What is a CISO? Responsibilities and requirements for this vital leadership role

CISO definition

The chief information security officer (CISO) is the executive responsible for an organization’s information and data security. While in the past the role has been rather narrowly defined along those lines, these days the title is often used interchangeably with CSO and VP of security, indicating a more expansive role in the organization.

Ambitious security pros looking to climb the corporate ladder may have a CISO position in their sights. Let’s take a look at what you can do to improve your chances of snagging a CISO job, and what your duties will entail if you land this critical role. And if you’re looking to add a CISO to your organization’s roster, perhaps for the first time, you’ll want to read on as well.

CISO responsibilities

What does a CISO do? Perhaps the best way to understand the CISO job is to learn which day-to-day responsibilities fall under its umbrella. While no two jobs are exactly the same, Stephen Katz, who pioneered the CISO role at Citigroup in the ’90s, outlined the areas of responsibility for CISOs in an interview with MSNBC. He breaks these responsibilities down into the following categories:

  • Security operations: Real-time analysis of immediate threats, and triage when something goes wrong
  • Cyberrisk and cyber intelligence: Keeping abreast of developing security threats, and helping the board understand potential security problems that might arise from acquisitions or other big business moves
  • Data loss and fraud prevention: Making sure internal staff doesn’t misuse or steal data
  • Security architecture: Planning, buying, and rolling out security hardware and software, and making sure IT and network infrastructure is designed with best security practices in mind
  • Identity and access management: Ensuring that only authorized people have access to restricted data and systems
  • Program management: Keeping ahead of security needs by implementing programs or projects that mitigate risks — regular system patches, for instance
  • Investigations and forensics: Determining what went wrong in a breach, dealing with those responsible if they’re internal, and planning to avoid repeats of the same crisis
  • Governance: Making sure all of the above initiatives run smoothly and get the funding they need — and that corporate leadership understands their importance

For a deeper dive, check out the whitepaper from SANS, “Mixing Technology and Business: The Roles and Responsibilities of the Chief Information Security Officer.”

CISO requirements

What does it take to be considered for this role? Generally speaking, a CISO needs a solid technical foundation. Cyberdegrees.org says that, typically, a candidate is expected to have a bachelor’s degree in computer science or a related field and 7-12 years of work experience (including at least five in a management role); technical master’s degrees with a security focus are also increasingly in vogue. There’s also a laundry list of expected technical skills: beyond the basics of programming and system administration that any high-level tech exec would be expected to have, you should also understand some security-centric tech, like DNS, routing, authentication, VPN, proxy services and DDoS mitigation technologies; coding practices, ethical hacking and threat modeling; and firewall and intrusion detection/prevention protocols. And because CISOs are expected to help with regulatory compliance, you should know about PCI, HIPAA, NIST, GLBA and SOX compliance assessments as well.

But technical knowledge isn’t the only requirement for snagging the job — and may not even be the most important. After all, much of a CISO’s job involves management and advocating for security within company leadership. IT researcher Larry Ponemon, speaking to SecureWorld, said that “the most prominent CISOs have a good technical foundation but often have business backgrounds, an MBA, and the skills needed to communicate with other C-level executives and the board.”

Paul Wallenberg, Senior Unit Manager of Technology Services at staffing agency LaSalle Network, says that the mix of technical and nontechnical skills by which a CISO candidate is judged can vary depending on the company doing the hiring. “Generally speaking, companies with a global or international reach as a business will look for candidates with a holistic, functional security background and take the approach of assessing leadership skills while understanding career progression and historical accomplishments,” he says. “On the other side of the coin, companies that have a more web and product focused business lean on hiring specific skillsets around application and web security.”

CISO certifications

As you climb the ladder in anticipation of a jump to CISO, it doesn’t hurt to burnish your resume with certifications. As Information Security puts it, “These qualifications refresh the memory, invoke new thinking, increase credibility, and are a mandatory part of any sound internal training curriculum.” But there are a somewhat bewildering number to choose from — Cyberdegrees.org lists seven. We asked LaSalle Network’s Wallenberg for his picks, and he gave us a top three: