ABSTRACT

Overview

The emergence of the Chief Information Security Officer (CISO) as a valued position within government and private sectors is a relatively new phenomenon. Within the last five years in particular, there has been a significant emphasis on information security through emerging laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley (SOX), and the Federal Information Security Management Act (FISMA), and through the refinement of supporting control frameworks such as ISO 17799 (ISO 27001:2005), Control Objectives for Information and related Technology (COBIT), the Information Technology Infrastructure Library (ITIL), and others. Why is this significant? In the past, information security was relegated to log-on IDs and passwords, performed somewhere deep in the information technology organization as an “IT” task typically handled by a lower-level associate; today there is an increasing recognition that information security is essential to the business. Along with this comes the recognition that the CISO must have a wide range of skills to be effective within the organization.