01 - In the Beginning

The creation of the position of Chief Information Security Officer - CISO

Posted by on 23rd Jun 2025

The position of a CISO was created by Gazette Notice 44 dated 9th February 2024 under the Computer Misuse and CyberCrime Act (Critical Information Infrastructure and Cyber Crime Management).

Section 32 of the Act prescribes the designation of the Chief Information Security Officer: the owners of Critical Information Infrastructure are required to appoint a Chief Information Security Officer.

The owners of Critical Information Infrastructure sectors are listed in Gazette Notice No. 21 of 31 January 2022, Section 9 (1) and (2).

This blog is about how I would go about it.

The Structure of this blog

  • Responsibilities of a CISO
  • Regulatory Bodies and Compliance
  • Resources
  • Board, CEO and Fellow Managers
  • Team
  • Threat Profile - Cyber Security Strategy
  • Building an Information Security Program
  • Monitoring
  • Gap Assessment
  • Minimum Security Requirements
  • Validating Security Controls
  • Ransomware Incident
  • Policies, Procedures and Controls
  • Tabletop Exercises
  • Preparing for a Ransomware Incident
  • Ransomware Incident Reporting
  • Software Development - DevSecOps
  • Third-Party Management
  • Contractual Agreements
  • Information Security Sharing Communities
  • Professional Development

Personally, I think this is one of the toughest jobs around, for one main reason: as a CISO you have to get it right all of the time, while the attacker only needs to be right once, usually by capitalizing on one of your mistakes. And the attackers are good, really, really good.

This is literally the work of a goalkeeper: you have to be right all the time, while the striker only needs to be right once.

There is no push button for cyber security; you have to build it, layer by layer, brick by brick.