Post by rabiakhatun on Nov 3, 2024 10:30:07 GMT
This week, tomorrow to be exact, there will be a CISO Forum and I remembered a recent discussion about who a CISO is and how many CISOs there can be in an organization. The last question seems to have one obvious answer, but that is a superficial point of view. The thing is that we are used to working in small companies, where there is really only one person responsible for information security. But I would like to add a little to broaden the horizons of readers who have less and less opportunity to analyze what is happening outside our aquarium.
Well, so as not to make things up, I will tell you how it was arranged at Cisco, where I had the chance to work for a long time. Firstly, each acquired company had its own CISO, who, during the acquisition process, having already changed his name, continued to perform his role in the acquired asset. And even after the acquisition, some acquired companies, retaining a certain independence, but being part of Cisco, continued to have their own head of information security.
And this story is not about holding structures - we are talking specifically about one company.
Secondly, Cisco had its own (or rather its own) CISO, who worked in the manufacturing division responsible for assembling equipment. Unlike traditional "office" CISOs focused on protecting traditional corporate assets, this CISO dealt with supply chain security issues, monitoring contractors in different countries where hardware was assembled, etc.
That is, different CISOs focused on different processes within the company. Although they were subordinated to one vertical, the production CISO still led a fairly independent life within the framework of his activities.
And it gets worse. Many global companies (Cisco didn't have this) have their own regional CISOs, who broadcast the company's general information security policy to their region. In such cases, the head CISO often gets the prefix Global, and CISO meetings become like a gathering of knights of the round table (except that they are washed, not dressed in skins, and smell of expensive perfume).