Your search keyword '"CISO"' showing total 20 results

1. Teacher, enforcer, soothsayer, scapegoat : the purpose of the CISO in commercial organisations

Author

Da Silva, Joseph

Subjects

CISO, Cyber security, Interpretive research, Business and Society

Abstract

The employment of a Chief Information Security Officer (CISO) is common in commercial businesses. However, the purpose of the CISO role is not well understood. This thesis provides in-depth perspectives on the CISO role, and, in so doing, brings to the fore a nuanced understanding of its purpose and surfaces the experiences of those performing it. The thesis is grounded in an in-depth study of 18 UK-based but predominantly multinational organisations. It utilises semi-structured interviews with 15 CISOs and six senior organisational leaders, as well as an analysis of each organisation's annual report. Through the application of empirically-grounded sociological theories to an interpretation of the findings, the thesis makes theoretical, practical, methodological, and empirical contributions. These include employing broader security scholarship related to ontological security and sociological notions of identity work to determine that cyber security plays an important role in business identity, being both threat to, and constituent of, that identity. It shows that the CISO's own identity is conflicted and contradictory and proposes a metaphor of soothsaying that provides further insight. By applying analytical lenses of risk management and governance, it shows that the CISO represents an attempt to control cyber-security uncertainty, and highlights paradoxes relating to the role that the CISO plays in risk management. Further, it introduces the concept of recreancy to cyber-security practice. Cyber security is also explored in wider societal contexts, with the work of Thomas Hobbes used as an analytical lens. This indicates that cyber-security practices within businesses are beneficial to the state and shows that cyber-security threats are survival-level concerns feared by both states and businesses. Reflexivity in relation to the complex and enmeshed nature of cyber-security practice within broader society is also motivated by the thesis. The thesis concludes with considerations for future work that have been provoked by this research.

Published

2023

2. Chief Information Security Officer: A Vital Component of Organizational Information Security Management.

Author

Ciekanowski, Marek, Żurawski, Sławomir, Ciekanowski, Zbigniew, Pauliuchuk, Yury, and Czech, Artur

Published

2024

3. Organizational aspects of cybersecurity in German family firms – Do opportunities or risks predominate?

Author

Patrick Sven Ulrich, Alice Timmermann, and Vanessa Frank

Subjects

Cybercrime, Cyber risks, Cybersecurity, Family firms, Empirical study, CISO, Information technology, T58.5-58.64, Management information systems, T58.6-58.62

Abstract

Purpose – The starting point for the considerations the authors make in this paper are the special features of family businesses in the area of management discussed in the literature. It has been established here that family businesses sometimes choose different organizational setups than nonfamily businesses. This has not yet been investigated for cybersecurity. In the context of cybersecurity, there has been little theoretical or empirical work addressing the question of whether the qualitative characteristics of family businesses have an impact on the understanding of cybersecurity and the organization of cyber risk defense in the companies. Based on theoretically founded hypotheses, a quantitative empirical study was conducted in German companies. Design/methodology/approach – The article is based on a quantitative-empirical survey of 184 companies, the results of which were analyzed using statistical-empirical methods. Findings – The article asked – based on the subjective perception of cybersecurity and cyber risks – to what extent family businesses are sensitized to the topic and what conclusions they draw from it. An interesting tension emerges: family businesses see their employees more as a security risk, but do less than nonfamily businesses in terms of both training and organizational establishment. Whether this is due to a lack of technical or managerial expertise, or whether family businesses simply think they can prevent cybersecurity with less formal methods such as trust, is open to conjecture, but cannot be demonstrated with the research approach taken here. Qualitative follow-up studies are needed here. Originality/value – This paper represents the first quantitative survey on cybersecurity with a specific focus on family businesses. It shows tension between awareness, especially of risks emanating from employees, and organizational routines that have not been implemented or established.

