Every so often, when new employees are hired, I do a half-our one-on-one orientation session to explain what the information security officer role is all about. Previously, I used to go in with some talking points and engage the new employee in an open and unstructured discussion, but since I seems to be spending more time in meetings of this kind lately, I decided to capture my current situation in a diagram. I have written about roles and responsibilities of an information security function in the past, and much of what I posted in the past is replicated in this diagram, but there may be some new observations.
Starting at the bottom-left is the "information security cycle". It is based on many bodies of knowledge, but it has been slightly adjusted to fit my needs. An information security function cannot be effective if it is just reactive. Most of the work should be focused on things like identifying enterprise goals, deriving information security goals from them and to come up with strategies to achieve those goals. Some of initiatives should be captured in policies, and all policies should work towards reaching these goals. All of this happens in the "prepare" phase. The prepare phase also includes implementing technical controls, such as developing a monitoring infrastructure, setting up preventative technical controls, etc.
Since building an infrastructure that is capable of reporting on what is going on is actually only useful when someone is listening for the information it provides, the next phase of the security cycle is the detection phase. The goal of the detection phase is to watch all the information coming in, correlate the information, and look for signs of anomalies. Once anomalies have been detected and cannot be ruled out easily as false positives, we move to the respond phase.
The respond phase is where a lot of organization focus all of their efforts. It consists of incident response, investigation, forensics, cleanup, etc. After finishing up the response phase, we work on bringing operations back to normal in the recovery phase, and we reflect on what we can do better in the learn phase. All of these phases feed into each other, but conceptually, you can view them as a continuing circle.
Managing this whole process is the job of the (chief) information security officer. He or she does so by establishing the information security strategy and the information security policies with the help of stakeholder groups. The stakeholder groups should have organization wide representation (on the right), as well as be carried widely by the IT department (on the left).
Once the foundation of strategy and policy has been established, the CISO can work by building out functional areas, such as risk management and compliance, security monitoring, incident response, awareness training and business continuity. Not all of these functional areas have to be executed by the CISO's staff, but they should be involved in all of these.
Using this chart as a starting point for a conversation has proven to be very valuable, and it has elevated the level of discussion that I was able to have with new employees. If you find it useful, feel free to tailor it for use in your own organization.