Cybersecurity as a function is not an option for today’s organizations. It’s essential for managing business risk, protecting core assets and helping to drive business growth.
At the head of this department sits the chief information security officer (CISO). Sometimes they may have an alternative job title. Most, if not all, medium and large enterprises will employ an individual to handle IT and data security strategy.
Whether they’re called a CISO, VP of security, information security officer, director of information security, information security manager, or something else, the role is the same.
It’s dedicated to supporting the business by managing cybersecurity risk, developing long-term strategy and running the information security or cybersecurity function.
In this article Infosecurity explains what a CISO is, the core skills needed to do the job and their responsibilities.
CISO Responsibilities
As the C-suite executive in charge of cybersecurity, CISOs have a long list of responsibilities that include:
- Developing security strategy, including key policies to continuously manage cyber risk across the enterprise
- Developing and coordinating incident response, disaster recovery and business continuity plans
- Creating and managing security awareness programs for employees
- Ensuring the organization remains compliant with relevant regulations, codes of practice, industry standards and other frameworks
- Liaising with the rest of the C-suite to align security with business objectives
- Reporting to the board and/or senior leadership
- Selecting and managing cybersecurity investments
- Creating a security-first culture that runs through the organization
Why the CISO is Important
CISOs are not always taken as seriously as they should be by senior leadership. One study revealed that 79% have felt boardroom pressure to downplay the severity of cyber-risks facing their organization, while a third (33%) have been dismissed out of hand.
Yet such attitudes are changing, largely because cybersecurity is rightly no longer viewed as a matter purely for the IT department. Cyber risk is a critical business risk, with a potentially major impact on the bottom line and corporate reputation.
Consider the financial and reputational damage a serious security breach could cause. Compliance fines, lost productivity, customer churn and even a negative impact on share price are all possible outcomes. Cyber risk can also derail important digital transformation initiatives and even lead to job losses – including among the C-suite.
From a more positive perspective, the CISO does not just help their organization to understand, mitigate and manage these risks.
By creating the right security-centric culture, they can also provide a solid foundation for business transformation projects, expansion into new markets, preserving competitive advantage, and even driving up the share price.
Who the CISO Works With
Reporting lines will vary depending on the organization. In some businesses, the CISO sits on the board. In others, they are more of a support role, reporting into a more senior member of the C-suite. In the largest organizations, they may have a regional rather than global remit.
According to a study from executive search company Heidrick & Struggles, the most common roles the CISO reports to are (in order of importance): CIO, CTO, COO, Global CISO, chief risk officer, CFO, and general counsel.
The CISO in turn will have a potentially large number of functions reporting into them, including: security operations, penetration testing, governance, risk and compliance (GRC), security architecture, cloud security, product security, business information security officers (BISOs), trust, crisis management, networking/infrastructure, physical security, and privacy.
Understanding the CISO's Role
A typical CISO role is usually split between the here and now – protecting cyber assets and managing risk – and longer-term strategy.
“CISOs are typically tasked with aligning security and compliance efforts with business strategy and goals, implementing robust risk management practices and incident response plans, and developing long-term cybersecurity strategies,” Model N CISO, Chirag Shah, told Infosecurity.
“They are also responsible for implementing robust security policies to protect sensitive data and ensuring compliance with regulatory requirements, managing daily security operations, and protecting digital assets from a broad spectrum of threats including insider threats, phishing attacks, and malware. CISOs also play a crucial role in managing technological innovation, such as adopting cloud services, AI, and IoT, while mitigating associated security risks.”
Protecting Information Assets
Take any organization and its most important assets are likely to be similar. Customer and employee data is highly regulated by GDPR and similar data protection laws around the world.
Then there’s intellectual property – the trade secrets which could erode competitive advantage if discovered. Increasingly, the IT environment itself is also a target for adversaries, who use ransomware to lock down critical systems and force payment.
Managing Cybersecurity Risks
An ideal cybersecurity program would balance the need for cyber-resilience, protective measures such as anti-malware, and proactive detection and response. It would require continuous monitoring of the attack surface to understand when assets are exposed – for example, unpatched vulnerabilities or misconfigured systems – and processes to automatically remediate these issues.
A mature cybersecurity program would follow best practices in vulnerability and patch management, data security, identity and access management (IAM), and much more. Incident response and network monitoring/XDR are also important. They’re based on the premise that threats will always sneak through, but if caught early enough they can be contained with minimal impact on the organization.