Published

2022

4. The Soft Skills Business Demands of the Chief Information Security Officer.

Author

Smit, Richard, van Yperen Hagedoorn, Jeroen M. J., Versteeg, Patric, and Ravesteijn, Pascal

Subjects

CHIEF information officers, BUSINESS skills, SOFT skills, JOB analysis, JOB advertising

Abstract

While many researchers have investigated soft skills for different roles related to business, engineering, healthcare and others, the soft skills needed by the chief information security officer (CISO) in a leadership position are not studied indepth. This paper describes a first study aimed at filling this gap. In this multimethod research, both the business leaders perspective as well as an analysis of CISO job ads is studied. The methodology used to capture the business leaders perspective is via a Delphi study and the jobs adds are studied using a quantitative content analysis. With an increasing threat to information security for companies, the CISO role is moving from a technical role to an executive role. This executive function is responsible for information security across all layers of an organisation. To ensure compliance with the security policy among different groups within the company, such as employees, the board, and the IT department, the CISO must be able to adopt different postures. Soft skills are thus required to be able to assume this leadership role in the organisation. We found that when business leaders were asked about the most important soft skills the top three consisted out of 'communication', 'leadership' and 'interpersonal' skills while 'courtesy' was last on the list for a CISO leadership role. [ABSTRACT FROM AUTHOR]

Published

2021

5. Cyber-risk insurance — a big challenge facing contemporary economies

Author

CALIN Mihai Rangu and Leonardo Badea

Subjects

cyber risk, insurance, risk management, GDPR, underwriting, CISO, IT security, privacy, availability, data integrity, critical infrastructure, NIS, Finance, HG1-9999

Abstract

Cyber-security beyond the concept must be a product to be offered to modern society. We live in a complex world based on the digitization of products and services. Digitization also involves a complex system of associated risks. The road to the world of tomorrow goes through today's world and an analysis of the current situation in the contemporary economies about cyber risk insurance is only a first step that this article aims to achieve.The study aims to substantiate the need to formulate and assume policies and to support the regulation of cyber risk coverage by ensuring the need to support sectoral strategies to increase the level of maturity of companies from the perspective of protection against cyber threats. There is also a need to set up a cyber-risk reporting system, at least for critical and important infrastructures, the development and use by insurers of advisory and evaluation models based on standards and certifications recognized at the level of including the development of necessary skills for insurers to engineer these risks.

Published

2019

6. Cyber-Resiliency for Digital Enterprises: A Strategic Leadership Perspective

Author

Jeremy Zwiegelaar, Charles Booth, Vikas Kumar, and John Loonam

Subjects

business.industry, Business process, Strategy and Management, Corporate governance, media_common.quotation_subject, Cyber Security, Leadership, CIO, CISO, Qualitative inquiry, Interviews, 05 social sciences, Mindset, Information security, Public relations, Management, Officer, Strategic leadership, Transformational leadership, 0502 economics and business, Psychological resilience, Electrical and Electronic Engineering, business, 050203 business & management, media_common

Abstract

As organizations increasingly view information as one of their most valuable assets, which supports the creation and distribution of their products and services, information security will be an integral part of the design and operation of organizational business processes. Yet, risks associated with cyber attacks are on the rise. Organizations that are subjected to attacks can suffer significant reputational damage as well as loss of information and knowledge. As a consequence, effective leadership is cited as a critical factor for ensuring corporate level attention for information security. However, there is a lack of empirical understanding as to the roles strategic leaders play in shaping and supporting the cyber security strategy. This study seeks to address this gap in the literature by focusing on how senior leaders support the cyber security strategy. The authors conducted a series of exploratory interviews with leaders in the positions of Chief Information Officer, Chief Security Information Officer, and Chief Technology Officer. The findings revealed that leaders are engaged in both transitional, where the focus is on improving governance and integration, and transformational support, which involves fostering a new cultural mindset for cyber resiliency and the development of an ecosystem approach to security thinking. Managerial relevance statement Our findings provide interesting insights for managers particularly those in the role of Chief Information Officers (CIOs), Chief Security Information Officers (CSIOs), and Chief Technology Officers (CTOs). We propose a Cyber Security Strategy Framework (CSSF) which can be used by these information/technology managers to design an effective organizational strategy to develop cyber resilience in their organization. Our framework suggests that managers should focus on transitional and transformational support. The transitional support focuses on improving governance and integration whereas transformational support focuses on the emphasis of fostering a new cultural mindset for cyber resiliency and the development of an ecosystem approach to security thinking. Our findings provide good evidence showing how leaders can support more effective cyber security initiatives.

