This submission examines the emerging need of the Chief Information Security Officer (CISO) to include the associated roles and responsibilities. One of the key artificacts associated with the CISO shall be detailed such as the security plan.

1. Emerging Need of a Chief Information Security Officer (CISO) Dr. Maurice Dawson, Dr. Darrell Burrell, Dr. EmadRahim, & Mr. Stephen Brewster

2. Purpose The purpose of this submission is to present an argument and discussion on the subject concerning the roles and responsibilities of the Chief Information Security Officer (CISO). Five steps to an effective strategic plan is also included. The paper shall discuss the author’s view as written and the view from the Defense and Aerospace Industry to include further discussion as to how to properly implement information security. A key component to every good security team is the Chief Security Officer. This administrative role is primarily responsible for all information security within the organization. The security directives, policy, and responsibilities are strictly managed under the CISO position. The CISO’s three most primary objectives are: Ensure business continuity and disaster recovery (Barr, 2007) Enforcing security policy (Barr, 2007) Aligning security strategy with business goals (Barr, 2007)

3. Engagement The CISO must engage the C-Suite Colleagues, such as the Chief Executive Officer (CEO), in order to gain support of security objectives within the company. The CISO must procure security funds for training and technologies though communications with the CEO. The CEO ensures that proper funding is allocated for training, personnel, and technology. The CISO must motivate and lead teams and bring about a security aware culture within the organization. CISOs are constantly testing and evaluating the effectiveness of company security policies, procedures, and practices. This allows for the CISO to divert procured funds to resolve high priority risk. In order for the CISO to reduce security administration costs, the CEO must provide solutions to business barriers which prevent the merge of security functions. Likewise, in order for the CEO to maintain a level security funding the CISO must present performance metrics.

4. Skill sets The CISO maintains a set of skills in which lie the foundation of his/her performance. These skill sets include budgeting, team building, crisis management, and vendor management. Often times CISOs are required to obtain their Masters in Business Administration in order to better integrate organizational business goals with security objectives (Barr, 2007). The budget is critical to any security plan. The CISO must use budgeting skills to reflect a positive return on security investments. “Approximately 42 percent of organizations polled in the 2007 Computer Security Institute Computer Crime and Security Survey said they used Return On Investment (ROI) to measure their information security investments” (Fitzgerald, 2008). There has been a 39 percent increase from the previous year. However, this increase is 55 percent less than reported in 2004. The Internal Rate of Return (IRR) measures were reportedly used by 21 percent of the respondents, and Net Present Value was reported by 19 percent of the respondents (Fitzgerald, 2008).

5. Skill sets The CISO must develop security policy analysis of Commercial Off The Shelf (COTS) technology, and personnel that provide the CEO with multiple financial options. The CISO is responsible for developing a security team. The CISO has to see beyond the documented skill sets of potential team candidates and assess the interoperability of the potential employee (Barr, 2009). The CISO must manage and periodically review risk to company assets from probable threats and vulnerabilities. However, risks are never alleviated, only reduced. Thus, in a time of crisis a CISO must remain calm, decisive, and authoritative as not to tarry. Vendor management allows for the CISO to produce project management metrics such as earned value management information (Barr, 2009). Also, the CISO must negotiate all customer Service Level Agreements (SLA) between their current organization and outsourced companies. The role of the CISO is both rewarding and complex. The CISO must perform as an administrator, yet also put forth efforts managing the implementation and development of security controls. This role is critical in order to align the business objectives of an organization with that of the security objectives. Financial, personnel, vendor, security, and company direction are all influenced by the CISO. Organizational culture is implemented from top down, from C-Suite Colleagues to the workstation employee. Therefore the culture of any organization can only obtain security practice standards through the effective leadership of the CISO.

6. Developing Talent National Defense University [applied] Information Resource Management College (IRMC) National Security Agency (NSA) & Department of Homeland Security (DHS) Centers of Academic Excellence [research]

7. Sample Curriculum

8. Integrated Steps to Developing a Security Plan Presented by Sarah Scarlet is a paper detailing the five steps to an effective strategic plan as it relates to Information Assurance (IA) or Information Systems (IS) security

9. Step 1 The first item is to begin with the business’s big picture plan (Scarlet, 2005). What this means is to start out what is overall goal for the business. What is the intended function of the organization so one can develop a plan that is aligned with this particular function. With this stated think of business plan that be aligned and changed as original plans morph themselves. In the creation of this business plan the functional leaders from business need to be involved from the beginning to ensure that support is obtained. This allows insight to budgets which directly affect what the IA department may be able to due to in planning for future requirements. Knowing what the budget is shall help prioritize mission capabilities over a three year cycle. However once the budget is known for the three year cycle is best to look at this budget quarterly to track progress and see if the budget has changed.

10. Step 2 The second step is to perform risk assessment as it relates to potential threats to the system. Below is a diagram specifying the displaying potential threats, threat agents, and areas of potential harm as they relate to systems. These items will be protected through the technical security requirements.

11. Step 3 The third step is to set measurable goals (Scarlet, 2005). Goals are useless if one cannot properly measure their effectiveness. There needs to be a strategic plan which is the long term objective and a tactical plan which covers the short term objectives. A short term plan could detail software patches. A key items is to find metrics than can measure how well you can meet those objectives over time (Scarlet, 2005).

12. Step 4 The fourth step is to recognize there is no correct time frame (Scarlet, 2005) Scarlet discusses this in relation to non military government organizations however many military organizations are usually bound by budgets set forth by Congress which have strict timelines for program funding. In the government there is a cycle for major funding which all goals and objectives must be stated and categorized according to mission need. From this point is when the allocation is found and from here various milestones are created from previous stated mission needs, goals, and or objectives.

13. Step 5 The last step is to stay flexible as it is more important to know what is truly flexible than how far your plan stretches out (Scarlet, 2005). With this stated this is very true and applicable in the military setting as one may have to prioritize goals. When prioritization of goals occur in military programs some items may be pushed out further and other brought in. This is generally up to the Program Manager (PM) to make this item occur as they are generally the ones responsible for managing the program.

14. Summary As the C-Suite continues to grow it is essential that emerging roles such as Information Assurance (IA), Software Assurance, Network Security, Physical Security, and Telecommunications Security has an executive voice.

15. References Barr, J. (2009). Essential CSO Skills. Faulkner information services. Retrieved January 26, 2010, fromhttp://wf2dnvr6.webfeat.org/ Barr, J. (2007). Profile: Today’s CSO. Faulkner information services. Retrieved January 25, 2010, fromhttp://wf2dnvr6.webfeat.org/ Benson, R. J., Bugnitz, T., and Walton, B. (2004). From Business Strategy to IT Action: Right Decisions for a Better Bottom Line. Wiley. Fitzgerald, M. (2008, June 23). Security and business: financial basics [Web log message]. Retrieved fromhttp://www.csoonline.com/article/394963/security-and-business-financial-basics?page=1

16. Please contact Dr. Maurice Dawson Jr. at dr.mauricedawson@yahoo.com Any Questions