How the CISO role is evolving

CISO definition

The chief information security officer (CISO) is the executive responsible for an organization’s information and data security. While in the past the role has been rather narrowly defined along those lines, these days the title is often used interchangeably with CSO and VP of security, indicating a more expansive role in the organization.

Not every company has a top-level security executive: According to IDG’s 2020 Security Priorities Study, 61% of surveyed companies do, though that rate goes up to 80% for large enterprises. But in companies that employ such an executive, they play an important role: the same study found that companies without a CISO or CSO were more likely to say their employee security training was inadequate and their security strategy was insufficiently proactive than those who had such officers.

Ambitious security pros looking to climb the corporate latter may have a CISO position in their sights. Let’s take a look at what you can do to improve your chances of snagging a that job, and what your duties will entail if you land this critical role. And if you’re looking to add a CISO to your organization’s roster, perhaps for the first time, you’ll want to read on as well.

CISO responsibilities

What does a CISO do? Perhaps the best way to understand the CISO job is to learn what day-to-day responsibilities fall under its umbrella. While no two jobs are exactly the same, Stephen Katz, who pioneered the CISO role at Citigroup in the ’90s, outlined the areas of responsibility for CISOs in an interview with MSNBC. He breaks these responsibilities down into the following categories:

• Security operations: Real-time analysis of immediate threats, and triage when something goes wrong
• Cyberrisk and cyber intelligence: Keeping abreast of developing security threats, and helping the board understand potential security problems that might arise from acquisitions or other big business moves
• Data loss and fraud prevention: Making sure internal staff doesn’t misuse or steal data
• Security architecture: Planning, buying, and rolling out security hardware and software, and making sure IT and network infrastructure is designed with best security practices in mind
• Identity and access management: Ensuring that only authorized people have access to restricted data and systems
• Program management: Keeping ahead of security needs by implementing programs or projects that mitigate risks—regular system patches, for instance
• Investigations and forensics: Determining what went wrong in a breach, dealing with those responsible if they’re internal, and planning to avoid repeats of the same crisis
• Governance: Making sure all of the above initiatives run smoothly and get the funding they need—and that corporate leadership understands their importance

For a deeper dive, check out the whitepaper from SANS, “Mixing Technology and Business: The Roles and Responsibilities of the Chief Information Security Officer.”

One other important note: Most of those bullet points apply to IT security. But for many top security execs, their mandate goes beyond servers and PCs and extends to physical security as well, making sure that their companies’ offices and physical plants are safe from intrusions. According to IDG’s 2020 Security Priorities Study, 42% of top security executives say they have had physical security duties added to their plate in the past three years—and another 18% expect to take on that role within the next 12 months.

CISO requirements

What does it take to be considered for this role? Generally speaking, a CISO needs a solid technical foundation. Cyberdegrees.org says that, typically, a candidate is expected to have a bachelor’s degree in computer science or a related field and 7-12 years of work experience (including at least five in a management role); technical master’s degrees with a security focus are also increasingly in vogue. There’s also a laundry list of expected technical skills: beyond the basics of programming and system administration that any high-level tech exec would be expected to have, you should also understand some security-centric tech, like DNS, routing, authentication, VPN, proxy services and DDOS mitigation technologies; coding practices, ethical hacking and threat modeling; and firewall and intrusion detection/prevention protocols. And because CISOs are expected to help with regulatory compliance, you should also know about a host of regulations that affect your industry, including PCI DSS, HIPAA, GLBA and SOX.

But technical knowledge isn’t the only requirement for snagging the job—and may not even be the most important. After all, much of a CISO’s job involves management and advocating for security within company leadership. IT researcher Larry Ponemon, speaking to SecureWorld, said that “the most prominent CISOs have a good technical foundation but often have business backgrounds, an MBA, and the skills needed to communicate with other C-level executives and the board.”      

Paul Wallenberg, Senior Unit Manager of Technology Services at staffing agency LaSalle Network, says that the mix of technical and nontechnical skills by which a CISO candidate is judged can vary depending on the company doing the hiring. “Generally speaking, companies with a global or international reach as a business will look for candidates with a holistic, functional security background and take the approach of assessing leadership skills while understanding career progression and historical accomplishments,” he says. “On the other side of the coin, companies that have a more web and product focused business lean on hiring specific skillsets around application and web security.”

CISO certifications

As you climb the ladder in anticipating a jump to CISO, it doesn’t hurt to burnish your resume with certifications. As Information Security puts it, “These qualifications refresh the memory, invoke new thinking, increase credibility, and are a mandatory part of any sound internal training curriculum.” But there are a somewhat bewildering number to choose from — Cyberdegrees.org lists seven. We asked Lasalle Network’s Wallenberg for his picks, and he gave us a top three:

• “Certified Information Systems Security Professional (CISSP) is for IT professionals seeking to make security a career focus.”
• “Certified Information Security Manager (CISM) is popular for those who are looking to climb the ladder within the security discipline and transition into leadership or program management.”
• “Certified Ethical Hacker (CEH) is for security professionals looking to obtain an advanced awareness of issues that can threaten enterprise security.”