Published

2022

7. L’Eurasie, champ d’expression de la puissance russe

Author

David Teurtrie

Subjects

Social Sciences and Humanities, Russian Power, General Medicine, ciso, Organisation de coopération de Shanghai (ocs), Eurasian Integration, Shanghai Cooperation Organization (sco), Puissance russe, intégration eurasiatique, Nouvelles routes de la soie, Union économique eurasiatique, csto, otsc, Eurasia, Sciences Humaines et Sociales, Eurasian Economic Union, cei, Eurasie, New Silk Roads

Abstract

Cet article est consacré à la dimension eurasiatique de la politique extérieure russe. L’intégration eurasiatique, qui n’avait pas la faveur des élites russes dans les années 1990, s’est progressivement imposée dans les années 2000 du fait de l’échec des projets d’union incluant l’Ukraine, comme des tentatives de rapprochement avec l’Europe occidentale. Désormais, Moscou s’appuie sur l’Union économique eurasiatique (uee) et sur l’Organisation du Traité de sécurité collective (otsc) pour tenter de réaffirmer son leadership en Eurasie postsoviétique et établir des partenariats internationaux à l’échelle continentale afin de structurer le projet de Grande Eurasie. Si cette politique a connu certains succès, notamment dans la coopération avec la Chine pour la mise en place des Nouvelles routes terrestres de la soie, elle continue de se heurter à l’incompréhension des puissances occidentales qui refusent toute forme de partenariat entre les structures euro-atlantiques et les organisations eurasiatiques., This article is devoted to the Eurasian dimension of Russian foreign policy. Eurasian integration, which was popular among Russian elites in the 1990s, gradually imposed itself in the 2000s due to the failure of union projects including Ukraine and of attempts to rapprochement with Western Europe. Moscow now relies on the Eurasian Economic Union (eaeu) and the Collective Security Treaty Organization (csto) to try to reaffirm its leadership in post-Soviet Eurasia and establish international partnerships on a continental scale in order to structure the Great Eurasia project. If this policy has known certain successes, in particular in the cooperation with China for the establishment of the New Land Silk Roads, it continues to come up against the incomprehension of the Western powers which refuse any form of partnership between the Euro-Atlantic structures and Eurasian organizations.

Published

2021

8. THE CHIEF INFORMATION SECURITY OFFICER: AN EXPLORATORY STUDY.

Author

Karanja, Erastus and Rosso, Mark A.

Subjects

CHIEF information officers, INFORMATION technology security, DATA security failures, STRATEGIC planning

Abstract

The proliferation and embeddedness of Information Technology (IT) resources into many organizations’ business processes continues unabated. The security of these IT resources is essential to operational and strategic business continuity. However, as the large number of recent security breaches at various organizations illustrate, there is more that needs to be done in securing IT resources. Firms, through organizational structures, usually delegate the management and control of IT security activities and policies to the Chief Information Security Officer (CISO). Nevertheless, there seem to be a number of firms without a CISO and for the ones that do, there is little consensus regarding who the CISO should be reporting to. This exploratory study investigates the organizational security reporting structures using a dataset of all the firms that hired a CISO between 2010 and 2014. The results suggest that the number of firms hiring CISOs is increasing and that the hired CISOs are predominantly coming from outside the firm. Also, CISOs who are hired to fill newly created positions tend to report to the CEO whereas replacement hires for existing positions tend to report to the CIO. These findings have implications for both academics and practitioners. [ABSTRACT FROM AUTHOR]

Published

2017

9. The Soft Skills Business Demands of the Chief Information Security Officer

Subjects

Soft Skills, competences, ComputingMilieux_THECOMPUTINGPROFESSION, cybersecurity, CISO

Abstract

While many researchers have investigated soft skills for different roles related to business, engineering, healthcare and others, the soft skills needed by the chief information security officer (CISO) in a leadership position are not studied in-depth. This paper describes a first study aimed at filling this gap. In this multimethod research, both the business leaders perspective as well as an analysis of CISO job ads is studied. The methodology used to capture the business leaders perspective is via a Delphi study and the jobs adds are studied using a quantitative content analysis. With an increasing threat to information security for companies, the CISO role is moving from a technical role to an executive role. This executive function is responsible for information security across all layers of an organisation. To ensure compliance with the security policy among different groups within the company, such as employees, the board, and the IT department, the CISO must be able to adopt different postures. Soft skills are thus required to be able to assume this leadership role in the organisation. We found that when business leaders were asked about the most important soft skills the top three consisted out of 'communication', ‘leadership’ and 'interpersonal' skills while 'courtesy' was last on the list for a CISO leadership role.

