What Is A Chief Information Security Officer? CISO Explained
The title of Chief Information Security Officer, or CISO, emerged during the 1990s as the first large-scale cyber attacks started to occur. Since then, it’s become a near-ubiquitous role in any large organization that takes cybersecurity seriously. According to analyst firm Cybersecurity Ventures, indeed 100% of Fortune 500 companies employed a CISO or an equivalent role in 2023, up from 70% in 2018, with at least 32,000 CISOs working globally and more than 7,500 in the U.S. And that number’s rising all the time.
We take a look at what the role entails, and how to become a CISO.
What Is A Chief Information Security Officer?
A CISO is, usually, a C-suite executive who oversees an organization’s information security, developing and implementing policies to keep critical data secure.
While this is a necessary function for any business, CISOs tend to be found only in larger organizations, with small- to medium-sized businesses more likely to blend the role with more general security responsibilities. According to Cybersecurity Ventures, while all the U.S.’s biggest companies employ a CISO, virtually no small businesses do. As you’d expect, the role has more importance in organizations that handle large amounts of sensitive information, whether that’s intellectual property or customer data. Thus, it’s a particularly important function for financial institutions, government bodies and the like.
What Does A Chief Information Security Officer Do?
A CISO’s responsibilities include developing and implementing information security policies, from risk management and policy development to compliance and incident response planning.
In day-to-day terms, this means liaising with other C-suite executives such as the CEO or Chief Financial Officer, along with other senior security professionals and technical teams, on how to prepare for, assess and manage new and potential cyber threats. Over the longer term, they’ll create a cybersecurity strategy aligned with the organization’s goals, maintain regulatory compliance, carry out ongoing risk management and assessment and oversee staff training programs. They’ll also liaise with vendors and supply chain partners over security issues to create and, when necessary, implement the organization’s incident response plan, including working with external experts and legal authorities.
CISO Vs. CIO: What’s The Difference?
The chief information officer has a broader range of responsibilities than the CISO, with the CIO taking responsibility for all of an organization’s IT, rather than just security issues.
The CIO has the greater seniority of the two, developing and implementing the entire IT strategy, overseeing all IT staff and managing budgets. This means taking responsibility for all software, hardware and infrastructure, including software and hardware upgrades and network optimization, as well as with the overall management of data. Thus, the CIO is a position of greater responsibility, with more focus on the business as a whole. The two will work together closely; often, the CISO will report to the CIO, although reporting directly to the CEO or chief operations officer is more common.
CISO Vs. CSO: What’s The Difference?
These days, the titles of chief information security officer and chief security officer are often used interchangeably, with the CISO role focused on cybersecurity.
However, the CSO original job description, and the one that still persists in many organizations, covers the security of physical as well as digital assets. This could encompass control over access to corporate sites, surveillance and liaison with law enforcement and external business partners. It will also involve managing any security staff. In some cases, the job of CSO also covers the physical security of employees, for example in the case of factories or banks, covering safety procedures and emergency response plans.
What Are The Necessary Skills and Qualifications Of A CISO?
CISOs will need a broad range of abilities and qualifications. As it’s a management role, soft skills such as leadership, communication and strategic thinking are a must.
The job also requires a high level of technical knowledge. In terms of educational background, a CISO will generally have, as a minimum, a bachelor’s or master’s degree in a subject such as computer science, information technology, engineering or cybersecurity. On top of this, though, they will usually have other certifications, such as Certified Information Systems Security Professional, Certified Information Security Manager or Cybersecurity Analyst Certification. CISOs will also need to stay on top of new technical developments, such as AI, as they arise. Most CISOs will also have several years’ experience in a more junior cybersecurity role.
Why Is It Important To Have A CISO?
All businesses, from the largest to the smallest, need somebody to oversee their data security. However, the size of the organization will generally dictate just how many staff can be devoted to security functions, and thus whether or not they can afford to keep it as a specialist role.
In smaller organizations, therefore, the role of CISO is often subsumed into that of the CIO. In other cases, a company may hire a virtual CISO, or vCISO — an external advisor or consulting firm that works for the business only part-time. The advantage of this is that a vCISO is likely to have a greater level of expertise than a company could otherwise afford. Some types of organization will have greater need than others for a dedicated CISO: those making use of large amounts of data, for example, or those where the legal and reputational consequences of a breach would be particularly severe.
What Is The Average Salary of a CISO?
The average salary for a CISO in the U.S., according to recruitment platform Glassdoor, is $313,036 per year, plus an average bonus of $110,366. In the U.K., it’s £132,745 plus an average £23,779 bonus.
However, these averages disguise a very wide range, according to figures published in October 2023 by IANS Research and Artico Search. More than half of the 600 U.S.-based CISOs it polled said they were earning less than $400,000 in salary, bonuses and equity, with three in ten pulling in less than $300,000. At the other end of the scale, though, one in five was making more than $700,000. Only 28% fell in the middle. Overall, found the survey, pay rose by 11% year over year. Fortune 500 companies, particularly in industries such as finance, health and defense, tend to offer the highest pay.
How Can You Become a CISO?
As we’ve seen, there’s a fairly high level of formal education required for the role of a CISO — at least bachelor degree level — along with other specialist cybersecurity accreditations.
However, that’s only the start: the role of CISO is very far from an entry-level job. Most people moving into the role will have between five and ten years’ experience in other IT roles, whether that be security analyst, security engineer, network administrator or network architect. A certain level of management experience will also be required. This could mean taking a position as a cybersecurity manager, security director or security administrator — or even, in an organization large enough to have one, deputy CISO. Aspiring CISOs should aim to get as broad a range of experience as possible, from governance and compliance to incident management. CISO positions will, of course, be easier to get in smaller organizations.
What Is The Future of CISO Roles?
The role of the CISO has steadily increased in importance over the decades, as cybersecurity threats have proliferated. At the same time, the regulation around data privacy and security has become ever more restrictive.
CISOs are now more likely to engage directly with the CEO, and are taking on a broader scope and increased responsibility, with a greater strategic focus. According to a survey from Gartner, nearly nine in ten boards now regard cybersecurity as a business risk, rather than a technology risk. Meanwhile, new technologies, such as the cloud, AI, and the internet of things are constantly bringing new dangers, and thus require new strategies to deal with them. Meanwhile the shift to remote working has brought new problems of its own. And as the attack surface expands, so too do the consequences of a security failure, particularly given the increasing prevalence of ransomware attacks.
Bottom Line
The role of a CISO carries responsibility for all aspects of an organization’s information security policy, and requires a broad range of both technical and management skills. And with the threat landscape constantly expanding, it is increasing in importance all the time.
link