What Does a Chief Information Security Officer Do?
What is a CISO?
A Chief Information Security Officer (CISO) is the five-star general of an IT security department and its staff. In this C-level management position, you’ll select, oversee and provide leadership for any initiatives that concern the overall security of an organization. On one day, you might be putting together a complex risk management program. On another, you may be overseeing your company’s response to a sudden, large-scale threat. At big companies, you may even find yourself consulting with the FBI, law enforcement and government on corporate security matters.
It’s high-level stuff, and it requires a unique set of technical skills and extensive experience. A lot of budding CISOs work their way up from technical jobs (e.g. security engineer, security analyst, etc.) and leadership positions (e.g. security manager). The best CISOs are the ones who remember what it’s like to work in the trenches.
CISO Job Responsibilities
Expect a job with a certain amount of power and creative freedom. But also remember that this power will depend a lot on the organization – some CISOs have little to none. As the head of IT security, you could be required to:
- Appoint and guide a team of IT security experts
- Create a strategic plan for the deployment of information security technologies and program enhancements
- Supervise development of (and ensure compliance with) corporate security policies, standards and procedures
- Integrate IT systems development with security policies and information protection strategies
- Collaborate with key stakeholders to establish an IT security risk management program
- Audit existing systems and provide comprehensive risk assessments
- Anticipate new security threats and stay-up-to-date with evolving infrastructures
- Monitor security vulnerabilities, threats and events in network and host systems
- Develop strategies to handle security incidents and coordinate investigative activities
- Act as a focal point for IT security investigations and direct a full investigation with recommended courses of action
- Prioritize and allocate security resources correctly and efficiently
- Prepare financial forecasts for security operations and proper maintenance cover for security assets
- Provide leadership, training opportunities and guidance to personnel
- Work with senior management to ensure IT security protection policies are being implemented, reviewed, maintained and governed effectively
- Spearhead education programs focused on user awareness and security compliance
In addition to these efforts, you may be involved in a large variety of non-technical managerial tasks. At the end of the day, the CISO reports on security to the CIO or the CEO.
Chief Information Security Officer Careers
CISO Career Paths
To become the boss, CISOs must spend years in the field of information security. You could consider getting your start as a:
- Security Administrator
- Network Administrator
- System Administrator
You can then build your technical and interpersonal skills in jobs such as:
Eventually, you will need to progress to a senior-level position where you can gain experience with leadership, project management and organizational politics.
The highest position in IT security goes by a variety of names, though CISO seems to be the most popular. Similar job titles include:
- Chief Security Officer (CSO)
- Information Security Officer (ISO)
- Global Head of Information Security
Payscale has two categories for Information Security Officers:
- The median salary for a CISO is $156,659 (2019 figures). Overall, you can expect to take home a total pay of $105,177 – $255,135.
- The median salary for a CSO is $145,110 (2019 figures). Overall, you can expect to take home a total pay of $66,717 – $247,798.
Total pay figures include your base annual salary, bonuses, profit sharing, tips, commissions, overtime pay and other forms of cash earnings, as applicable.
CISO Job Requirements
When it comes to CISO job descriptions, employers aren’t messing around. They’ll usually want to see: a relevant technical degree; at least 7 years of prior experience; tons of exposure to management situations; IT security chops; and soft skills. Don’t discount the last category. Meeting those demands will probably land you the job.
We also recommend you do a bit of field research. Current Chief Information Security Officers are often busy, but remember that you always have the option to connect with them at a conference or networking event. You can also volunteer to take on complex security projects at your current workplace; study for an MBA or MS in Cyber Security via distance learning; and/or apply for jobs that are one rung below where you’re eventually aiming to be. For example, you could work for a couple of years as a Security Director in a small (but well-known and respected) IT company.
At bare minimum, you will need a bachelor’s degree in Computer Science, Cyber Security or a related technical field.
As security issues become more dangerous and complex, some employers are starting to specify that CISOs must also have a technical master’s degree with a concentration in IT security. Continued training and solid security & management certifications won’t go amiss.
Expect to spend 7-12 years working in IT and security before you begin filling out applications for a CISO position. Try to ensure that at least 5+ years of that experience is spent managing security operations and teams.
By the time you reach the top, you should have the same technical skills as the best of your engineers. These skills can include:
- Practices and methods of IT strategy, enterprise architecture and security architecture
- Security concepts related to DNS, routing, authentication, VPN, proxy services and DDOS mitigation technologies
- ISO 27002, ITIL and COBIT frameworks
- PCI, HIPAA, NIST, GLBA and SOX compliance assessments
- Windows, UNIX and Linux operating systems
- C, C++, C#, Java and/or PHP programming languages
- Firewall and intrusion detection/prevention protocols
- Secure coding practices, ethical hacking and threat modeling
- TCP/IP, computer networking, routing and switching
- Network security architecture development and definition
- Knowledge of third party auditing and cloud risk assessment methodologies
Employers demand a lot of their CISO candidates. In addition to expert oral and communication skills, they will want to see evidence of organization, process-oriented thinking, strategic planning and creative attack. In other words, the same skills that a five-star general brings to the field of battle.
Interpersonal and negotiation skills are hugely favored. Every day, CISOs must operate within a complex organization, interacting with and influencing multiple stakeholders. Employers need to know that you are capable of directing a team, collaborating with high-level executives and building relationships with a diverse set of departments.
Finally, employers are looking for results. CISOs must be able to juggle the pressures of legal/regulatory requirements, financial constraints and technological adoption with the imperative to get multi-year programs and projects accomplished.
Certifications for CISOs
IT security certifications are required when it comes to this level of management. CISSP and CISM are two of the most widely recognized, but there are plenty of others to consider.
- CISA: Certified Information Systems Auditor
- CISM: Certified Information Security Manager
- GSLC: GIAC Security Leadership
- CCISO: Certified Chief Information Security Officer
- CGEIT: Certified in the Governance of Enterprise IT
- CISSP: Certified Information Systems Security Professional
- CISSP-ISSMP: Information Systems Security Management Professional