Driving Strategic Initiatives
In the longer term, the CISO also needs to focus on strategy. Cybersecurity is a critical business enabler, but to fulfil its role it must be aligned with business goals.
That means the CISO must be able to assess and quantify cyber risk continuously in a business-centric manner, and ensure that security is built into new products and services from the outset.
More broadly, this is all about creating a security-first culture in the organization. Cultural change of this sort can be challenging and time consuming, but it’s a lot easier to manage cyber risk in the enterprise if every employee understands the importance of following best practice. It’s the CISO’s job to get buy-in to this vision from the board down.
Essential Skills and Strategies for CISOs
Essential skills for a CISO include a combination of technical expertise, business acumen and leadership skills.
Shah explained, “They need strong communication abilities to convey complex security concepts to non-technical stakeholders, a deep understanding of regulatory compliance and risk management, and the capacity to stay informed about emerging cybersecurity trends and technologies.”
Risk Management Mastermind
At its heart, cybersecurity is about managing cyber-related risk in line with the risk appetite of the organization. But to do so, the CISO must understand the underlying technology. That’s why most CISOs have prior experience working in technology infrastructure (42%), software engineering (10%) or applications (7%). This is where the job can be seen either as dynamic or relentless. If anything, the pace of technology innovation is accelerating, meaning there’s always something new to learn. And risk doesn’t stand still either. According to Heidrick & Struggles, most CISOs believe cyber risks will be different in five years, with AI, geopolitics and cyber-attacks topping the priority list.
Communication and Business Skills
The CISO is a critical conduit between the technology function and the board. A large part of the role is about explaining tech-related risk in a language the board understands – giving senior leaders the information they need to make better decisions while ensuring cyber remains a top priority.
That requires business acumen, good communication skills and a solid grasp of tech details.
Unfortunately, CISOs are not always successful in doing so. One report claims only half (54%) of respondents are confident their C-suite completely understands the cyber-risks facing the organization. That figure has barely moved since 2021 (50%).
The Evolving CISO Landscape
As long as the technology, business, compliance and threat landscapes continue to evolve, so will the role of the CISO.
“They must adapt to new technologies like AI and machine learning in cybersecurity operations, while also focusing on collaboration and information sharing with other organizations to address common security challenges,” said Shah. “Evolution of next-gen technologies requires CISOs to constantly adapt strategies and technologies to stay ahead of these threats. Additionally, industry-specific standards impose stricter data protection and privacy mandates. This compels CISOs not only to focus on technical security but also on ensuring alignment of compliance requirements.”
Emerging Threats: Ransomware, AI Vulnerabilities
New tactics, techniques and procedures (TTPs) are emerging every day. Ransomware is arguably the biggest threat facing CISOs, and the pace of threat actor innovation will only increase with the help of AI tools. Malicious groups are not only using AI to help craft attacks, they’re also finding ways to poison models and probe for vulnerabilities in AI systems. CISOs must help to mitigate all of these risks.
Changing Compliance Demands
Compliance is a major part of the CISO’s role, and it’s another area in constant flux, as regulators struggle to keep up with tech innovation. Best practice standards like ISO 27001 are an essential way to enhance cyber risk management, while regulations like GDPR and the EU AI Act have strict penalties for non-compliance.
Talent Challenges: Building Teams and Attracting Talent
A CISO is only as good as the team around them. Unfortunately, there’s a global shortfall of nearly five million security professionals today, and the figure is rising all the time. CISOs must fight for budget and look for talent in new places, focusing on transferable skills as much as certifications.
What Comes Next?
According to Heidrick & Struggles, 40% of companies don’t have a succession plan for the CISO role. That’s concerning given 76% of CISOs are open to changing companies in the next three years. The stresses of the role mean others still may consider early retirement. But whatever their plans, it’s never been a more important time to be a CISO.
Conclusion
In today's dynamic threat landscape, the CISO plays a multifaceted and indispensable role. While technical expertise is foundational, successful CISOs must possess strong business acumen and leadership skills.
The CISO's core responsibility lies in safeguarding critical assets, mitigating cyber risks, and proactively addressing emerging threats. By embracing a proactive and strategic approach, CISOs can effectively guide their organizations towards a more secure and resilient future.