CISO job description

Chief Information Security Officer (CISO) job description: role, duties and responsibilities

Over the past few years, information security professionals have become major players in their companies. The continued rise of computing technology and the digitalization of communications – which entails a constantly widening network of interconnections and an increase in inherent risk – have transitioned security from a predominantly technical concern to a crucial business one. High-profile corporate cyberattacks involving enormous price tags have combined with the normalization of remote and hybrid work models to blur the technology/business divide.

The Chief Information Security Officer (CISO) has overall responsibility for securing a business, its systems, customers, employees and assets for the short, medium and long term. Their remit covers cybersecurity, data protection and maintenance, compliance with increasingly strict regulations, software and hardware purchasing decisions and management, the control and auditing of security protocols, and more. And the list keeps getting longer…

Given the breadth and increasingly crucial nature of their responsibilities, CISOs – once considered exclusively for their technical expertise – have become critical business figures and leaders within their organizations. Depending on company size, structure and industry, today’s CISOs often have a seat at the boardroom table from which they drive company-wide security decisions. As such, CISOs are now expected to possess not only proven IT and information security expertise but also solid leadership, communication and managerial skills. In addition, they must also be excellent strategic thinkers and visionaries.

CISO job description: the role and key responsibilities

Global strategy and training

The primary role of the Chief Information Security Officer is to develop, implement and manage an enterprise-wide security strategy. As such, the CISO must build and test the global IT architecture, evaluate its resilience, anticipate all possible scenarios, make business continuity plans, and guarantee compliance with a multitude of regulatory requirements.

To this end, they must evangelize about their subject company-wide, motivating not only their own team members but all employees. After all, it’s outside technical teams that security becomes unfamiliar territory, and it only takes one weak link in the chain for disaster to strike! The CISO must therefore educate and train all employees. All too often, we forget that the overwhelming majority of security problems arise from internal – and often unintentional – weaknesses. This doesn’t make their effects any less serious, however.

Consequently, it’s essential that CISOs know how to explain their choices beyond tech-savvy circles. This naturally necessitates a talent for conveying information, summarizing and listening – in addition to strong managerial skills – as CISOs have to communicate the challenges and best working practices across all levels of their organization. Such working practices don’t just relate to software. Increasingly, they also refer to the use of other devices – access to buildings, hardware, connected devices, and personal computers and smartphones. The CISO must ensure that best practice is respected at all touchpoints and that any vulnerabilities can be dealt with quickly.

Cybersecurity and management of external risks

Once the procedures have been put in place, a large part of the CISO’s work consists of monitoring the network and reacting as quickly as possible in the event of an attack or incident.

Faced with the boundless imagination of hackers and other malicious actors, enterprise IT security will always lag behind the latest innovations in malware. The challenge of the CISO lies therefore in prioritizing the most business-critical areas, optimizing reaction time regardless of attack type, concentrating on strategic areas and ensuring maximum service continuity. The pressure to meet these challenges means that the CISO must keep constantly abreast of all the latest developments. They must be curious as well as strong strategists and visionaries. Anticipation is the name of the game.

The data challenge

Alongside cybersecurity issues, data and everything related to it – compliance, confidentiality, documentation, and protection – represents the other major challenge faced by CISOs. With overall responsibility for data – which is increasingly considered an organization’s most valuable asset – CISOs are expected to know where it is stored, who has access to what, and how to react in the event of a problem.

Moreover, data regulation is getting stricter worldwide. Every week seems to bring a new development. Legislative compliance has become the CISO’s remit, making an in-depth and up-to-the-minute understanding of the related laws, standards and guidelines – most of which vary by continent and by state/country – a must.

According to The Legal 500, in the US, CISOs must guarantee regulatory compliance with acts including the Privacy Act of 1974, GLBA, FCRA, FISMA, HIPAA, the Cable Act, VPPA, ECPA, SCA, COPPA and FERPA, as well as a host of privacy laws which vary by state. In the UK, they must ensure adherence to acts including the Data Protection Act 2018, the UK GDPR, and The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as amended. In Germany, they must comply with GDPR, BDSG and TTDSG, as well as many sector-specific regulations such as the BSI Act, BAIT, WpHG and VAIT.

Making security work for business

Ten years ago, information security managers were rarely involved in their company’s business issues. Their brief was to oversee system maintenance and security, and that in itself was already quite enough. These days, the CISO is increasingly a key figure within their organization, tasked with aligning security initiatives with broader business goals.

