CISO As a Service
Chief Information Security Officer

The CISO leads and is accountable for a team of information security professionals. The size of that team varies with the size of the organization, the nature of the business, and which responsibilities are assigned to information security rather than to other technical units.

The team may include security generalists with a broad background across all information security domains, and/or specialists who focus on specific areas such as incident response, network security and security awareness.

All members of an information security team must follow two guiding principles in their role. The first is the principle of due care: security professionals must meet the organization's legal obligations as well as the professional standards of the information security field, exercising the reasonable level of care that would be expected of any security practitioner in their situation. The second is the principle of due diligence: security personnel must take reasonable steps to investigate the risks associated with a given situation. For example, if the organization is considering implementing a major new customer management system.