Coming from a technical team, organizational security might be seen as a domain that only focuses on paper-based policies (sometimes, just copy-paste templated policies), budgets and risk assessment results. There’s also a gap between highly technical security members who have been doing hands-on security and those management guys who may have their MBAs but whose background is not even in IT. However, it is important to emphasize that technical security needs organizational security to exist and vice versa.

In big organizations, a separate C-level position is appointed for cybersecurity. The Chief Information Security Officer (CISO) is responsible for the over-all cybersecurity operations in the organization. He/she usually reports to the Chief Information Officer (CIO) or Chief Technology Officer (CTO).

What does it mean to have a CISO? 

The CISO will have a seat and say on the management level – may it be ManCom (Management Committee) or ExeCom (Executive Committee). He/She will be able to provide insights and expert opinions regarding the organization’s cybersecurity posture vis-à-vis the organization’s business strategy. It is very important to have a person who can voice out and be heard about what the technical members think is the best security for the organization. Without a CISO, it may be difficult for management to understand expensive spending on cybersecurity tools. You might be defending a multi-million peso Unified Threat Management (UTM) firewall and the management will only see it as an additional cost. Since management does not understand the value of the UTM firewall, they decided instead to provide a budget for a home firewall. It’s also a firewall, but way cheaper!

Also, the CISO is ultimately accountable if any security incident happens in the organization.

The Governance Team

Aside from the  Technical Team, the Governance Team reports to the CISO too but they focus on organizational security. They primarily draft policies that the organization must follow. Some of these policies include but not limited to:

• Password Policy
• Time of Day Restrictions
• Classification of Information
• Acceptation Use Policy (AUP)
• Internet Use Policy (IUP)
• E-mail Usage Policy (EUP)
• Disposal and Destruction
• Privacy Policy

They also align with the Technical Team on how they can properly articulate the security requirements in the policy. On the other end, they are also responsible for making sure that these policies are understood by the stakeholders very well.

For more details about policies and policy templates, I highly recommend you visit SANS.org. They have a ton of templates and guides on how to create, modify and implement security policies. Here is the link: https://www.sans.org/security-resources/policies/

Further Reading:

Structuring the Chief Information Security Officer Organization by Allen, J. et al (2015) Retrieved from:
https://resources.sei.cmu.edu/asset_files/TechnicalNote/2015_004_001_446198.pdf