Job Description: What Does a CISO Do?

A CISO is the executive-level manager who directs strategy, operations and the budget for the protection of the enterprise information assets and manages that program. The scope of responsibility will encompass communications, applications and infrastructure, including the policies and procedures which apply.

This position can have different titles for the same or similar duties:

  • Chief Information Technology Officer (CIO)
  • Information Systems (IS) Security Manager
  • Corporate Security Executive
  • Information Security Director

CISO Responsibilities & Duties

For a large enterprise, the CIO or his /her direct reports will:

  • Direct and approve the design of security systems;
  • Ensure that disaster recovery and business continuity plans are in place and tested;
  • Review and approve security policies, controls and cyber incident response planning;
  • Approve identity and access policies;
  • Review investigations after breaches or incidents, including impact analysis and recommendations for avoiding similar vulnerabilities;
  • Maintain a current understanding the IT threat landscape for the industry;
  • Ensure compliance with the changing laws and applicable regulations;
  • Translate that knowledge to identification of risks and actionable plans to protect the business;
  • Schedule periodic security audits;
  • Oversee identity and access management;
  • Make sure that cyber security policies and procedures are communicated to all personnel and that compliance is enforced;
  • Manage all teams, employees, contractors and vendors involved in IT security, which may include hiring;
  • Provide training and mentoring to security team members;
  • Constantly update the cyber security strategy to leverage new technology and threat information;
  • Brief the executive team on status and risks, including taking the role of champion for the overall strategy and necessary budget; and
  • Communicate best practices and risks to all parts of the business, outside IT.

Generally the CISO will take a management role to implement these responsibilities. For a smaller enterprise, the CIO may be involved in execution of some or all of these measures or provide oversight for vendors.