How the CISO role is evolving

Definition of a CISO

The Chief Information Security Officer (CISO) is the executive responsible for the information and data security of an organisation. In the past, the position was defined rather narrowly, but today the title is often used in the same sense as CSO or VP of Security, denoting a broader role within the organisation. The CISO is responsible for overseeing the strategic, operational and budgetary aspects of data management and protection.

This professional works closely with management to develop information security policies and procedures for the company or organisation. In addition, they manage a team of computer analysts, information security specialists and similar professionals responsible for identifying, neutralising and eliminating security threats. With advanced technical, commercial and organisational skills, Chief Information Security Officers (CISOs) work in all sectors of the economy.

They monitor security vulnerabilities, keep abreast of changing technologies and allocate resources to improve efficiency and effectiveness. According to PayScale, the average CISO earns more than $160,000 per year, and those with a career spanning more than 20 years can earn more than $170,000.

What does a Chief Information Security Officer do?

A CISO’s job is to protect the organisation’s protected data and intellectual property and manage security across the enterprise. As a highly skilled information security professional, the CISO has a broad understanding of information technology practices and the security needs of the company.

CISOs identify weaknesses in existing information security technologies and programmes. They work with management and teams of information security professionals to develop security policies and measures to protect information. They also implement new technologies, oversee training programmes and provide guidance to employees.

In addition, they can prepare budgets and financial forecasts for security operations and maintenance. They also allocate financial resources, coordinate investigations and data recovery, conduct risk assessments and audits, and ensure compliance with applicable regulations and legislation. CISOs employ IT security specialists and form a team to implement the organisation’s strategic plan. They also produce reports and communicate technical information to both non-specialists and colleagues with specialist computer knowledge. This requires good communication, flexibility, problem-solving skills and critical thinking.

The typical CISO has a non-technical qualification (such as CISSP or CISM), but those with a technical background may develop more advanced technical skills. They should also be involved in project management, to manage information security projects, and in financial management, to manage information security budgets (e.g. through an accredited MBA). It is also common to train in soft skills, such as leading diverse teams of information security managers, information security directors, security analysts, security engineers and technical risk managers.

More recently, the involvement of CISOs in privacy issues has led to a strong demand for qualifications such as the CIPP. The latest development in this area is the emergence of ‘virtual’ CISOs (also known as vCISOs or ‘partial CISOs’).

These CISOs function on a shared or partial basis for organisations that are not large enough to support a full-time CISO or that, for various reasons, want a dedicated external employee to perform this role. vCISOs typically perform the same functions as a traditional CISO, and may act as a ‘temporary’ CISO while the employing company looks for a replacement CISO.