Cyber Security Roles and Responsibilities



Cyber security is not a new thing, but even so, it feels that way.  High profile attacks and data breaches increase public awareness of the issue and the overarching feeling seems to be, “you’re not safe anymore.”

Hyped-up issues tend to be easy to click and share, but there is typically a lot of nuance and detail to unpack before you can find solutions to the problem.  Therefore, I thought it would be helpful to approach the topic from the beginning, starting with, "What is cyber security in the first place?"

The Role of Cyber Security in the Organization

Broadly speaking, cyber security is a subset of information security management that focuses on digital information and digital assets.  Cyber security's goal is to assure the CIA of digital information within the organization.  CIA stands for Confidentiality, Integrity, and Availability.

To accomplish this a Cyber Security approach must:

  • Establish security measurements & metrics
  • Maintain awareness of emerging threats & vulnerabilities
  • Translate risks into business impact for Sr. leadership 
  • Recommend best practices & influence the organization's policy, standards, procedures and guidelines
  • Ensure compliance with Government and industry regulators

The Team members involved in Cyber Security:

Cyber Security is a function of management that touches every aspect of the business.  Therefore, everyone on the team has some level of involvement.  However, there are key roles and responsibilities and each one plays an important part.

C-level / Sr. Leadership

C-level is responsible for making value judgments based on cyber security vulnerability and business risk.  They have the ultimate authority; therefore they have the ultimate responsibility for the results of the organization's cyber security program.

Steering Committee

The steering committee represents the different departments within the organization.  The committee's purpose is to provide insight into business operations, data classification, and the overall impact of cyber security policies and procedures.

Auditors

Auditors are outside consultants or regulators tasked with assessing cyber vulnerability and risk.  It is important that auditors are not aligned with the IT organization they are assessing, but rather report to operations or finance, so their findings are independent of the people who run the systems.

Data Owner

The data owner is responsible for the classification of data.  Classification drives the organization's cyber security controls.  (General-use data can sit on a file server where any authenticated network user can access it.  Top Secret data goes in a safe, and only the COO and CFO know the location of the safe and the lock combination.)

Data Custodian

The data custodian is responsible for the safe custody, transport, and storage of the data.  Simply put, data custodians are responsible for the technical environment and database structure that the data owner's classification requires.

Network Admin

The network admin ensures availability of resources.  He has access to resources based on pre-established policy and can make changes within his sphere of access.

Security Admin

The security admin has read access to everything, allowing her to audit and measure cyber security effectiveness.  But a security admin should not have permission to make any changes.

It's important to note that the network admin and the security admin roles often conflict with one another.  At the core, a network admin wants to assure access to network resources.  A security admin, by contrast, seeks to enforce the principle of least privilege (access on a need-to-know basis).  Therefore these roles need to be separated: the security admin and the network admin should not be the same person, and the person who can change a system should not be the one who audits it.
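The two points above (classification drives controls, and the audit role must be kept apart from the change role) can be checked mechanically once roles and permissions are written down.  The following is an added example, not code from this post: the role names, permission names, classification levels and sample people are all assumptions made for illustration.  It models a small ordered classification scale, a role-to-permission table, and a list of role pairs one person must never hold together, then flags separation-of-duties violations, audit roles that have acquired change rights, and access requests that exceed a person's clearance.

```python
"""Toy access-policy checker for separation of duties and least privilege.

Added example.  Role names, permission names, classification levels and
the sample principals are assumptions for illustration only.
"""
from dataclasses import dataclass

# Assumed classification scale; a higher index is more sensitive.
LEVELS = ["general", "internal", "confidential", "top_secret"]

# Any permission in this set lets the holder alter a resource.
# "audit" is read-only observation and deliberately not in it.
CHANGE_PERMS = {"write", "configure", "delete"}

# Assumed role-to-permission table.  The security admin can read and
# audit everything but holds no change permission.
ROLES = {
    "network_admin": {"read", "write", "configure"},
    "security_admin": {"read", "audit"},
    "data_custodian": {"read", "write"},
    "user": {"read"},
}

# Role pairs a single person must never hold at the same time.
SOD_PAIRS = [("network_admin", "security_admin")]


@dataclass
class Principal:
    name: str
    roles: set
    clearance: str  # highest classification this person may read


def sod_violations(principals):
    """Return (name, role_a, role_b) for every principal holding a conflicting pair."""
    found = []
    for p in principals:
        for a, b in SOD_PAIRS:
            if a in p.roles and b in p.roles:
                found.append((p.name, a, b))
    return found


def read_only_role_violations(roles=ROLES, read_only_roles=("security_admin",)):
    """Map each audit role that has picked up change permissions to the offending perms."""
    return {
        r: sorted(roles[r] & CHANGE_PERMS)
        for r in read_only_roles
        if roles[r] & CHANGE_PERMS
    }


def can_access(principal, data_level, action):
    """Grant only if clearance covers the classification and a held role carries the action."""
    if LEVELS.index(data_level) > LEVELS.index(principal.clearance):
        return False  # classification exceeds clearance, regardless of role
    perms = set().union(*(ROLES[r] for r in principal.roles))
    return action in perms


# Constructed sample principals; carol deliberately holds both admin roles.
SAMPLE_PRINCIPALS = [
    Principal("alice", {"security_admin"}, "top_secret"),
    Principal("bob", {"network_admin"}, "internal"),
    Principal("carol", {"network_admin", "security_admin"}, "confidential"),
    Principal("dave", {"user"}, "general"),
]

if __name__ == "__main__":
    for name, a, b in sod_violations(SAMPLE_PRINCIPALS):
        print(f"SoD violation: {name} holds both {a} and {b}")
    print("Audit roles with change rights:", read_only_role_violations())
    alice, bob = SAMPLE_PRINCIPALS[0], SAMPLE_PRINCIPALS[1]
    print("alice audit top_secret:", can_access(alice, "top_secret", "audit"))
    print("alice write general:", can_access(alice, "general", "write"))
    print("bob read top_secret:", can_access(bob, "top_secret", "read"))
```

The clearance check runs before the permission check on purpose: a network admin with every change permission still cannot read data classified above his clearance, which is the "classification drives controls" rule expressed in code.  Running `read_only_role_violations` against the live role table on a schedule is a cheap way to catch the drift where an audit role quietly gains write access.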

As I noted earlier, I feel like this is the very beginning of an exploration into cyber security.  I plan to add future posts on the topic and to expand on what I've outlined here.  If you have any questions or if you feel like you have something to add, please leave a comment.


About Jason Clause

Originally from the great state of Ohio I relocated to the Bay Area to work in high-tech. A veteran of the dot com boom and bust, I have more than 15 years experience helping small businesses apply information technology to improve business process and increase revenue. I live in Livermore, California with my wife Jennifer and enjoy hiking, having friends over for dinner and quiet time at home. My hobbies include golf, snowboarding, creative writing and performing amateur standup comedy.
