The CISO Role: What Does a Chief Information Security Officer Do?

With the high rate of cyberattacks today, the role of a chief information security officer (CISO) has become more important — and much more visible. Businesses have been forced to invest in guarding their infrastructures, networks, and sensitive data. They also have to consider emerging technologies, like what ChatGPT and other generative AIs mean for cybersecurity.

This blog post will take a look at the basics of a CISO, as well as the CISO's main tasks and responsibilities.

(Check out our recommendations for security books and security events & conferences.)

Defining the CISO role

A Chief Information Security Officer (CISO) is a senior executive who is responsible for developing and implementing an information security program that protects an organization's data and systems. They are part of the “C-suite” roles and are responsible for managing risk and ensuring that the organization's security posture is aligned with its business objectives.

To succeed as CISO, you must have extensive knowledge of security technologies and processes as well as a strong understanding of business and risk management. Thus, understanding the security side isn’t enough. Crucially, CISOs must be able to:

• Effectively communicate with both technical and non-technical staff.
• Clearly articulate the organization's security posture to senior management (particularly when the situation is not satisfactory).

Primary responsibilities of CISOs

OK, so those are the broad strokes, but what does a CISO actually do?

A CISO is responsible for the overall security of an organization's information systems. This includes:

• Developing and implementing security policies and procedures. Security frameworks are helpful here as guide.
• Managing security staff, which means overseeing many security teams at larger organizations.
• Understanding network activity and preparing for potential threats.
• Overseeing incident response and disaster recovery planning.
• Coordinating the response and recovery efforts when a data breach or security breach occurs.
• Reporting to the designated hierarchy, which might be the CIO, the CEO, and even the board of directors.

(Understand how vulnerabilities and threats contribute to overall risk.)

CISO skills and experience

A CISO isn't just a security expert but is a leader who often manages security engineers and resources to react and respond to mission-critical situations. Thus, CISOs usually have a background or deep understanding of information security, information technology experience, risk management, computer science, or another related field. Auditing skills, though not required, can be a fine addition.

Besides responding to breaches, CISOs monitor threats and devise strategies to reduce risk while allocating resources for maximum efficiency. However, it is a leadership role; their security strategies must align with business goals. Thus, many companies require CISOs to have an advanced computer science, engineering, or business degree.

CISOs may be required to have these certifications:

• An information systems auditor or security manager by ISACA
• An Information Systems Security Professionals by ISC2

(Related reading: top cybersecurity certifications to earn.)

How the CISO role came to be

The term CISO was first introduced by Citigroup around 1994 when they hired Steve Katz to set up a security office to make technology more secure. As you can observe, the crux of the role hasn't changed that much over nearly three decades.

Nevertheless, while a CISO's responsibilities had been limited to governance, policymaking and monitoring traffic for an extended period, some exciting additions are now part of the CISO's role. A CISO builds bridges between technical and nontechnical executives, subject matter experts, security professionals and developers.

Hierarchy & reporting structure around CISOs

Traditionally, CISOs work closely with other senior executives, such as the chief information officer (CIO) and chief technology officer (CTO), to ensure that the organization's security program is effective and efficient. This has changed a lot recently, where 61% of CISOs no longer report to the CIO. Instead, they report to the CTO, the Chief Operating Officer (COO) or sometimes directly to the Chief Executive Officer (CEO).

A significant majority of CISOs report either to the CEO or the CIO (Source: The CISO Report) 

As for who reports up to the CISO, a survey involving 3,600 security professionals showed that 48% of security teams report to the CISO, especially in organization where the CISO oversee the overall security effort. The study by ISACA also showed that security assessments are more likely to be aligned with IT and business goals when the CISO is in charge of the security teams.

CISO salary

Based on the importance of this role, you’d be safe in assuming that CISOs draw hefty paychecks. Thanks to the aggression of security threat actors, the salary of CISOs has been rising remarkably in the last decade.

According to a variety of sources, the median CISO salary was in the vicinity of $130,000 to $190,000 in 2015 and reached the $220,000 mark before 2017.

As at January 2024 according to Glassdoor, CISOs have a median annual total salary of $386,000. Depending on the role, the context, the organization and overall experience, a CISO's salary can go well up to $585,000 — and that’s before bonuses that are often standard for C-level roles. In the banking and financial services sector, the salary can range from $180,000 to $400,000, with significant bonuses and long-term incentives.

(Check out our roundup of IT salaries.)

CISO vs. other roles

CISOs are often compared to other C-suite roles. Let’s look briefly at the differences.

CISO vs. CIO

A CISO is responsible for the security of an organization's information systems. This role focuses more on how the organization's IT systems are secure from internal and external threats.

A CIO, on the other hand, is responsible for the overall IT operation and management and how the business can use it to meet its strategic data use.

CISO vs. CTO

Unlike the CISO, which focuses more on implementing security checks and all security-related activities and responsibilities, the CTO focus more on the organization's overall IT operations and infrastructures.

Sounds similar to the CIO's role? not quite. The CTO role is gauged toward innovation and how the organization can use existing and new technologies to meet the company's business goals and technological development.

(Learn about cyber threat intelligence.)

CISO vs. CPO

As technology writer Kayly Lange explains:

• CISOs focus on protecting its information assets against cyber threats.
• CPOs focus on ensuring that the organization complies with privacy laws and regulations.

(Read our comparison: CIO vs. CISO vs. CPO.)

CISO vs. vCISO

A vCISO is a virtual chief information security officer. This new role is becoming more popular in organizations that are looking for ways to improve their cybersecurity posture. The vCISO is responsible for providing strategic direction and leadership for the organization's cybersecurity program. Thus they:

• Develop and implement security strategies that align with business goals.
• Manage and oversee the day-to-day operations of the security team and ensuring that the security program is effective.

Sounds like a CISO, except for a key difference:  vCISOs are not full-time employees of the organization. Instead, they are hired as consultants to provide their expertise and guidance. This allows organizations to benefit from a CISO without the cost of hiring one full-time. Additionally, the vCISO can be more flexible in its approach to cybersecurity, which can be beneficial in today's rapidly changing threat landscape.

Why it’s important to have a CISO

CISOs are valuable parts of keeping organizations secure, but you still might be wondering why you should hire one. You want a CISO for:

• Management and security of information resources
• Maximizing ROI on security-related decisions
• Staying ahead of the threat landscape
• Compliance with industry standards
• Aligning security with business

How to hire a CISO

If you decide to hire a CISO, these are the qualities to look for:

• Deep experience in working with information assets
• Solid knowledge of data governance and understanding of compliance structures
• Ability to assign business value to security efforts
• Ability to trigger actions that would strengthen security
• Risk management skills
• Leadership qualities
• A calm demeanor, especially under pressure

Summing up the CISO

Cybersecurity is a never-ending battle that requires constant vigilance and the skills of professionals with the right qualifications and experience.

The CISO is responsible for safeguarding an organization's information assets. They do this by ensuring that a company's IT infrastructure is secure, investigating security incidents and working with other members of the organization to ensure that the IT department and all employees are following best practices.