A Good Chief Information Security Officer

Barely a day goes by without there being somewhere a major information security breach of some sort.

It is in that context that the role of the Chief Information Security Officer has never been more important.

But what can be reasonably expected of the CISO?

Well it turns out – a lot!

The United States General Accountability Office has recently released a very helpful guide as to what those expectations are – and where certain US agencies have (considerable) opportunities for improvement.

Most importantly:

13 of the 24 agencies GAO reviewed had not fully defined the role of their CISO.

Agencies did not always identify a role for the CISO in ensuring that security controls are periodically tested; procedures are in place for detecting, reporting, and responding to security incidents; or contingency plans and procedures for agency information systems are in place.

The biggest issue that was a challenge to their authority was:

Competing priorities between operations and security

Followed quickly by:

Coordination with component organizations

This is an excellent report for anyone interested – as we all should be – in the world of information security.

For the CISOs reading this report, hopefully the deficiencies are not too autobiographical … but if they are, this report serves as a wake-up call to improve.

