top of page
Voraudit, ISO 27001, ISMS, IT-Sicherheitskatalog, IT-SiKat, TISAX®, VDA ISA, VAIT, KRITIS, B3S, §8a BSIG, Informationssicherheit, Angriffserkennungssysteme, SzA, Zertifizierungsvorbereitung, Audit-Management, Compliance, IT-Sicherheit
Search
Writer's pictureMarc Borgers

CISOs cannot save the world


Information security officer, risk management, ISMS, ISO 27001, ISO 31000, BaFin, cyber threat, conflicts of interest, IT security, confidentiality, availability, integrity, governance, digitization, business processes, financial services, IT compliance, corporate security, intervention rights, internal resistance, process responsibility

In some companies, the opinion is still held that the information security officer is solely responsible for the risks he or she has identified, should estimate the potential level of damage himself or herself and implement technical measures to minimize risk. However, a look at the relevant standards ISO 2700x and 31000 and the interpretative letter published by BaFin on September 15, 2015 provides clarity:

 

Information security officers cannot save the world. They ensure that others can save the world by having a functioning and adequate information security management system (ISMS).

 

The ISMS enables the owners of business processes to transparently record and evaluate the risks to confidentiality, availability and integrity (CIA) for their processes and the information behind them. The knowledge gained during an ISMS run is, like the ISMS itself, an integral part of company-wide risk management and forms the basis for prioritizing and treating the CIA risks found. The responsibilities within risk management are clearly regulated in the international standards and do not allow the misunderstanding mentioned at the beginning. In order to avoid possible conflicts of interest, the Federal Financial Supervisory Authority has expressed the expectation that the information security officer must not be an employee or head of IT and should not perform any internal audit tasks.

"An important building block for solving this problem is to improve the position of IT security experts in credit institutions, for example by making them directly subordinate to the board of directors and giving them powers of intervention across all hierarchies within the company. Particularly in light of the fact that the cyber threat situation is becoming increasingly acute, IT security experts must be able to carry out their tasks - despite internal resistance." https://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Fachartikel/2015/fa_bj_1509_it_sicherheit.html

 

The aim behind this requirement, the avoidance of conflicts of interest and internal resistance, should, in my opinion, also be heard and accepted outside of the financial sector. Because the challenges in the ever-increasing digitalization of the business world are not diminishing. Instead, they are increasing every day! In my personal experience, a clear separation between governance, implementation and operations is unavoidable if you want to deal with many risks in the short and medium term and guarantee at least an acceptable level of quality.

Comments


Telephone2trans.png

You have questions?

Sometimes a direct conversation is simply unbeatable. Please do not hesitate to arrange a free initial conversation via our telephone calendar!

ConsultantGPT.png
bottom of page