Published

2021

10. Designing a strategic information security dashboard to support situation awareness

Author

Tardif, Pierre Martin, Blain, Nicolas, Moïse, Alexandre, Tardif, Pierre Martin, Blain, Nicolas, and Moïse, Alexandre

Abstract

Le responsable de la sécurité des systèmes d’information (CISO) a pour objectif de s’assurer que le conseil d'administration et les hauts dirigeants ont une bonne compréhension de la situation actuelle de l'organisation en matière de sécurité de l'information, puis d’agir de conseiller stratégique pour les décisions qui ont un impact sur la sécurité de l’information. Pour atteindre ces objectifs, le CISO doit avoir accès à de l’information fiable et complète, au moment opportun. Comme la reddition stratégique d’une telle quantité d’information est un processus complexe, elle nécessite l’utilisation d’outils comme le tableau de bord de gestion, défini comme étant un résumé en une page de l’information critique qui permet à l’utilisateur d'atteindre ses objectifs. Cet article propose une méthode de conception de tableau de bord stratégique en sécurité de l’information pour le soutien de la conscience de la situation, qui permet à une partie prenante stratégique en sécurité de l’information d’avoir une bonne compréhension de son environnement. Ensuite, l’article offre un aperçu de la valeur de cette méthode en présentant une maquette de tableau de bord, conçue pour le CISO d'une institution financière canadienne et son équipe. Il documente aussi les défis rencontrés lors du processus de conception., The Chief Information Security Officer (CISO) is the senior-level executive who ensures that the board and the executives have a good understanding of the current information security posture of the organization. To fulfill this objective, the CISO needs to have access to reliable, complete and relevant information in a timely manner to allow them to communicate effectively and to take the best decisions. Widely viewed as a great enabler of good performance management, the dashboard is a one-pager summary of the information that allows users to meet their objectives. This paper describes a method that makes it possible to consistently design dashboards that support situation awareness, giving users a good understanding of their environment in order for them to reach their goals. It then creates an example of such a dashboard that targets information security strategic stakeholders such as the CISO in the context of a Canadian financial institution, giving insights into the challenges faced in the design process.

Published

2021

11. Mitarbeiter Security Sensibilisierung - Empfehlung für Informationssicherheitsbeauftragte

Author

Volkamer, Melanie and Bachmann, Benjamin

Subjects

DATA processing & computer science, Security, CISO, ddc:004, Awareness

Published

2021

12. Security Sensibilisierung für Beschäftigte. Empfehlungen für Informationssicherheitsbeauftragte

Author

Volkamer, Melanie and Bachmann, Benjamin

Subjects

DATA processing & computer science, Security, CISO, ddc:004, Awareness

Published

2021

13. From Degree to Chief Information Security Officer (CISO): A Framework for Consideration

Author

1594384, Kappers, Wendi M, Harrell,, Martha Nanette, 1594384, Kappers, Wendi M, and Harrell,, Martha Nanette

Abstract

Educational entities are establishing program degree content designed to ensure cybersecurity and information security assurance skills are adequate and efficient for preparing students to be successful in this very important field. Many Master’s level programs include courses that address these skills in an attempt to provide a well-rounded program of study. However, undergraduates who are in the practitioner’s world have other alternatives to gain these skills. These individuals can gain various certifications, such as the Certified Information Systems Security Professional (CISSP) or the Certified Information Security Manager (CISM). Due to a perceived gap between academics and field knowledge, it appears that academic programs may not fully consider the very specific competencies of C-Suite members (e.g. Chief Information Security Officer (CISO)) since field certification may be the only validation of such skills. Therefore, a framework from degree to industry employment acceptance is needed. To this end, the current study suggests the use of a framework in which to examine and compare C-Suite competencies versus academic preparations. Ultimately, this framework will assist researchers in examining the actual, current job tasks of C-Suite members. Since the CISO position is new to the industry, becoming a common job title within only the last few years, the reporting structure for the CISO varies widely and various organizations have differing expectations of the position [1]. Therefore, the initial phases of this study focus solely upon this position as the starting benchmark. This paper explores historical aspects of the workforce skills gap in the area of computer security while providing survey validation results from Phase I of this project. This pilot investigation invited faculty (n=5; 24% response rate) who are both practitioners and academicians to support this examination and the acceptance of said framework. Demographic data includes a comparison betw

