Many government Chief Information Security Officers (CISOs) perform their functions solitarily within their organizations. A significant portion of them do so part-time. This is evident from a survey conducted by the Center for Information Security and Privacy Protection (CIP) among more than 100 CISOs and 40 administrators. The survey examined how CISOs experience their work and work environment.
The CIP CISO Survey makes clear that many organizations are implementing the new Government Information Security Baseline (BIO). Despite the solitary role, support is available. For example, the way to especially the NCSC, VNG/IBD and the CIP for practical support is well found and appreciated. For support networks for incident prevention and response, this is somewhat less true. They can, however, help the CISO in his tough 'role of conscience' in information security policy.
Many responding CISOs report to a director. Both CISOs and director are generally comfortable with their relationship with each other. Both agree on the duties and responsibilities of the CISO. Still, there are desires. The CISOs wish for a director who fulfills the ambassador role more emphatically, makes more budget available and is somewhat more accessible. They would also like to be more strategic themselves. The director wants a more advisory CISO.
Is the function of CISO given sufficient priority? Lack of 'middle management support', 'limited mandate', 'slow decision-making' and 'limited resources' emerged from the survey as the biggest obstacles. In addition, CISOs themselves indicated limited involvement in both change processes in information provision and information security, and in the procurement of secure hardware and software.
View the report: CISOs within the Dutch government
