The CISO Role: What Does a Chief Information Security Officer Do?

With the high rate of cyberattacks today, the role of a chief information security officer (CISO) has become more important — and much more visible. Businesses have been forced to invest in guarding their infrastructures, networks and sensitive data.

This blog post takes a look at the basics of the CISO role, as well as the CISO's main tasks and responsibilities.

Defining the CISO role

Part of the so-called “C-suite”, a Chief Information Security Officer is a senior executive who is responsible for developing and implementing an information security program that protects an organization's data and systems. CISOs are responsible for managing risk and ensuring that the organization's security posture is aligned with its business objectives.

CISOs work closely with other senior executives, such as the chief information officer (CIO) and chief technology officer (CTO), to ensure that the organization's security program is effective and efficient. CISOs typically have a background in information security, computer science, computer engineering or another related field.

To succeed as CISO, you must have extensive knowledge of security technologies and processes as well as a strong understanding of business and risk management. Understanding the security side isn’t enough though. Crucially, CISOs must be able to:

  • Effectively communicate with both technical and non-technical staff.
  • Clearly articulate the organization's security posture to senior management (particularly when the situation is not satisfactory).

Primary responsibilities of CISOs

OK, so those are the broad strokes, but what does a CISO actually do? A CISO is responsible for the overall security of an organization's information systems. This includes:

  • Developing and implementing security policies and procedures, perhaps using a security framework as a guide
  • Managing security staff, which means overseeing many security teams at larger organizations
  • Understanding network activity and preparing for potential threats
  • Overseeing incident response and disaster recovery planning
  • Coordinating the response and recovery efforts when a data or security breach occurs
  • Reporting to the designated hierarchy, which might be the CIO, the CEO and even the board of directors

CISO skills and experience

A CISO is a leader who often manages security engineers and marshals resources to react and respond to mission-critical situations. Hence, CISOs should combine deep knowledge of information security, experience in information technology, risk management and leadership skills. Auditing skills can be a fine addition.

Besides responding to breaches, monitoring threats and devising strategies to reduce risk, a CISO must align security strategies to business goals while allocating resources for maximum efficiency. So, a strong business understanding can go a long way in making an effective chief information security officer.

Many companies require a CISO to have an advanced degree in computer science, engineering, or business. They're often also required to have certifications. A CISO can be certified as:

  • An information systems auditor or security manager by ISACA
  • An Information Systems Security Professional by (ISC)2

How the CISO role came to be

The term CISO was first introduced by Citigroup around 1994 when they hired Steve Katz to set up a security office to make technology more secure. As you can see, the crux of the role hasn't changed that much over nearly three decades.

Nevertheless, while a CISO's responsibilities were for a long time limited to governance, policymaking and monitoring traffic, some exciting additions are now part of the CISO's role. A CISO builds bridges between technical and nontechnical executives, subject matter experts, security professionals and developers.

Hierarchy & reporting structure around CISOs

Traditionally, CISOs reported to the CIO. This has changed considerably in recent years: 61% of CISOs no longer report to the CIO. Instead, they report to the CTO, the COO or sometimes directly to the CEO.

As for who reports up to the CISO, a survey of 3,600 security professionals showed that 48% of security teams report to the CISO, who helms the overall security effort. The same study by ISACA also showed that security assessments are more likely to be aligned with IT and business goals when the CISO is in charge of the security teams.

CISO salary

Based on the importance of this role, you’d be safe in assuming that CISOs draw hefty paychecks. Because threat actors have grown more aggressive, the salary of CISOs has risen remarkably in the last decade.

According to a variety of sources, the median CISO salary was in the vicinity of $130,000 to $190,000 in 2015. It reached the $220,000 mark before 2017.

As of October 2022, the average base salary in the USA is $234,025. Depending on the role, the context, the organization and overall experience, a CISO's salary can go well up to $585,000 — and that’s before bonuses that are often standard for C-level roles.

CISO vs. other roles

CISOs are often compared to other C-suite roles. Let’s look briefly at the differences.

CISO vs. CTO vs. CIO

A CISO is responsible for the security of an organization's information systems, while a CIO or CTO is responsible for their overall operation and management. Although they do share some responsibilities, they have different priorities and focus on different aspects of the organization's information systems.

A CISO reports to the CEO or CIO, whereas a CIO and CTO report to the COO.

CISOs are typically more focused on security than CIOs or CTOs, and their role is to ensure that the organization's information systems are secure from internal and external threats.

CISO vs. vCISO

A vCISO is a virtual chief information security officer. This new role is becoming more popular in organizations that are looking for ways to improve their cybersecurity posture. The vCISO is responsible for providing strategic direction and leadership for the organization's cybersecurity program. Responsibilities of a vCISO include:

  • Developing and implementing security strategies that align with business goals.
  • Managing and overseeing the day-to-day operations of the security team and ensuring that the security program is effective.

Sounds like a CISO, except for a key difference: vCISOs are not full-time employees of the organization. Instead, they are hired as consultants to provide their expertise and guidance. This allows organizations to benefit from a CISO without the cost of hiring one full-time. Additionally, a vCISO can be more flexible in their approach to cybersecurity, which can be beneficial in today's rapidly changing threat landscape.

How to hire a CISO

CISOs are a valuable part of keeping organizations secure, but you still might be wondering why you should hire one. You want a CISO for:

  • Management and security of information resources
  • Maximizing ROI on security-related decisions
  • Staying ahead of the threat landscape
  • Compliance with industry standards
  • Aligning security with business

If you decide to hire a CISO, these are the qualities to look for:

  • Deep experience in working with information assets
  • Solid knowledge of data governance and understanding of compliance structures
  • Ability to assign business value to security efforts
  • Ability to trigger actions that would strengthen security
  • Risk management skills
  • Leadership qualities
  • A calm demeanor, especially under pressure

Summing up the CISO

Cybersecurity is a never-ending battle that requires constant vigilance and the skills of professionals with the right qualifications and experience.

The CISO is responsible for safeguarding an organization's information assets. They do this by ensuring that a company's IT infrastructure is secure, investigating security incidents and working with other members of the organization to ensure that the IT department and all employees are following best practices.

This posting does not necessarily represent Splunk's position, strategies or opinion.

Posted by Stephen Watts

Stephen Watts works in growth marketing at Splunk. Stephen holds a degree in Philosophy from Auburn University and is an MSIS candidate at UC Denver. He contributes to a variety of publications including CIO.com, Search Engine Journal, ITSM.Tools, IT Chronicles, DZone, and CompTIA.