Governance

GOV057

The CISO leads and oversees information security

The CISO’s role is based on good practice in the security industry and in governance. The role ensures that information security is managed at the senior executive level. Without a CISO, your organisation is unlikely to be able to effectively manage information security.

The CISO’s high-level responsibilities

Your CISO, if you have one, has the following high-level responsibilities.

Ensuring the flow of communication supports security objectives

Your CISO facilitates communication between security, ICT, and business personnel to ensure your organisation's security objectives are aligned.

This communication responsibility includes:

  • translating information security concepts and language into business concepts and language
  • ensuring that business teams consult with information security teams to determine appropriate security measures when planning new business projects.

Providing strategic guidance

Your CISO provides strategic guidance on information security. They’re responsible for:

  • developing your organisation's information security programme at the strategic level
  • overall management of information security within your organisation.

Ensuring your organisation complies with requirements

Your CISO ensures that your organisation complies with:

  • national policy, standards, regulations, and legislation for information security
  • internal policies and standards for information security.

Making sure training is implemented

Your CISO makes sure that an information security awareness and training programme is developed and maintained.

Leading information security personnel

Your CISO oversees the management of information security personnel within your organisation.

Advising and coordinating

Your CISO is best placed to:

  • advise ICT project leaders on the strategic direction of information security within your organisation
  • provide a recommendation to the accreditation authority on whether to accept residual risks associated with the operation of your organisation’s systems
  • coordinate the use of external information security resources to ensure that a consistent approach is applied across your organisation.

Your organisation’s responsibilities with the CISO role

Control your information security budget to ensure that your CISO has enough funding to support information security projects and initiatives.

Do not expect your CISO to necessarily be a technical expert on information security matters. Rather, expect they will use their knowledge of national and international standards and good practice to communicate with technical experts in your organisation.

Appointing a CISO

Your organisation should appoint a CISO or assign the role to someone who already works for your organisation.

The person you appoint to the CISO role should:

  • be a member of your senior executive team or an equivalent management position (you don’t need to create a new dedicated position)
  • be qualified and experienced enough to bring accountability and credibility to information security management
  • report directly to the agency head on matters of information security within the organisation.

Before your CISO begins their role, your organisation must:

  • clear them for access to all classified information processed in your organisation’s systems
  • be able to brief them on any compartmented information in your organisation’s systems.

Managing conflicts of interest

If your CISO holds another role, such as also being your chief information officer (CIO) or a manager of a business unit, conflicts of interest might arise when operational imperatives conflict with security requirements. Good practice separates these roles.

When your CISO holds multiple roles, you should:

  • clearly identify potential conflicts of interest
  • implement a mechanism to allow independent decision making in areas where conflict may occur.

If your organisation outsources the CISO function, you should identify and carefully manage conflicts of interest, as well as the availability and response times of the outsourced CISO, so that your organisation is not disadvantaged. Be alert to possible conflicts of interest when the CISO deals with other vendors.

Your responsibilities as a CISO

If you’re a CISO, you should take responsibility for the following tasks.

Develop and maintain your organisation’s information security programme

  • Develop and maintain a comprehensive and strategic information security and security risk management programme aimed at protecting your organisation’s official and classified information.
  • Lead the development of a communications plan for information security.
  • Create and facilitate your organisation’s information security risk management process.

Ensure compliance with policies and standards

  • Ensure your organisation complies with its information security policies and standards.
  • Ensure your organisation complies with the New Zealand Information Security Manual (NZISM) by facilitating a continuous programme of certification and accreditation based on security risk management.
  • Ensure information security metrics and key performance indicators are implemented.

Coordinate and align security with business objectives

  • Facilitate information security and business alignment, and communication about these matters through a steering committee or advisory board which meets formally and regularly, and comprises key business and ICT executives.
  • Coordinate business and information security teams working on information security and security risk management projects.
  • Work with business teams to facilitate security risk analysis and management processes.
  • Ensure methods for identifying acceptable levels of risk are consistent across your organisation.

Work with ICT project leaders and managers

  • Provide strategic guidance on your agency’s ICT projects and operations.
  • Liaise with architecture teams to ensure security and organisation architectures are aligned.

Work with vendors

  • Coordinate your organisation’s use of external information security resources, including contracting and managing the resources.

Control budgeting

  • Control the information security budget.

Coordinate disaster recovery

  • Coordinate the development of disaster recovery policies and standards so that your organisation’s critical functions are supported, and information security is maintained in the event of a disaster.

Oversee training

  • Oversee the development and operation of your organisation’s information security awareness and training programmes.

Provide security advice

  • Provide authoritative security advice and be familiar with national and international standards and good practice.

Page last modified: 4/05/2022