TISAX® Demystified – Episode 2

TISAX® Demystified Blog Ep. 2: Define the organization, roles, ownership.

Who’s Driving the Security Bus? Roles, Rules, and Responsibilities

Having a policy is one thing.
Making sure people actually know what they’re supposed to do – that’s something else entirely.

TISAX® doesn’t give points for best intentions. It expects structure.
Chapter 1 of the VDA ISA 6.0.3 catalog (IS Policies and Organization) sends a clear message:
assign the right roles, define who does what, and make sure the people who oversee a control aren't the same people who operate it.

Here's what it's really asking for:
• A real Information Security Officer – not someone with the title but no time or authority
• Defined responsibilities for things like risk management, incident response, and awareness training
• No overlap between who does the work and who reviews it
• A documented security org chart, not just a verbal “everyone kind of knows”
• A working escalation path when things go wrong

Where companies mess this up:
• Security tasks get sprinkled into people’s jobs, but no one owns anything
• The same person writes the policy, implements it, audits it, and reports on it
• No one outside of IT knows what the escalation path is – or that there even is one
• People only find out they’re the “ISMS coordinator” when the auditor walks in

What to do instead:
• Put the roles on paper – name names
• Separate responsibilities for execution and oversight
• Make sure people actually understand what’s expected of them
• Don't just rely on org charts: walk through a concrete scenario (a suspected data leak, a lost laptop with customer drawings on it) and see if the structure holds. Who notices, who escalates, who decides, who informs the customer?

Bottom line:
If everyone’s responsible, then no one is.
Assign the roles, build the structure, and test it before you get asked to prove it.

Next up:
Episode 3 – “Hiring Hackers? Protect Your Company Before Day One”
We’ll get into why HR security isn’t a soft topic – it’s where the real risk starts.

#TISAX #ISMS #InfoSec #GSInfoSec #Consulting #Automotive #Cybersecurity