CISO: the chief security officer and the
chief information security officer, respectively. The first is about integral
security, the second specifically about information security. They create the
security policy for the entire organization (based on 'higher' policies) and
support the organization in implementing and complying with policies, frameworks
and guidelines. This is only the short version of the job descriptions, by the way.
The message of this story: if you have something security-related to report,
first look for a contact close to home and turn to your own BSO. If you still
can't figure it out, my colleagues and I are of course happy to point you in the
right direction. And it goes without saying – if a BSO needs advice from the IT
department, they are most welcome.
And in the big bad world…
- shadow IT is becoming an increasing problem for organizations.
- this phishing page “from” the Greek tax authorities steals your password as soon as you type it.
- ransomware gangs in the US mainly target hospitals.
- the European Commission demands better protected smartphones and doorbells.
- you can – legally speaking – continue to use your old, vulnerable router (but it is not smart).
- Asian people smugglers force their 'customers' to commit cyber scams.
- US Customs misleads travelers by pretending unlocking your phone for investigation is obligatory.