While the CISO will have a security team, everyone needs to understand that the security team alone does not keep the organization safe; its role is to spread security practice across the organization. Organizational risk decreases only when a culture of security pervades every part of the organization.
Key to this is education, including general cyber security awareness, operational security awareness, and training that helps developers introduce fewer vulnerabilities as they write code. This is not a one-time effort; education needs to be ongoing, current, and engaging.
In IT security, the CISO’s team can help create and implement policies for everything from authentication to procurement.
In product security, the goal of the CISO’s team is to help product teams adopt a proper secure development life cycle (SDLC), one that accounts for security at every phase. This can be supplemented by more testing and better testing, which allows more vulnerabilities to be located and eliminated before product release.
When things go wrong (and things always go wrong), having a plan is important. Defining policies for incident response helps your organization minimize damage and respond quickly to security events.