Job Description: What Does a CISO Do?
A CISO is the executive-level manager who sets the strategy, directs the operations and owns the budget for protecting the enterprise's information assets, and who is accountable for the resulting security program. The scope of responsibility encompasses communications, applications and infrastructure, including the policies and procedures that govern them.
This position can have different titles for the same or similar duties. Note that the Chief Information Officer (CIO) is a distinct role, not an alternative title: the CISO frequently reports to the CIO or to another executive. Common alternative titles include:
- Chief Security Officer (CSO)
- Information Systems (IS) Security Manager
- Corporate Security Executive
- Information Security Director
CISO Responsibilities & Duties
For a large enterprise, the CISO or their direct reports will:
- Direct and approve the design of security systems;
- Ensure that disaster recovery and business continuity plans are in place and tested;
- Review and approve security policies, controls and cyber incident response planning;
- Approve identity and access policies;
- Review investigations after breaches or incidents, including impact analysis and recommendations for avoiding similar vulnerabilities;
- Maintain a current understanding of the IT threat landscape for the industry;
- Ensure compliance with changing laws and applicable regulations;
- Translate threat and regulatory knowledge into identified risks and actionable plans to protect the business;
- Schedule periodic security audits;
- Oversee identity and access management;
- Make sure that cyber security policies and procedures are communicated to all personnel and that compliance is enforced;
- Manage all teams, employees, contractors and vendors involved in IT security, which may include hiring;
- Provide training and mentoring to security team members;
- Constantly update the cyber security strategy to leverage new technology and threat information;
- Brief the executive team on status and risks, including taking the role of champion for the overall strategy and necessary budget; and
- Communicate best practices and risks to all parts of the business, outside IT.
Generally the CISO takes a management role in implementing these responsibilities. In a smaller enterprise, the CISO may be directly involved in executing some or all of these measures, or may provide oversight of the vendors who perform them.
Professional certifications commonly expected or preferred for the role include:
- Certified Information Systems Security Professional (CISSP)
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)
- Certified in the Governance of Enterprise IT (CGEIT)
- Certified in Risk and Information Systems Control (CRISC)
- Information Systems Security Management Professional (CISSP-ISSMP)
CISO Soft Skills
Successful CISOs bring strong leadership and people management abilities. In their executive role, they must use strategic thinking to identify risks and trends and stay ahead of the threats to the environment they protect. To do this they must understand multiple complex systems and technologies at a detailed level in a constantly changing threat environment. Both long-term plans and ad hoc responses must dovetail with the company's strategy and budget.
Excellent communication, documentation and presentation skills will speed acceptance and support for their recommendations and plans.
A flexible, organized work style is necessary to balance the need for comprehensive, detailed analysis against the instances where they must respond quickly to crises that arrive without warning. The CISO must grasp the issue, identify a resolution plan for the security staff and execute quickly.
CISO Degree and Education Requirements
A bachelor's degree in Computer Science, IT Security or a related field is generally considered the minimum for this position. Some employers require a master's degree in one of these fields, as well as specialized training and professional certifications.
CISO Work Experience
These executive positions usually require at least ten to twelve years' experience in IT and security, including a minimum of five years in IT security management.
The following are some of the hard skills that are required, or useful, depending on the type of work being done:
- Network security including TCP/IP, communication protocols and vulnerabilities;
- Technical knowledge of different types of hardware and storage, plus forensic skills such as disk imaging and file system analysis;
- Regulatory compliance knowledge, including HIPAA, SOX, PCI DSS and GLBA, and familiarity with frameworks such as NIST's;
- Understanding of Federal, State and Local laws concerning data acquisition, protection and transmission;
- Information Technology Infrastructure Library (ITIL), COBIT, ISO standards and other applicable IT management methods and toolsets;
- Standard enterprise and personal operating systems, such as Windows, Linux, macOS and UNIX;
- Familiarity with multiple software types at the application and enterprise levels;
- Mobile operating systems, applications and security protocols;
- Protective controls against malware, intrusion and other threats;
- Secure coding practices for standard languages, such as C, C++, Java and others;
- Policies and procedures for secure computing;
- Risk assessment experience.