CISO: The Diplomat between Cybersecurity and Top Management
Master thesis
Permanent link: https://hdl.handle.net/11250/3019813
Publication date: 2022
Description: Full text not available
Abstract
Digitalization has transformed nearly all businesses in the last decades, and more businesses rely on digital solutions to survive. With this change cybersecurity has become even more important, and it is now essential that cybersecurity is viewed as a strategic investment rather than only a technological one. Many organizations today are still not aware of the risks their organization faces in cyberspace or how they can mitigate these risks. The CEO, together with the board, is ultimately responsible for information security in the organization. It is therefore important that the CEO and the top management are aware of cyber-related risks and can make sound decisions that protect the organization's goals and assets.
This master thesis looks into top management involvement in cybersecurity and how to get the top management more involved in cybersecurity in order to mitigate the risk of cybersecurity threats. The CISO (Chief Information Security Officer) role emerged as a possible solution for spreading knowledge and awareness, making top management understand the importance of their involvement in cybersecurity. Throughout this thesis we aimed to answer three research questions:
"Has it become more important that top management involve themselves in cybersecurity?",
"Who should have the overall responsibility for cybersecurity in an organization?", and
"How can a CISO help improve an organization's cybersecurity overall?"
The last research question was divided into two sub-questions for better clarification:
○ "What should be the CISO's responsibilities?"
○ "Where in the organizational structure should the CISO be placed?"
In this thesis a qualitative research method was used, including a systematic literature review. A total of nine interviews were conducted with one information security leader, four CISOs, two CEOs and two information security experts. The systematic literature review showed that the field is understudied and that the studies previously done mostly propose academic solutions or models for the mitigation of risk. Some studies found during the literature review were still relevant and supported the data found in the interviews of this thesis. The interview respondents all had some experience in the field of cybersecurity, and all of the interviews produced relevant data. Towards the end of the study two cybersecurity experts were contacted to see if they agreed or disagreed with the research findings, thereby triangulating our data. The findings from the interviews indicated that the top management needs to involve themselves in cybersecurity, know about the organization's important assets and be aware of cybersecurity threats. Another finding was that the CISO role can help the top management be more involved in cybersecurity. A CISO who can communicate cybersecurity strategies, risks and awareness in a clear, understandable way will enable the top management to more easily take correct and important decisions related to cybersecurity.
The placement of the CISO role in an organization was the only subject where the experts and the other interview candidates had slightly different opinions; however, all agreed that the CISO should have a clear communication path to the top management. Overall, the results from our study supported the research statement: "It is crucial that top management gets involved in cybersecurity in order to properly secure an organization." This shows that it is crucial that decision makers (top management) have the best knowledge possible for making cybersecurity-related decisions in an organization. Such knowledge can help them make the correct decisions regarding funding, strategies, measures and other decisions related to cybersecurity, and therefore also better protect the organization from cybersecurity threats. It is clear that the CISO should have a direct line of communication with the CEO and the top management. Furthermore, the involvement of the CEO and the top management in cybersecurity is necessary for the organization to secure itself against cybersecurity threats, as they possess the knowledge about the important assets of the organization.