CISO job description: What does a CISO do?
A chief information security officer deals with far more than firewalls and antivirus software
The past couple of years have been being particularly challenging for IT professionals and organisations alike, it doesn’t mean that 2022 will be any easier. As workers slowly return to the office, they are likely to keep working remotely on a more flexible basis for some part of the week than before the pandemic. This provides some extra security challenges that IT teams need to consider.
Many organisations are looking at reviewing their cyber security strategy as well as their response and monitoring capabilities, especially as there have been some high-profile cyber attacks recently, such as the SolarWinds hack. Businesses are choosing to do this to avoid making the same mistakes and losing their customers’ loyalty and trust, which is always detrimental but particularly so during the midst of a financial crisis.
The state of the world has changed drastically since the pandemic began, and this is especially true for the status of security too. Cyber security experts have been very busy during the last year or so: from the Solarwinds to Zoom attacks, it is necessary for organisations to possess competent security and leadership skills more than ever before. In these uncertain times, it is extremely important for companies to have an individual who can be trusted with maintaining the safety and security of the enterprise and its data.
This responsibility could be assigned to a chief information security officer (CISO), whose function we will study in this article. From requirements to reimbursement, we analyse the details of this executive role so you can learn about whether this could be the perfect role for you.
What is a CISO?
The CIO imperative: Leading in the digital future
Reimagine how to differentiate with technology
In order for that responsibility to be taken seriously, a strategy and someone to lead that vision from theory into reality is required. Enter the chief information security officer (CISO). First borne as a role that was exclusively the preserve of US companies, the job title has now made its way to British shores, too.
The CISO, who may also be referred to as a chief security architecture or information security manager, is an executive role that oversees the protection of company and customer data, as well as the protection of infrastructure and assets from malicious actors.
In an age of rampant data theft and aggressive but important legislation, such as GDPR, every IT facility in an organisation must be secure. That not only requires the implementation of security safeguards but also the training and educating of employees. With the majority of cyber security incidents being the result of employee error, it's important that a CISO is looking both internally and externally for potential threats.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Research suggests that a CISO can play a large part in improving security posture. The latest Cyber Risk Insights Index report by cyber insurtech Corvus Insurance revealed that almost three-quarters (72%) of surveyed companies which indicated that they needed help in improving their security were also found to lack a CISO position.
Despite often assuming more accountability and risk amid a rise in cyber attacks on corporate networks, CISOs often struggle with being perceived on the same level as their C-level peers, including the chief executive officer (CEO) or chief financial officer (CFO). In fact, research conducted in 2021 by security intelligence company LogRhythm found that the overwhelming majority (93%) of CISOs don't report directly to their organisation's CEO, despite 60% of respondents agreeing that doing so would create greater awareness of cyber security issues. Instead, the majority of CISOs are three steps away from the CEO, and often report to the chief operating officer (COO) instead.
What responsibilities does a CISO have?
CISOs have a wide range of responsibilities that extend far beyond dealing with firewalls and antivirus software. They are responsible for hiring IT personnel, for providing necessary policy direction to protect the company from emerging threats., and for directly managing senior IT team leaders to ensure they are prioritising the right aspects of a strategy at any given time.
A CISO must also spearhead the company's IT security hardware strategy and make sure necessary activities are undertaken by the appropriate department, whether this is IT staff or other IT security personnel.
Innovation also plays a key role in any organisation's security posture. As such, the CISO will also be tasked with keeping corporate security policies, standards and procedures fresh and fit for purpose, and making sure staff across the board comply on a day-to-day basis without fail.
CISOs are expected to work with the entire organisation to ensure everyone is pulling in the same direction. After all, ensuring security is a continuous process rather than something that can be auctioned once and then left alone. It needs to evolve and change as the threat landscape does. Success here, then, will include conversing regularly with senior management and employees to make sure all IT security policies are deployed, revised, sustained and overseen effectively.
Emulating what might happen in the real world is one way of ensuring everyone is on the same page when it comes to the threat of breaches and data theft. By essentially phishing employees to see who clicks on what - in your own, controlled environment - you can be more sure of any awareness gaps and training needs. Showing employees the damage that could have been done, but thankfully wasn't, will also ensure security remains front of mind in future.