Published

2020

14. Target Group-Oriented Segmentation of Security Assessment Reports

Author

Daxbacher, David

Subjects

Information System Owner, Information Security, Topmanagement, CISO, System Engineer, Security Assessment, Security Assessment Bericht, Informationssicherheit, Security Assessment Report

Abstract

Diese Masterarbeit beschäftigt sich mit der Aufbereitung von Security Assessment Berichten für verschiedene Zielgruppen. Diverse Best Practices, wie beispielsweise der Penetration Testing Execution Standard oder der OWASP Testing Guide, bieten für die Erstellung eines solchen Berichts nur eine Vorlage an, in der lediglich das Management und die Techniker*innen berücksichtigt werden. Mit dieser wissenschaftlichen Arbeit wird untersucht, ob die Erstellung eines einzigen Abschlussberichts, mit einer strikten Trennung des Inhalts für das Management und die Techniker*innen, tatsächlich ausreichend ist oder ob es mehrere Zielgruppen zu berücksichtigen gilt, wodurch mehrere Berichte mit einer jeweils individuell angepassten Struktur sinnvoll wären. Dazu werden sämtliche Akteur*innen aus dem Bereich der Informationssicherheit identifiziert und in einem weiteren Schritt nur jene selektiert, für die der Empfang eines Security Assessment Berichts von Relevanz ist. Die verbleibenden Akteur*innen werden schließlich auf Basis einer Literaturrecherche näher auf ihre Aufgaben, Rollen, Verantwortlichkeiten etc. untersucht und gegebenenfalls zusammengefasst. Dadurch ergeben sich vier Akteur*innen, die sich aus dem Topmanagement (vertretend für CEO, CIO und CFO), dem CISO (Repräsentant für sämtliche Personen mit Sicherheitsaufgaben), dem Information System Owner und dem System Engineer zusammensetzen. Für die spätere individuelle Aufbereitung von Security Assessment Berichten werden zunächst konkrete Vorlagen von Best Practices betrachtet. Die Empfehlungen dieser verschiedenen Ansätze werden in einem einzigen Abschlussbericht zusammengeführt, der als weitere Ausgangsbasis dient. Für jede*n Akteur*in wird auf Basis der Informationen durch die Literaturrecherche im Anschluss die optimale Struktur eines Security Assessment Berichts ausgearbeitet. Diese finden als Hypothesen in der Empirie Verwendung. Die Richtigkeit dieser Hypothesen wurde mithilfe einer quantitativen Umfrage, die 42 Fachexpert*innen umfasst, überprüft. Die Aufgabe der Fachexpert*innen lag darin, die präsentierten Annahmen kritisch zu hinterfragen und gegebenenfalls zu korrigieren. Die Ergebnisse der Umfrage zeigen, dass ein einziger Security Assessment Bericht, in welchem die Inhalte für das Management und die Techniker*innen strikt getrennt werden, nicht ausreichend ist. Für die System Engineers sind nicht nur die detaillierten Ergebnisse zur Behebung der Schwachstellen von Bedeutung, sondern auch einige Unterkapitel aus der Zusammenfassung und den organisatorischen Informationen. Die detaillierten Ergebnisse haben zwar keinerlei Relevanz für das Topmanagement, dafür werden die organisatorischen Informationen zur Gänze benötigt. Der CISO hingegen ist sowohl an der kompletten Zusammenfassung, sämtlichen organisatorischen Informationen als auch am Großteil der detaillierten Ergebnisse interessiert. Der Information System Owner wiederum zieht den größten Nutzen aus den Ergebnissen, welche die unter seiner Obhut stehenden Systeme betreffen. Das Endresultat sind verschiedene Security Assessment Berichte, mit welchen klar ersichtlich wird, dass es mehrere Zielgruppen zu berücksichtigen gilt und damit eine individuelle Aufbereitung sinnvoll ist. This master thesis deals with the creation of security assessment reports for different target groups. Various best practices, such as the Penetration Testing Execution Standard or the OWASP Testing Guide, offer only one template for the creation of such a report, in which only management and technicians are taken into account. This scientific thesis examines whether the production of a single final report, with a strict separation of the content for management and technicians, is actually sufficient or whether several target groups need to be considered, which would result in several reports, each with its own customized structure. For this purpose, all actors in the field of information security are identified and in a subsequent step only those are selected for whom the recipience of a security assessment report is relevant. Finally, the remaining actors are examined more closely with regard to their tasks, roles, responsibilities, etc. on the basis of a literature search and combined in one actor if necessary. This results in four actors, consisting of the top management (representing the CEO, CIO and CFO), the CISO (representing all persons with security responsibilities), the information system owner and the system engineer. Specific templates of best practices are initially considered for the subsequent individual creation of security assessment reports. The recommendations of these different approaches will be merged into a single final report, which serves as a further starting point. The ideal structure of a security assessment report is then created for each actor based on the information provided by the literature search. These are used as hypotheses in empirical studies. The validity of these hypotheses was verified by means of a quantitative survey involving 42 experts. The task of the experts was to critically question the assumptions presented and correct them if necessary. The results of the survey show that a single security assessment report, in which the contents are strictly separated for management and technicians, is not sufficient. For system engineers, not only the detailed results to remedy the vulnerabilities are important, but also some sub-chapters from the summary and the organizational information. Although the detailed results are not relevant for the top management, the organizational information is required in its entirety. The CISO, on the other hand, is interested in the complete summary, all organizational information and most of the detailed results. The information system owner derives the greatest benefit from the results concerning the systems under his care. The end result is a number of different security assessment reports, showing clearly that there are several target groups to be considered and therefore an individual creation of the reports is appropriate. Abweichender Titel laut Übersetzung der Verfasserin/des Verfassers Arbeit an der Bibliothek noch nicht eingelangt - Daten nicht geprüft Wien, FH Campus Wien, Masterarb., 2020

