
Steve Levinson
Steve Levinson – Online Business Systems – VP, Risk, Security, and Privacy & CISO. As the Vice President of Online Business Systems’ Risk, Security, and Privacy Consulting Practice and Online’s Chief Security Officer, Steve leads a pragmatic, risk-based, business-minded security consulting practice that focuses on right-sized security, including advisory services; governance/program management and risk assessments (PCI, HIPAA, ISO, NIST, FedRAMP and preparation for SOC 2); technical security services (vulnerability scanning, penetration testing, red teaming, and secure code development); data protection and privacy; cloud security; and specialized security services for the healthcare and financial industries. Steve is considered a thought leader in the cybersecurity community, delivering presentations and webinars and having penned dozens of insights for many publications. Steve is an active CISSP, CISA, and QSA with an MBA from Emory Business School, and has over twenty years of IT security experience and over 25 years of IT experience. Steve’s strong technical and client management skills, combined with his holistic approach to risk management, resonate with clients and employees alike. He has performed or participated in hundreds of risk assessments and compliance assessments, starting his consulting career with Verisign and AT&T Consulting, where he provided cybersecurity consulting leadership. Since then, Steve has served as a key strategic advisor for hundreds of clients and has gained the trust of many industry partners and affiliates, earning him a seat as a respected voice at the PCI SSC’s Global Assessors Round Table. In addition to serving as virtual CISO for several clients, Steve has also performed security architecture reviews, network and systems reviews, security policy development, and vulnerability assessments, and has served as cybersecurity subject matter expert to client and partner stakeholders globally.
Wherever Steve’s travels take him – and he travels a lot – he makes friends and finds time in his busy calendar to gather as many local like-minded security professionals, colleagues old and new, to share ideas, foster connections, and build on ideas. His true professionalism and his earnest nature, together, make up the ‘magic’ that fuels the passion of those he leads. It was exactly this combination of Steve’s vision, passion, and his connections around the world that recently helped form Online’s EMEA division, expanding the organization’s security and digital transformation footprint internationally. Keeping up with the latest security trends and threats is easier than keeping up with Steve; when he’s not connecting with clients or fighting cybercrime, Steve is making meaningful memories with his family, keeping pace with his beloved pups, catching the early surf just after sunrise, or charging down a mountain slope. “Where’s Stev0?” is a common phrase jested amongst colleagues around the virtual Online office. But not to worry, if you miss him, he will circle back again soon.
In Part One of my blog series aimed at breaking down each section of Online’s security policy, we looked at some general best practices surrounding the development of a security policy. This included answering the question of “why develop a security policy?” and went into detail about developing the scope of content contained within. Now let’s take a look at the roles needed to implement an effective policy.
The intercom at the airport speaks the truth as it periodically repeats the mantra “Security is Everyone’s Responsibility”. If security is everyone’s responsibility, then even the best-written security policy is nearly worthless if it doesn’t include a section on roles and responsibilities.
A security policy has to identify WHO is responsible and WHAT they are responsible for. From there, those people can create processes to support the policy, which then improves both adoption of the policy and ultimately the overall security posture of the organization.
While the individuals or groups assigned ownership of the elements of a security program will vary from organization to organization, at a high level the elements themselves are fairly consistent. They typically include:
- Technical overseer – usually CTO or Director of IT
- Technical operations (TechOps) – usually the IT operations team, reporting to the technical overseer
- Security – usually CISO, CSO, or Security Director
- Security operations (SecOps) – Security Operations Center
- Information owner – usually business unit leaders
- Human resources
- Users – this means you!
Now let’s break down these roles one by one to gain a better understanding of how they might fit within your organizational structure:
The Technical Overseer is responsible for implementing the technology used to provide reasonable safeguards for the confidentiality, integrity, and availability of company-wide and client information assets. In addition, this individual works closely with the Security Officer to ensure that common goals are met and to understand emerging threats. While this individual is responsible for providing a strategic view, they often delegate the tactical day-to-day responsibilities to Technical Operations.
Technical Operations (TechOps) is responsible for carrying out the organization’s technical processes. This often encompasses building, maintaining, and documenting systems, networks, and data stores; provisioning access and implementing access controls; and interfacing with the business to ensure that business needs are addressed in a reasonably secure manner. Basically, this is where the rubber hits the road, and it is essential that the TechOps team understands the details of the security policy that apply to it. That is why the second half of Online’s security policy applies only to this group. In small and medium-sized businesses, the TechOps team may also be responsible for Security Operations (“SecOps”), whereas in larger organizations the SecOps team usually reports to the Security Officer.
The Security Officer is responsible for setting the overall strategy and vision of an organization’s InfoSec program. The goal is to ensure that the ‘right’ amount of security controls is in place to provide a reasonable level of protection for all digital assets. It is imperative that this person work closely with the business to ensure that they understand the value of its assets, the risks, the threats, and the controls. The Security Officer is usually accountable for developing and maintaining the security policy, and often delegates responsibility for particular elements to the applicable groups and individuals. The Security Officer is also usually accountable for security awareness training, incident response, SecOps, and addressing employee and customer security concerns.
SecOps is responsible for the day-to-day management and operations of an organization’s security controls. This includes being the “eyes and ears of the institution” to detect and respond to all pertinent security events and incidents. This role is not limited to ‘office hours’ as security events occur around the clock.
The Information Owner represents the business in determining the value and sensitivity of the data belonging to that particular business unit. Data sensitivity cannot be measured by a security or technical resource alone (though those people can weigh in on applicable laws and regulations): the business must have a true understanding of the data and its sensitivity. Only then can the IT and Security arms of the organization implement controls, including access controls, encryption, and monitoring, that provide the reasonable amount of protection for that data’s sensitivity level.
Human Resources (PeopleCare at Online) is responsible for publishing and disseminating security policies, including obtaining employee acknowledgement at the time of hire and whenever else deemed necessary. In addition, HR is responsible for vetting potential employees (e.g. background checks) and is usually the ‘group of record’ for requests to provision and deprovision user accounts and assets. Sometimes this team is also responsible for security awareness training, or at least for tracking which employees have completed it.
Each user of a company’s computing and information resources must understand the fundamental importance of those resources and recognize their own responsibility for safeguarding them. Users must guard against abuses that disrupt or threaten the viability of any system. In practice this means reading the applicable security policies, attending the applicable security training, being vigilant in looking for anomalies, and speaking up when they see something unusual.
In my next blog, I will be covering the electronic communications (e.g. e-mail) portion of security policies.
Are you looking for guidance on creating or reviewing your organization’s security policies? Feel free to reach out to me directly or leave a comment below.