A Descriptive Study of Chief Information Security Officers’ Roles and Responsibilities in Texas State Government Agencies
Abstract
Research Purpose
The purpose of this research is to describe the responsibilities of Texas Chief Information Security Officers (CISOs). This research should give stakeholders and policy makers a better understanding of Chief Information Security Officers’ responsibilities. In addition, it provides information security professionals with a landscape of CISOs’ responsibilities. A comprehensive review of the literature was used to develop a framework with five descriptive categories: managerial, legal, technical, career development, and information security.
Method
This research, via a survey developed from the conceptual framework, gathered data on the responsibilities of CISOs. An open records request was sent to all state offices in Texas. The survey was distributed to 100 CISOs. After carefully sifting through the responses received for the open records request, a total of 100 names of CISOs or similar titles were obtained. As a result, the survey was administered to a total of 94 potential respondents. A total of 27 individuals responded to the survey, and out of the 27 respondents only eleven explicitly identified as Chief Information Security Officers.
Results
The results of this survey show that CISOs overwhelmingly rate several managerial, legal, and information security responsibilities as extremely important. Extremely important responsibilities include risk management (77%), incident response (77%), information security policies (74%), procurement and contracts (70%), ethics (81%), data security (89%), and network security (70%). Survey results also revealed that respondents indicated software development is not part of CISO responsibilities (66%).