Security Practitioner’s Roles and Responsibilities


The effective realization of an organization’s mission and vision lies in the ability of its management to identify and deal with potential security challenges. Today, hackers can access an organization’s information system and steal critical data with a view to impairing organizational performance. Hence, many institutions have established security measures to guarantee the safety of their systems. Security procedures should not be difficult to control. In addition, they are not expected to interfere with organizational performance. Companies assign different roles and responsibilities to various employees depending on their positions. Hence, it is crucial to examine the various roles and responsibilities given to security practitioners.

Roles and Responsibilities

The senior management may involve board members, chief information officers, and the chief executive administrator. This team of security practitioners is responsible for guaranteeing the safety of an organization (Tøndel, Line, & Jaatun, 2014). Consequently, it evaluates safety requirements in line with institutional goals. The management team guarantees consistency in the handling of system-related threats.

Moreover, it ensures that prevailing and potential safety issues are addressed in ways that mirror organizational risk tolerance to ensure that they do not compromise the respective institution’s mission and vision (Baskerville, Spagnoletti, & Kim, 2014). The senior management understands the entire organization’s operations (Tøndel et al., 2014). Thus, it is responsible for formulating a comprehensive approach to dealing with security challenges that might arise to interrupt operations in the company. It also supervises all activities that are geared towards guaranteeing the safety of an organization’s information systems.

The chief executive officer (CEO) holds the highest position in an organization. This security practitioner is mandated to ensure the safety of an organization’s information system with a view to ensuring continuous institutional growth (D’Arcy, Herath, & Shoss, 2014). Security protection measures executed by this official should be proportionate to the impact of a possible risk not only on the organization but also on employees, clients, and the public.

This security agent has a duty to make sure that information safety procedures are factored into an organization’s operational and strategic plans (Nieles, Dempsey, & Pillitteri, 2017). Moreover, the official makes sure that a business does not operate under unprotected information systems. A company has to equip its employees with requisite skills to implement information security procedures. It is the responsibility of the CEO to make sure that experienced workers abide by the laid down information security guidelines, instructions, policies, and standards.

The chief information officer (CIO) is another security practitioner who is responsible for formulating and enforcing security regulations, control techniques, and procedures aimed at guaranteeing the safety of a company’s information systems. The CIO also appoints a senior officer who is in charge of information (D’Arcy et al., 2014). This team of security practitioners supervises and trains employees who are given the duty of promoting information security.

The CIO works in collaboration with other senior management employees to ensure that they discharge their security duties effectively (Nieles et al., 2017). The CIO, in partnership with other managers, compiles annual reports that detail the successes and vulnerabilities of the company’s information security program before offering recommendations on what should be done.

The Information Steward is another security practitioner who functions as an institutional employee with legal, operational, and managerial control over specific data. This officer formulates rules and regulations that guide the production, compilation, processing, and distribution of information (Nieles et al., 2017). The Information Steward also participates in the development and implementation of safety measures intended to safeguard a company’s data.

The Senior Agency Information Security Officer (SAISO) is an institution’s employee mandated with discharging the CIO security duties under the Federal Information Security Management Act (FISMA) (Nieles et al., 2017). This agent acts as a principal link between the CIO and system security officers, authorizing officials, and common control providers among other practitioners. Additional duties allocated to this security expert include supervising and actualizing a company-wide information safety program and playing the role of the authorizing officer whenever necessary.

The Authorizing Official (AO) is an executive or individual in the senior management team who is authorized to assume responsibility for operating an information system at a tolerable degree of risk to a company’s staff, resources, operations, and other organizations. The AO endorses safety procedures, proposed actions, and memoranda of understanding. This security official also establishes whether an organization needs to change its modes of operation or improve the prevailing information systems (Nieles et al., 2017). The practitioner makes sure that all employees who work on his or her behalf discharge their duties accordingly.

Organizations are expected to comply with established federal regulations that safeguard information privacy. The Senior Agency Official for Privacy (SAOP) is a high-ranking organization official who is responsible for ensuring that a company puts in place measures to protect the confidentiality of the information at its disposal (Nieles et al., 2017). This security practitioner has a duty to persuade businesses to abide by the established policies, guidelines, and regulations attributed to information privacy. The official evaluates organizations’ information confidentiality measures to ascertain that they are inclusive and modern. The SAOP trains contractors and workers in data privacy regulations.


The safety of an organization’s information is paramount to its success. Upholding the security of information systems requires concerted effort among different security practitioners. Moreover, companies need multiple information security controls as a way of preventing possible data breaches. All security practitioners have a duty to discharge their individual mandates and to collaborate with colleagues to maintain the safety of these information frameworks.


References

Baskerville, R., Spagnoletti, P., & Kim, J. (2014). Incident-centered information security: Managing a strategic balance between prevention and response. Information & Management, 51(1), 138-151. Web.

D’Arcy, J., Herath, T., & Shoss, M. K. (2014). Understanding employee responses to stressful information security requirements: A coping perspective. Journal of Management Information Systems, 31(2), 285-318. Web.

Nieles, M., Dempsey, K., & Pillitteri, V. Y. (2017). An introduction to information security. Web.

Tøndel, I. A., Line, M. B., & Jaatun, M. G. (2014). Information security incident management: Current practice as reported in the literature. Computers & Security, 45(1), 42-57. Web.