Every CISO wonders about the following questions:
- What key functions does my office cover?
- How should I structurally organize these functions?
- Who should I seek advice, input and guidance from within the organization?
- How can I identify gaps in my program and fill them?
On Feb 22, 2016, Nader Mehravari and Julie Allen, both from the Software Engineering Institute at Carnegie Mellon University, released a blog post and white paper to help provide answers to these questions.
Key Functions
[Figure: 4 Key Functions of CISO (Mehravari and Allen, 2016)]
Organizational Chart
[Figure: Four Organizational Units of the CISO Office (Mehravari and Allen, 2016)]
Advisory Group for the CISO
- chief operating officer
- chief information officer
- chief financial officer
- legal/privacy
- human resources
- communications / marketing
- business unit VPs
- engineering VP
- information technology VP
Identifying and Closing Gaps
- Map your current CISO structure to our recommended structure, departments, sub-functions, and activities
- Determine which organizational units can continue as is, which need to change (i.e., expand or contract), and whether new units need to be created
- Develop an implementation roadmap
The Bottom Line
- Read the blog posting and more detailed whitepaper
- Adapt the recommendations and apply the process outlined in the “Identifying and Closing Gaps” section
