What is a CISO? Everything you need to know about the Chief Information Security Officer role

What does a CISO do and how do they work with the rest of the business? From reporting lines to working conditions and pay rates, here's everything you need to know about the role of the CISO.
Written by Mark Samuels, Contributor

What is a Chief Information Security Officer?

A CISO is responsible for establishing security strategy and ensuring data assets are protected. CISOs traditionally work alongside the chief information officer (CIO) to achieve these aims.

What does a CISO do?

As the guardian of information security, the CISO creates a strategy that copes with ever-increasing regulatory complexity, and puts in place the policies, security architecture, processes and systems that reduce cyber risk and keep data secure. Compliance is a key element of the role, as is risk management.

CISOs will understand how the cybersecurity threat landscape is evolving and how that could affect the security risks facing their particular organisation. That means taking account of everything from the risk of malware and hacking through to insider threats or unpatched vulnerabilities in the organisation's systems. The CISO will likely take a key role in any incident response if there is a data breach.


Such is the importance of cybersecurity that the vast majority (89%) of CISOs are regularly asked by the board of directors to provide recommendations for the business, report 451 Research and security firm Kaspersky.

More than half (54%) of CISOs responding to consultant KPMG and recruiter Harvey Nash's 2019 IT leadership survey said they are a member of the operational board or executive management committee.

How important is the CISO role?

In short, crucial – ensuring that IT systems comply with security and regulatory requirements is the top priority for tech chiefs, according to Grant Thornton LLP and the Technology Business Management Council. They report as many as 83% of IT leaders have increased spending on cybersecurity in the past 12 months.

Is the CISO taken seriously by business execs?

Kind of. While it's good news that CISOs have an increasingly high-profile executive audience for their opinions, the strategic importance of cybersecurity is far from guaranteed. Almost half (43%) of CISOs feel that they are in direct competition with other business and IT initiatives for funding, report 451 Research and Kaspersky.

That battle for cash is at odds with wider business trends: there is broad agreement that businesses need to take security more seriously than ever before. But while 40% of CISOs say their organisation has been subjected to a security attack in the past two years, just 29% of CISOs believe they're very well-positioned to deal with security risks, according to KPMG and Harvey Nash.


Consultant EY says organisations can only stay one step ahead of the cyber threat by creating what it refers to as "a culture of security by design". This approach relies on bridging the divide between the security function and the C-suite. Here, CISOs act as a consultant and enabler, rather than positioning security as a roadblock to how people want to work.

Yet EY reports that while security teams have good relations with adjacent functions, such as IT, audit, risk and legal, there is a disconnect with other parts of the business. Almost three-quarters (74%) of CISOs say the relationship between security and marketing is, at best, neutral, if not mistrustful or non-existent. More than half (57%) say their relationship with finance, on which they depend for budget authorisation, is also strained. CISOs with some business acumen may find it easier to communicate with executive management than those totally focused on technical detail.

How do the Chief Information Security Officer and the CIO work together on security?

Cecilia Feng, assistant professor of accounting at Stony Brook University, says that although the CIO and the CISO are both charged with protecting their firm's IT systems, the relationship between the two roles is quite subtle. While a CIO typically reports to the firm's CEO or CFO, a CISO often works under the CIO, reflecting the broader scope of the CIO's duties.

Feng agrees that the battle for funding means the relationship between CISO and CIO isn't always straightforward, but both must recognise that they share the same goals, face the same challenges – and could suffer the same consequences.

"My recent study shows that a CIO is 72% more likely to be terminated following a security breach caused by a system deficiency," she says. 

The CISO is also likely to be held accountable for security shortcomings. But when united, these IT executives can consolidate their power to have a greater say in the boardroom when it comes to technology initiatives and guiding the business.

What's it like being a CISO?

More than three-quarters (78%) of CISOs find their jobs to be very or quite fulfilling, according to KPMG and Harvey Nash. In a world where technology and data only continue to increase in importance, it's unlikely the CISO is going to get bored any time soon.

Yet the demands of the role take a toll. The vast majority of CISOs (88%) are moderately or tremendously stressed, according to research from Nominet and Vanson Bourne. Worse still, almost half (48%) of CISOs say work stress had a detrimental impact on their mental health last year, almost twice the proportion in 2018 (27%).

Rich Armour, former global CISO at General Motors and now cybersecurity advisor at Nozomi Networks, says it's crucial that security chiefs can find a way to remain calm under pressure.  

"Many of the daily tasks of the CISO are stressful, but the management of major incidents or a publicly disclosed breach takes these stresses to the extreme," he says. "CISOs must be able to effectively manage and lead the organisation through these stressful situations, while maintaining their perspective and equilibrium."

What are the working conditions like for CISOs?

CISOs hold a position of power in most organisations, but this authority comes with strings attached. Almost all CISOs work beyond their contracted hours, on average by 10 hours per week, report Nominet and Vanson Bourne. When they're not at work, many CISOs feel unable to switch off; missing birthdays, holidays, weddings and even funerals is not unusual.

Almost three-quarters (71%) of CISOs say their work-life balance is too heavily weighted towards work. They're also not taking their annual leave, sick days, or time for doctor's appointments. The result is more pressure and more health problems.

Almost all CISOs (90%) say they'd take a pay cut if it improved their work-life balance. On average, CISOs say they'd be willing to give up 7.76% of their wage, which equates to $9,642 (£7,475) per year.

