In the autumn of 2019, the Centrum voor Informatiebeveiliging en Privacybescherming (CIP) conducted a survey, ‘How do CISOs experience their work and work environment?’. It included more than 100 CISOs and 40 directors. Notable results from the survey are that CISOs within the government work alone and have a challenging relationship with their director.
Many of the Chief Information Security Officers (CISOs) working within the Dutch government perform their duties alone within their organisation, i.e. without employees of their own. In addition, a significant proportion do so on a part-time basis. They are also only marginally involved in the purchase of secure hardware and software.
CISOs and their director
In general, both are positive about their relationship, and a large number of the responding CISOs report to a director. Both groups of functionaries are remarkably unanimous about the tasks and responsibilities of the CISO. However, there are also discrepancies. The directors say they give high priority to information security, and their view of potential risks and damage in the event of incidents seems to be even stronger and broader than that of the CISOs. However, the CISOs wish for a director who takes up the role of ambassador more emphatically, who makes more budget available and who is more accessible. The directors, in turn, would like to see a CISO who gives more advice; the CISOs themselves would like to operate more strategically.
Limited Mandate and Slow Decision-making
Is the function of CISO given sufficient priority? ‘Lack of support from middle management’, ‘limited mandate’, ‘slow decision-making’ and ‘limited resources’ come out of the survey as the biggest obstacles in their practice. In addition, CISOs point out that they are only involved to a limited extent in the change processes in information provision and information security. As a nuance: many appear to have delegated this to a more executive level.
The CIP CISO Survey makes clear that many organisations have already opted to introduce the new Baseline Informatiebeveiliging Overheid (BIO). CISOs readily find their way to the NCSC, VNG/IBD and the CIP for practical support, and appreciate it. The connection to support networks for prevention and incident response (SOCs, CERTs, the Nationaal Detectienetwerk and ISACs) could still be improved. These can help the CISO with their demanding ‘conscience role’ in the field of information security policy and help them keep their organisations genuinely and more structurally secure.
For further information, the full survey can be found here.
As a follow-up to this survey, CIP recently launched the CISO Cirkel, a community of and for CISOs within the Dutch government.