Defining the Strategic Role of the Chief Information Security Officer

The level of sophistication and dynamism of the security threat environment requires modern organizations to develop novel security strategies. The responsibility to strategize falls to the Chief Information Security Officer (CISO). A review of the security literature shows there has been little emphasis on understanding the role of the CISO as a strategist. In this research, we conduct a systematic literature review from the disciplines of information security and strategic management to identify specific attributes required by CISOs to become effective strategists. We discuss these attributes in the context of Information Security Management and argue that CISOs with these attributes or capabilities are better positioned to overcome the existing strategic security challenges facing organizations.