Enlightened leadership is now well aware of the cost of negligence in this matter. Of course, they know the direct costs of ransom attacks but, beyond these extreme cases – which are fortunately becoming less and less extreme – security breaches can still cause huge damage in terms of company image and the trust it inspires, production deadlines, partner relationships, and even at team level.

On a more positive note, when a company is experiencing high growth, new business partners must be brought on board at a rapid pace and new technologies tested. New business partners can even be involved in the process. Either way, it’s essential that a company’s security policy is operational, fluid, known by all parties, and capable of quickly supporting business-led innovations. More and more leadership committees have understood this and now involve the CISO in strategic decision-making, sending a strong signal to the entire business ecosystem.

How do CISOs measure their work performance?

All enterprises want to get a clear view of the ROI of their decisions, and security matters are no exception. But, as Logan Fernandez, CISO of Pentalog, explains, “In the area of security, it’s difficult to measure ROI as correlation doesn’t imply causation. When the necessary measures have been taken, it’s true that the surface of attack gets smaller, at times dramatically so. But just because an attack hasn’t been identified doesn’t automatically mean that all necessary measures have been taken. Maybe we haven’t been attacked yet? Or perhaps we have been, but we aren’t even aware of it. How can we claim with any certainty that everything is going well or better? It’s become essential for businesses to navigate this challenge with the help of relevant, measurable and comparable success indicators. One such indicator could be the percentage of company compliance achieved as regards certain internationally-recognized standards such as the ISO 27001 standard. It has the merit of providing a security management framework for different departments of an organization.”

To sum up, an array of standards and procedures exist to enable CISOs to navigate their way through the jungle of risks and constraints. Ultimately, the sound of a CISO’s success will be proportional to the silence of a properly protected system.

What qualifications, experience and skills does a CISO need?

  • A bachelor’s degree in cybersecurity or information technology is an essential element of the CISO job description. Complementary specialist training programs (a Master of Business Administration or a Master of Science in Cybersecurity and Information Assurance) are also highly valued, but not vital. On-the-job specialist certifications – e.g., Certified Information Systems Auditor and Certified Information Security Manager, issued by ISACA, and Certified Information Systems Security Professional issued by (ISC)2 – are strongly recommended.
  • A profound understanding of scripting and source code programming languages, such as C#, C++, .NET, Java, Python, JavaScript and PHP.
  • Extensive professional work experience – usually more than 10 years – including significant experience as IT and cybersecurity project lead/manager.
  • A firm understanding of business operations and how they impact cybersecurity (and vice versa).
  • Expertise in cybersecurity systems and their respective capabilities. The CISO job description also includes up-to-the-minute knowledge of emerging innovations and their potential impact, plus specialist IT and cybersecurity knowledge as regards security architecture, incident response and remediation, disaster recovery planning, mobile and endpoint management, remote device management, identity and access management, data and information management, security policy and framework implementation, application and database security, and management of network security and firewalls.
  • In-depth knowledge of how to assess constantly-evolving standards, guidelines and laws governing data protection and cybersecurity, and the ability to ensure compliance.
  • A proven track record in risk analysis, financial forecasting, strategic planning, and budget management.
  • Exceptional negotiation and problem-solving skills.
  • Strong leadership and management skills.
  • Excellent communication and presentation skills. The ability to explain security issues and concepts effectively to both technical and non-technical teams, including C-level executives and the Board, is a must.
  • Solid decision-making skills. CISOs need to absorb complex and often conflicting information to make solid business decisions that best represent all stakeholders’ needs.

How much does a CISO earn?

The salary commanded by CISOs varies by country, industry and company size as well as by level of expertise. According to Glassdoor, the average basic salary for a CISO in the US in 2022 is $165K/year. The likely range quoted is from $193K/year to $343K/year.

For France in 2022, Glassdoor claims the salary of CSOs/CISOs varies from 50K€/year to 150K€/year, with the average salary of a CISO being 75K€/year.

The same source quotes the average basic salary for a CISO in Germany in 2022 as being $128K/year. The likely range quoted for full package worth is from $141K/year to $167K/year.

In the UK in 2022, Glassdoor claims the average base salary for CISOs is £123K/year. Payscale publishes slightly different figures, claiming the average basic salary of CISOs in the UK varies from £59K/year to £147K/year, with the average being £99K/year.