What is a CISO? Responsibilities and requirements for this vital leadership role:
This was a common topic on the late lamented PVC Security podcast. Let's dive in!
CISO definition
The chief information security officer (CISO) is the executive responsible for an organization's information and data security. While in the past the role has been rather narrowly defined along those lines, these days the title is often used interchangeably with CSO and VP of security, indicating a more expansive role in the organization.
Ambitious security pros looking to climb the corporate latter may have a CISO position in their sights. Let's take a look at what you can do to improve your chances of snagging a CISO job, and what your duties will entail if you land this critical role. And if you're looking to add a CISO to your organization's roster, perhaps for the first time, you'll want to read on as well.
CISO responsibilities
What does a CISO do? Perhaps the best way to understand the CISO job is to learn what day-to-day responsibilities that fall under its umbrella. While no two jobs are exactly the same, Stephen Katz, who pioneered the CISO role at Citigroup in the '90s, outlined the areas of responsibility for CISOs in an interview with MSNBC. He breaks these responsibilities down into the following categories:
- Security operations: Real-time analysis of immediate threats, and triage when something goes wrong
- Cyberrisk and cyber intelligence: Keeping abreast of developing security threats, and helping the board understand potential security problems that might arise from acquisitions or other big business moves
- Data loss and fraud prevention: Making sure internal staff doesn't misuse or steal data
- Security architecture: Planning, buying, and rolling out security hardware and software, and making sure IT and network infrastructure is designed with best security practices in mind
- Identity and access management: Ensuring that only authorized people have access to restricted data and systems
- Program management: Keeping ahead of security needs by implementing programs or projects that mitigate risks - regular system patches, for instance
- Investigations and forensics: Determining what went wrong in a breach, dealing with those responsible if they're internal, and planning to avoid repeats of the same crisis
- Governance: Making sure all of the above initiatives run smoothly and get the funding they need - and that corporate leadership understands their importance
For a deeper dive, check out the whitepaper from SANS, "Mixing Technology and Business: The Roles and Responsibilities of the Chief Information Security Officer."
CISO requirements
What does it take to be considered for this role? Generally speaking, a CISO needs a solid technical foundation. Cyberdegrees.org says that, typically, a candidate is expected to have a bachelor's degree in computer science or a related field and 7-12 years of work experience (including at least five in a management role); technical master's degrees with a security focus are also increasingly in vogue. There's also a laundry list of expected technical skills: beyond the basics of programming and system administration that any high-level tech exec would be expected to have, you should also understand some security-centric tech, like DNS, routing, authentication, VPN, proxy services and DDOS mitigation technologies; coding practices, ethical hacking and threat modeling; and firewall and intrusion detection/prevention protocols. And because CISOs are expected to help with regulatory compliance, you should know about PCI, HIPAA, NIST, GLBA and SOX compliance assessments as well.
But technical knowledge isn't the only requirement for snagging the job - and may not even be the most important. After all, much of a CISO's job involves management and advocating for security within company leadership. IT researcher Larry Ponemon, speaking to SecureWorld, said that "the most prominent CISOs have a good technical foundation but often have business backgrounds, an MBA, and the skills needed to communicate with other C-level executives and the board."
Paul Wallenberg, Senior Unit Manager of Technology Services at staffing agency LaSalle Network, says that the mix of technical and nontechnical skills by which a CISO candidate is judged can vary depending on the company doing the hiring. "Generally speaking, companies with a global or international reach as a business will look for candidates with a holistic, functional security background and take the approach of assessing leadership skills while understanding career progression and historical accomplishments," he says. "On the other side of the coin, companies that have a more web and product focused business lean on hiring specific skillsets around application and web security."
CISO certifications
As you climb the ladder in anticipating a jump to CISO, it doesn't hurt to burnish your resume with certifications. As Information Security puts it, "These qualifications refresh the memory, invoke new thinking, increase credibility, and are a mandatory part of any sound internal training curriculum." But there are a somewhat bewildering number to choose from - Cyberdegrees.org lists seven. We asked Lasalle Network's Wallenberg for his picks, and he gave us a top three:
- "Certified Information Systems Security Professional (CISSP) is for IT professionals seeking to make security a career focus."
- "Certified Information Security Manager (CISM) is popular for those who are looking to climb the ladder within the security discipline and transition into leadership or program management."
- "Certified Ethical Hacker (CEH) is for security professionals looking to obtain an advanced awareness of issues that can threaten enterprise security."