Published

2020

15. RoboCISO: Um sistema de robôs de software (RPA) para alertar o CISO sobre o status dos seus vetores de risco mais críticos

Author

Rodrigues, Cátia Sofia Silva and Respício, Ana Luísa do Carmo Correia, 1965

Subjects

Robotic Process Automation, Alertas, Patching, Departamento de Informática, CISO, Trabalhos de projeto de mestrado - 2020, DDoS

Abstract

Trabalho de projeto de mestrado, Informática, Universidade de Lisboa, Faculdade de Ciências, 2020 Submitted by Teresa Boa (tdboa@fc.ul.pt) on 2021-05-19T18:03:36Z No. of bitstreams: 1 ulfc126313_tm_Cátia_Rodrigues.pdf: 7082792 bytes, checksum: 9433447526cf72ef216e72bc3aa6eecb (MD5) Made available in DSpace on 2021-05-19T18:03:46Z (GMT). No. of bitstreams: 1 ulfc126313_tm_Cátia_Rodrigues.pdf: 7082792 bytes, checksum: 9433447526cf72ef216e72bc3aa6eecb (MD5) Previous issue date: 2020

Published

2020

16. A influência da predisposição regulatória dominante da personalidade dos CISOs nas decisões de segurança da informação

Author

Lima, Alexandre, Escolas::EAESP, Larieira, Cláudio Luís Carvalho, Terllizzi, Marco Alexandre, and Sanchez, Otávio Próspero

Subjects

Tecnologia da informação - Medidas de segurança, Proteção de dados, Segurança da informação, Teoria do foco regulatório, Information security, Regulatory focus theory, Administração de empresas, Tecnologia da informação - Sistemas de segurança, Processo decisório, CISO, Empresas - Medidas de segurança, Tomada de decisão, Decision making

