By Alan Jackson, CISSP
According to the Securities and Exchange Commission (2008), a firm must “designate in writing an employee or employees to coordinate your information security program,” and that person must have “sufficient authority and access to the institution’s managers, officers and directors to effectively implement the program and modify it as necessary” (p. 13696). This is the first and most basic component of a cyber security program. At first glance it seems like a very simple requirement. However, the program administrator should be chosen carefully, because the Chief Compliance Officer (CCO) cannot delegate away personal liability for the cyber security program. If the CCO delegates day-to-day responsibility for the program, the CCO must still understand, and be satisfied with, what the administrator is actually doing.
This raises a question: is cyber security the domain of IT or of compliance? Best practice holds that it belongs to both, because IT and compliance professionals think about cyber security in complementary but different ways. Nonetheless, it is common for firms to assign this responsibility exclusively to compliance professionals with no IT background, or to IT professionals with no compliance background. Ideally, the person responsible understands both. This person is analogous to the quarterback on a football field. A good quarterback understands both offense and defense; the quarterback is neither a wide receiver nor a lineman, but relies on those position players to win. In the same way, the CCO is the coach, and the cyber security program administrator is the on-field general who bridges the gap between the compliance and IT functions. The coach and the quarterback work together to combine the skill sets of different individuals into a team. Once the administrator is chosen, the SEC expects the firm to document these roles and responsibilities in writing, so that accountability is clear and action follows.
The next step in a cyber security program involves the administrator creating a risk assessment to evaluate the firm’s cyber environment. However, that is an article for another day.