CISO vs. CIO vs. CSO
Security is a role within an organization that inevitably butts heads with others, since a security pro's instincts are to lock down systems and make them harder to access - something that can conflict with IT's job of making information and applications available in a frictionless way. The way that drama plays out at the top of the org chart can be as a CISO vs. CIO battle, and the contours of that fight are often established by the lines of reporting within an organization. (CSO discussed this in depth in the article "Does it matter who the CISO reports to?") Even though both titles have "C" in the name, it's relatively common for CISOs to report to CIOs, which can constrain CISO's ability to execute strategically, as their vision ends up being subordinated to the CIO's overall IT strategy. CISO's definitely gain clout when they report directly to the CEO or the board, which is becoming an increasingly common practice. This might involve a change of title - according to the Global State of Information Survey 2018, CISOs are more likely to be subordinated to a CIO, whereas a security exec with the title of Chief Security Officer (CSO) is more likely to be on the same level as the CIO - and to have non-tech security responsibilities to boot.
Placing CIOs and CISOs on equal footing can help tamp down conflict, not least because it sends a signal to the whole organization that security is important. But it also means that the CISO can't simply be a gatekeeper vetoing technical initiatives. As Ducati CIO Piergiorgio Grossi told i-CIO magazine, "it's up to the CISO to help the IT team provide more robust products and services rather than simply saying 'no.'" This shared responsibility for strategic initiatives changes the dynamics of the relationship - and can mean the difference between success and failure for new CISOs.
CISO job description
If you're part of a search for a promising CISO for your organization, part of that involves writing a job description - and much of what we've discussed so far lays the foundation for how you'd approach that. "Companies first decide if they want to hire a CISO and obtain approvals for the level, reporting structure, and official title for the position - in smaller companies, CISOs can be VPs or Director of Security," says Lasalle Network's Wallenberg. "They also need to set the minimum requirements and qualifications of the role, and then go to market for external candidates or post for internal applicants."
CSO Senior Editor Michael Nadeau lays out in some detail how you'd approach writing a CISO job description. One of the important things he points out is that your description should make your organization's commitment to security very clear from the get-go, because that's how you're going to attract a high-quality candidate. You should highlight where the new CISO will end up on the org chart and how much board interaction they'll have to really make this point clear. Another important point he makes is to keep the job description fresh, even if you have someone in the role - after all, you never know when that person will move on to another opportunity, and this is a crucial job that you don't want to leave unstaffed.
CISO salary
CISO is a high-level job and CISOs are paid accordingly. Predicting salaries is more of an art than a science, of course, but the strong consensus is that salaries above $100,000 are typical. As of this writing, ZipRecruiter has the national average at $153,117; Salary.com pegs the typical range even higher, as between $192,000 and $254,000.
If you check out Glassdoor, you can see salary ranges for current CISO job openings, which can help you get a sense of which sectors pay more or less. For instance, at this writing there's an open CISO position in the federal government that pays between $164,000 and $178,000, and one at the University of Utah that pays between $230,000 and $251,000.
CISO jobs
The CISO job landscape is always changing, and CSO has plenty of material to keep you up to date - how to get a CISO job, and how to navigate the career landscape. You might want to check out:
- "A CISO's guide to avoiding certain CISO jobs" : Not all CISO jobs are created equal, and some will set you up for failure that can have negative career implications down the line. Here's some tips on red flags to watch out for.
- "Why do CISOs change jobs so frequently?": The average CISO only stays on the job for 24-48 months, according to market research. Find out what these fast moves mean for the industry and how you can react.
- "What is a virtual CISO?": C-level execs aren't immune to the trend towards "on-demand" employees who work on part time contracts rather than occupying full-time positions. This article will explain what virtual CISOs can and can't do, which is important if you're competing against them for jobs - or want to become one yourself.
(Via CSO Online)
A few notes:
The CISO/CSO and analogs suffer from a short life span and a need to impress the Board of Directors. Most CISO's are in poor situations at the start, and anyone who aspires to such a role needs to know the disadvantages,
The CISO/CSO often reports to the CIO, which is a conflict of interest. I generally recommend reporting to CEO directly or else the COO or CFO.
CISO/CSO roles require strong reporting managers and talented teams plus reliable managed security service providers. The best way to determine their value is by measuring them. Yet many enterprises I visit fail to measure even the most obviously valuable metrics but want their Top Ten lists.
This is a solid summary of the CISO role. If you target this in your career path, this article is useful.