Abstract

Organizações do mundo inteiro estão sofrendo impactos significativos decorrente de diversos tipos de incidentes de segurança da informação (SI), e isso fez com que a área de SI e sua principal liderança (CISO – Chief Information Security Officer) ganhassem importância. Há muitos estudos acadêmicos sobre SI, mas pouquíssimos que focam em como tornar esse profissional mais efetivo no exercício da sua função. Através da Teoria do Foco Regulatório será estudado como esses profissionais tomam decisões (muitas vezes carregando vieses comportamentais) e o reflexo nas organizações. Resultados revelaram que dependendo do foco motivacional do profissional, ele poderá tomar decisões desalinhadas ao contexto da organização, como por exemplo, seus objetivos e estratégias, podendo impactar na sua performance e na performance da organização para a qual atua. Organizations around the world are suffering significant impacts from various types of information security (IS) incidents, and this has made the IS area and its chief information security officer (CISO) gain importance. There are many academic studies on IS, but very few focus on how to make it more effective in the exercise of its function. Through the Regulatory Focus Theory will be studied how these professionals make decisions (often carrying behavioral biases) and the reflection in organizations. Results revealed that depending on the motivational focus of the professional, he / she can make decisions that are out of alignment with the context of the organization, such as its objectives and strategies, and may impact on his performance and the performance of the organization for which it operates.

Published

2019

17. A função do Chief Information Security Officer nas organizações

Author

Monzelo, Pedro Miguel Centúrio Sol and Nunes, Sérgio

Subjects

Segurança da Informação, Risk Management, Board of Directors, Gestão de Risco, Information Management, SRI, Information Security, RGPD, SGSI, NIS, Gestão de Informação, Conselho de Administração, ISMS, CISO, GDPR

Abstract

Mestrado em Gestão de Sistemas de Informação Num mundo cada vez mais conectado e digital, a informação é crescentemente vista como potenciador do negócio e fonte de vantagem competitiva. Assim, a segurança de informação torna-se crítica ao proteger os ativos de informação, pelo que a estratégia de segurança organizacional tem vindo a alinhar-se com os seus objetivos de negócio. Por outro lado, as recentes alterações legais, tais como a Diretiva Segurança das Redes e da Informação e o Regulamento Geral de Proteção de Dados, vêm impor regras relativamente à privacidade e à segurança da informação, permitindo às organizações um redesenho ou ajuste dos seus processos de forma a garantir que a informação se encontra efetivamente segura. Neste contexto, o Chief Information Security Officer assume um papel de destaque na coordenação da confidencialidade, integridade e disponibilidade da informação na organização. Este trabalho pretende estudar o ambiente geral da segurança de informação nas organizações, analisar o papel do CISO, e compreender onde este deverá estar integrado na estrutura organizacional. Para tal, foram realizadas entrevistas a consultores especialistas e a pessoas com cargos diretivos nas áreas de sistemas de informação e de segurança da informação, que permitiram concluir que ainda é necessário um grande amadurecimento a nível das organizações em Portugal relativamente ao tema, e que tal poderá dever-se à ausência de uma cultura de segurança estabelecida no país. Por outro lado, o papel do CISO tem assumido uma maior relevância, sendo que é uma opinião geral que o mesmo deverá ter uma relação próxima com a administração das organizações. In an increasingly connected and digital world, information is seen as a business enabler and a source of sustained competitive advantage. Thus, information security is becoming critical so to protect these information assets, which is why the concern with organizations’ security strategy has been aligning with their strategic objectives. On the other hand, recent changes in regulation, as Network and Information Security (NIS) directive and the General Data Protection Regulation (GDPR), come to regulate and create rules when it comes to information security, and allow organizations to redesign or adjust these processes in order to ensure that information is, in fact, safe. In this context, the Chief Information Security Officer (CISO) comes to play an important role in coordinating confidentiality, integrity, and availability of information in the organization. This paper aims to study organizations’ information security environment in general, analyse the CISO’s role inside them, and understand where they should be integrated in the corporate structure. To do so, interviews were conducted on experienced information security consultants and information systems and information security directors, which allowed to conclude that organizations in Portugal still need a great amount of maturing when it comes to information security, and that this may eventually be due to the absence of an established security culture in the country. On the other hand, the CISO’s role has been increasing in relevance, being a general opinion that their relationship with organizations’ boards should be close. info:eu-repo/semantics/publishedVersion