How much are CISOs paid?

The fact that so many CISOs would be willing to take a pay cut in exchange for working less suggests that many are well-compensated for the huge stresses and strains they face.

The national average salary for a CISO in the UK is about £117,000, according to recruiting specialist Glassdoor. Rates vary considerably between public and private sector roles, by industry and by location.

Yet the opportunities for talented professionals abound. The unemployment rate for trained cybersecurity personnel is reported as 0%, which suggests that demand for workers in this profession is acute and far outstrips supply.

Cybersecurity Ventures predicts there will be 3.5 million cybersecurity job openings globally by 2021. Cybercrime, meanwhile, will more than triple the number of job openings over the next five years. The massive demand for skilled security experts will only push rates upwards.

Research suggests Fortune 500 corporations pay $400,000 and upwards annually to CISOs. In fact, the huge demand for expertise and the growing demands from regulations such as the General Data Protection Regulation (GDPR) means top rates of $1 million or more might not be uncommon soon.


How can I become a CISO?

CISOs tend to emerge from the security side of technology departments. James Walsh, head of security practice at Harvey Nash, says some qualifications are particularly sought-after for IT or security professionals looking to progress or move into CISO positions.

He says the most-desired qualification is Certified Information Systems Security Professional (CISSP) from (ISC)²: "It features in most client requirements and job specifications," he says.

Walsh says other highly regarded qualifications include: ISACA's Certified Information Security Manager certification, its Certified Information Systems Auditor certification, and its Certified in Risk and Information Systems Control certification.

There has been significant growth in popularity for the Certified CISO (CCISO) qualification from EC-Council, particularly amongst information security managers looking to progress up to CISO roles. For all professionals, continual education is likely to be the key to success.

"The breadth of information security and its ever-changing landscape and threats mean that CISOs and all security professionals need to maintain and update their skills, and so many of the qualifications are then supplemented with others such as ISO 27001 Implementor and Auditor qualifications. So, as we find with all tech professionals in a rapidly changing digital world, continual learning and training is an integral part of any career journey," says Walsh. 

What makes a great CISO?

Walsh says there are a number of key qualities that successful CISOs demonstrate. As with any senior role in business or IT, leadership skills are key; the ability to manage, motivate and drive enterprise-wide information security teams and programmes, and be a leader and influencer within the executive tier of the business, is fundamental.

Strategic delivery and execution skills are also important. Walsh says the key skill of a good CISO is the ability to carefully define short- and long-term organisation-wide strategies and roadmaps for security that overlap and support the business strategy. "Alongside this is the ability and track record to implement on these improvement programmes, be that in terms of people, process or technology change," he says.

Walsh even says a good sense of humour can be an important feature of a successful CISO. In a high-stress job, where the next crisis could unfold at any moment, an ability to communicate the risks and threats across the business in an approachable manner can really help.

What are the key skills of a Chief Information Security Officer?

Rich Armour lists a number of key characteristics of successful CISOs:

  • Effective and inspirational leadership style
  • Strong communication skills with a variety of audiences 
  • Ability to remain calm under pressure 
  • Collaborative and results-driven
  • Extremely strong sense of urgency
  • Skilled multi-tasker
  • Intense curiosity about technology and the ever-changing cyber-threat landscape 
  • Strong technology and security knowledge 
  • Strong risk management instincts
  • Strong business acumen 

How can CISOs use their skills in a business environment?

Matt Harris, head of IT for Mercedes-AMG Petronas Motorsport, says a good head of security for his business has got to be "a bit special". He says a lot of security people struggle to judge the level of security the business actually needs in order to do its work. "In other words, not too much or too little," he says.

Harris says there's "a very fine line to walk" between implementing the right technology, enabling the right process, and producing the right level of documentation or logging that enables the business to still work, but which also keeps the business secure.


While employees often think of security as the sole responsibility of the CISO, all workers need to be aware of secure working practices. Gartner says organisations should make key personnel aware of their security responsibilities across all functions. The analyst predicts that 35% of enterprises will implement a security champion programme by 2021, up from less than 10% in 2017.

Harris recognises the importance of building cross-business responsibility for data security: "We're creating 45 terabytes or so of data per week. How can we as an IT department possibly know and understand all of that data and where it's being put? Providing education around that concern is the big challenge for the information community."

What is the future of the CISO?

One thing's certain: the critical role of data security is unlikely to diminish anytime soon. Almost all (94%) CISOs believe the way that organisations manage and use customer data will become just as important as product and service quality when it comes to attracting customers in the future.

Maintaining high levels of data security means CISOs are going to spend a lot more time interacting with the rest of the business. Consultant KPMG says the CISO of the future will be an outward-looking role, making decisions that tie not just into technical controls and security processes, but which also consider ethics, independence, consumer trust, and even national resilience and economic security.

Rana Bhattacharya, CTO at Atom Bank, is another IT leader who believes the future of IT security is outward-looking. Like Harris, he believes line-of-business units must take responsibility for data integrity, especially given their ever-increasing use of cloud-based services.

"I'd hope more people generally are hands-on, because the changes in the whole security landscape in terms of threats to the capabilities you have to data in places like the cloud are always ever-changing. You have to be nimble and fleet-of-foot today to grow the level of protection that you have," he says.
