This generally means the ability to create and operate the group processes that generate policies and control standards in any appropriate arena.
The Security Lead should have the right to inspect protection process and procedure.
This implies the uninhibited, and unfettered access to information, including the people and systems containing that information, to the extent necessary to gather but not alter content and metadata. Generally, this must be able to happen without the knowledge or consent of anyone operating the systems that control that content in order to perform investigative process and stop subversion of measurement processes.
The Security Lead should have the capacity to meaningfully analyze feedback to determine actions to induce.
Adequate analytical capability includes both personal skills and knowledge in context of the enterprise and the availability of adequate resources in the form of external expertise, computational resources, and tools.
The Security Lead should have direct management control over protection functions.
While it is often inadvisable for the Security Lead to have direct control over operations, direct control of other aspects is common. This implies that the Security Lead has staff that works for them and over which they have hiring and termination responsibilities as well as all other related management control and power.
There is usually an individual in charge of the overall information protection program, and oftend titled as the Chief Information Security Officer (CISO) - which we identify as the Security Lead. In order for the protection program to be effective, the Security Lead has to have (1) the power and influence within the enterprise to effectively control the protection program and process, (2) the information and access to find out what is going on within the enterprise, and (3) the knowledge and skills necessary to understand and apply the actuators effectively to get the process and program to meet the duties to protect. Many enterprises have high cost plus loss because top management fails to: (1) understand the role of the Security Lead, (2) place the Security Lead properly in governance, (3) provide adequate power and influence for the Security Lead, or (4) grant the Security Lead adequate access to information.