As part of this, existing IT infrastructure must be audited and assessed for any security risks and CISOs are responsible for using the data they have at hand to predict any risks and deal with them accordingly. They need to be continuously assessing vulnerabilities and finding fixes before an incident occurs.
A CISO also needs to develop policies around security incidents and create an Emergency Response Team to act as and when a security breach is looming or has happened. As well as this, they may be in charge of developing a disaster recovery plan to allow for business continuity post-cyber-attack.
Like many businesses and IT decision-makers, CISOs are constrained by budgets, so resources need to be prioritised and allocated efficiently and financial forecasts prepared to ensure appropriate cover for security assets. A CISO needs to show that investments can be used to protect an organisation's assets and safeguard its data and reputation if the worst should happen.
What skills are needed to be a CISO?
To be a competent CISO, several key skills are required, beyond common sense. These include:
- Communication and presentation skills
- Policy development and administration skills
- Knowledge about government (e.g. relevant legislation both current and incoming)
- Collaboration expertise
- Financial, planning and strategic management skills
- Supervisory and incident management skills
- And, finally, knowledge of regulation and standards compliance.
However, the most valuable skill for a CISO is the ability to articulate IT security and technical issues in a non-threatening, clear and actionable manner to non-technical leadership.
A CISO’s salary can be increased by 4% thanks to this quality, according to PayScale. This also means, however, being up to the challenge of leading by example, which can be challenging at times. One in four global IT security leaders have used the same password for personal and work use, according to a recent report. In the report, 39% of respondents say they haven’t changed their work email passwords in the last month. It also found that 48% of CISOs log into social network platforms through their work computers, and 63% were willing to accept connection requests from unknown LinkedIn users – a behaviour MI5 is actively warning people not to do.
How much does a CISO get paid?
In general, someone applying for a CISO role is expected to be highly experienced, with many roles asking for at least 10-plus years in security and senior risk management roles. However, this also means the role commands a significant salary.
A CISO in the UK can expect to receive an average salary of around £92,000 a year, with a number of organisations offering additional benefits and bonuses, with the most popular being medical (70%), dental (25%), and vision (17%). A CISO’s average annual bonus is around £11,500 in the UK.
The CIO imperative: Leading in the digital future
Reimagine how to differentiate with technology
The salary, however, mostly depends on the level of expertise. For example, a newly-appointed CISO will probably earn no more than £73,000 per year. After five to nine years of experience, this is likely to go over the 80k mark. After a decade in this position, a CISO can earn an average total compensation of £97,000, while those with 20 years experience can earn a total average of £110,000.
Of course, this is still dependent on the company and its location. While the average CISO pay in the UK is £90,000, some companies at the highest level can afford to offer salaries of up to £147,000. Regardless of whom you work for, the pay is nothing less than impressive.
Nevertheless, it’s still an industry heavily dominated by men, with only 13% of CISOs at Fortune 500 companies identifying as female, according to latest Forrester data. The number is even lower for EMEA-based enterprises, where only 8% of information security leaders are women. Commenting on these findings, Forrester principal analyst Jinan Budge said that "there is an urgent need and enormous opportunity to become not just an ally but an outspoken champion for women in tech and cybersecurity, especially when so many people tell women to solve workplace challenges by simply "leaning in"."
"While personal responsibility is important, there is only so far that your confidence can take in an industry ingrained with systemic sexism and bias. Engage with people who experience the adversity, and advocate for women in your team by creating a space where they, alongside male allies, can champion real change," she added.
Maggie has been a journalist since 1999, starting her career as an editorial assistant on then-weekly magazine Computing, before working her way up to senior reporter level. In 2006, just weeks before ITPro was launched, Maggie joined Dennis Publishing as a reporter. Having worked her way up to editor of ITPro, she was appointed group editor of CloudPro and ITPro in April 2012. She became the editorial director and took responsibility for ChannelPro, in 2016.
Her areas of particular interest, aside from cloud, include management and C-level issues, the business value of technology, green and environmental issues and careers to name but a few.