CISO, CSO, and beyond: What’s in a name, and who’s on top?

Let’s talk for a moment about job titles. Although we’ve been using CISO throughout this article, as we mentioned above there are other titles that are used for an executive-level security officer: Chief Security Officer, or CSO, is fairly common, and some other officers have a Vice President title. IDG’s 2020 Security Priorities study found that CISO was the most common title at 41% of respondents, as opposed to 14% who worked at companies with a CSO and 16% for other titles. Interestingly, large enterprises are more likely to call their top security exec a CISO: 80% of those surveyed use that title. As noted, we’ve been using these job titles more or less interchangeably; in many cases, they reflect hierarchy or roles within a specific organization, and someone with a CISO job at one company  may have duties very similar to a CSO in another.

More important than the letters in your title is the structure of the org chart. Security is a role within an organization that inevitably butts heads with others, since a security pro’s instincts are to lock down systems and make them harder to access — something that can conflict with IT’s job of making information and applications available in a frictionless way. That drama can play out at the top of the org chart as a CISO/CSO vs. CIO battle, and the contours of that fight are often established by the lines of reporting within an organization: if the top security exec reports into the leadership of the IT department, that can constrain the CISO’s ability to execute strategically, as their vision ends up being subordinated to IT’s larger strategy.

How common are different reporting structures? According to IDG’s 2020 Security Priorities Study, 46% of top security execs at surveyed companies report to the CEO or the Board of Directors, while 33% report to a corporate or divisional CIO. Smaller companies perhaps unsurprisingly have flatter structures: 59% of security execs at surveyed SMBs report directly to the CEO.

IDG

Placing CIOs and CISOs on equal footing can help tamp down conflict, not least because it sends a signal to the whole organization that security is important. But it also means that the CISO can’t simply be a gatekeeper vetoing technical initiatives. As Ducati CIO Piergiorgio Grossi told i-CIO magazine, “it’s up to the CISO to help the IT team provide more robust products and services rather than simply saying ‘no.'” This shared responsibility for strategic initiatives changes the dynamics of the relationship — and can mean the difference between success and failure for new CISOs.

For a more detailed discussion of these topics, check out the CSO article “Does it matter who the CISO reports to?”

CISO job description

If you’re part of a search for a promising CISO for your organization, part of that involves writing a job description—and much of what we’ve discussed so far lays the foundation for how you’d approach that. “Companies first decide if they want to hire a CISO and obtain approvals for the level, reporting structure, and official title for the position—in smaller companies, CISOs can be VPs or Director of Security,” says Lasalle Network’s Wallenberg. “They also need to set the minimum requirements and qualifications of the role, and then go to market for external candidates or post for internal applicants.”

CSO Senior Editor Michael Nadeau lays out in some detail how you’d approach writing a CISO job description. One of the important things he points out is that your description should make your organization’s commitment to security very clear from the get-go, because that’s how you’re going to attract a high-quality candidate. You should highlight where the new CISO will end up on the org chart and how much board interaction they’ll have to really make this point clear. Another important point he makes is to keep the job description fresh, even if you have someone in the role—after all, you never know when that person will move on to another opportunity, and this is a crucial job that you don’t want to leave unstaffed.

CISO salary

CISO is a high-level job and CISOs are paid accordingly. Predicting salaries is more of an art than a science, of course, but the strong consensus is that salaries above $100,000 are typical. As of this writing, ZipRecruiter has the national average at $159,877; Salary.com pegs the typical range even higher, as between $195,000 and $257,000.

If you check out Glassdoor, you can see salary ranges for current CISO job openings, which can help you get a sense of which sectors pay more or less. For instance, at this writing there’s an open CISO position at GE Power that pays between $152,000 and $164,000, and one at the University of Michigan that pays between $259,000 and $279,000.

CISO jobs

The CISO job landscape is always changing, and CSO has plenty of material to keep you up to date — how to get a CISO job, and how to navigate the career landscape. You might want to check out:

• “6 secrets to CISO job longevity“: Long-serving CSOs say that business focus and communication are key.
• “What CIOs want from CISOs: Collaboration and no finger pointing“: A look at how to navigate this sometimes fraught relationship. Two CIOs explain how they view their relationships with the security function, and why CISOs need to collaborate closely with CIOs whether they report into them or not.
• “7 security incidents that cost CISOs their jobs“: When you’re a top-level executive, the buck stops with you, as these CISO found out. Let their security failures serve as a learning opportunity for you.