Published

2018

18. Cybersäkerhet - Forskning och industri, en fallstudie : Cybersäkerhetshot och lösningsförslag

Author

Lönnebo, Anton and Lönnebo, Anton

Abstract

Hot mot organisationers cybersäkerhet innebär stora risker för dessa. När organisationer drabbas av incidenter så som dataintrång kan de kostnader som följer av detta vara mycket höga. Tidigare forskning påvisar att forskning inom cybersäkerhet ofta brister i att utforska och förstå de utmaningar verksamheter ställs inför, med detta som motivering utforskar denna studie de lösningsförslag som relaterad forskning respektive cybersäkerhetsindustrin presenterar gällande de hot som omfattas av studien. Utifrån denna kartläggning förväntades studien att kunna bidra med att minska eventuella kunskapsluckor mellan forskningen och cybersäkerhetsindustrin ifall sådana påträffas. Denna studies frågeställning är; "Gällande de i uppsatsen studerade hoten, hur skiljer sig cybersäkerhetsindustrins lösningsförslag från de lösningar som presenteras i den vetenskapliga litteraturen?" Befintlig forskning gällande respektive hot studerades och sedan utfördes semistrukturerade intervjuer med personal från ett cybersäkerhetsföretag. Studiens resultat visar på många likheter och skillnader mellan de presenterade lösningsförslagen, identifierar en grupp relaterade bifynd och bidrar med förslag gällande vilka lösningsförslag som bör utredas ytterligare.

Published

2018

19. Diferencia entre seguridad informática y ciberseguridad

Author

López Duque, Carlos Mario and López Duque, Carlos Mario

Abstract

El artículo tiene como fin explicar las diferencias entre seguridad informática y ciberseguridad. La protección de la información en las organizaciones suele ser mejor día tras día, lo que representa la exigencia y la existencia de nuevas áreas de protección de ataques, ciberataques en el ciberespacio de las organizaciones., The article aims to explain the differences between computer security and cybersecurity; the protection of information in organizations is usually better day by day, which represents the demand and the existence of new areas of protection from attacks, cyber-attacks in cyberspace of organizations.

Published

2018

20. IT Security Risk Management als wichtiger Bestandteil der Unternehmensstrategie - Handlungsempfehlungen und Rahmenbedingungen für eine erfolgreiche Einführung

Author

Struck, Erik

Subjects

Risikomanagement, Risk Management, IT Security Risk Management, CISO, ISMS, IT Security, IT-Sicherheit

Abstract

IT Security Risiken sind auf dem Vormarsch und haben sich in den letzten Jahren zum Nr. 1 Risiko der Versicherungsunternehmen entwickelt. Die fortschreitende Digitalisierung, Vernet-zung und Globalisierung der Unternehmen beschleunigten diese Entwicklung weiter. Diese Ar-beit beschäftigt sich daher mit der Einführung eines IT Security Risk Managements, den nötigen Rahmenbedingungen, Voraussetzungen aber auch Herausforderungen im Betrieb. Um ein pra-xisnahes Bild zu erhalten wurden 7 Experteninterviews mit erfahrenen Security Verantwortlichen und ISO Auditoren durchgeführt. Nach der qualitativen Inhaltsanalyse der Interviews zeigte sich, dass es sehr pragmatische Ansätze gibt, ein Security Management zu betreiben, aber auch die ISO und normbasierte Ansätze, um hier den gesetzlichen Anforderungen gerecht zu werden. Als Voraussetzung war hier die Rolle der Geschäftsführung als Enabler sehr wichtig und dass es eine zentrale Organisation mit einen Verantwortlichen Risk Manager gibt, welcher Richtlinien erstellt, Prozesse definiert und eine Sicherheitsmanagement aufbaut. Als kritischer Punkt wurde auch der zunehmende Personalmangel beleuchtet, bei welchen Prozesse vereinfacht werden und man einen Best-of-Breed Ansatz verfolgt. Besonders empfohlen wurden Tools wie CRI-SAM, welche bei der Einführung aber auch dem Betrieb unterstützen. Die finanzielle und quanti-tative Bewertung von Risiken wurde als sehr kritisch betrachtet und ist in der Praxis oftmals sehr komplex. Helfen kann hier ein Enterprise Riskmanagement mit einheitlichen Vorgaben und viel Know-How., Erik Struck, Masterarbeit Universität Klagenfurt, Universitätslehrgang Business Manager/in 2022