[BreachExchange] What is a CISO? Responsibilities and requirements for this vital leadership role

Destry Winant destry at riskbasedsecurity.com
Wed Jan 16 07:53:51 EST 2019


https://www.csoonline.com/article/3332026/it-careers/what-is-a-ciso-responsibilities-and-requirements-for-this-vital-leadership-role.html#tk.rss_news

CISO definition

The chief information security officer (CISO) is the executive
responsible for an organization's information and data security. While
in the past the role has been rather narrowly defined along those
lines, these days the title is often used interchangeably with CSO and
VP of security, indicating a more expansive role in the organization.

Ambitious security pros looking to climb the corporate ladder may have
a CISO position in their sights. Let's take a look at what you can do
to improve your chances of snagging a CISO job, and what your duties
will entail if you land this critical role. And if you're looking to
add a CISO to your organization's roster, perhaps for the first time,
you'll want to read on as well.

CISO responsibilities

What does a CISO do? Perhaps the best way to understand the CISO job
is to learn what day-to-day responsibilities fall under its
umbrella. While no two jobs are exactly the same, Stephen Katz, who
pioneered the CISO role at Citigroup in the '90s, outlined the areas
of responsibility for CISOs in an interview with MSNBC. He breaks
these responsibilities down into the following categories:

- Security operations: Real-time analysis of immediate threats, and
triage when something goes wrong
- Cyberrisk and cyber intelligence: Keeping abreast of developing
security threats, and helping the board understand potential security
problems that might arise from acquisitions or other big business
moves
- Data loss and fraud prevention: Making sure internal staff doesn't
misuse or steal data
- Security architecture: Planning, buying, and rolling out security
hardware and software, and making sure IT and network infrastructure
is designed with best security practices in mind
- Identity and access management: Ensuring that only authorized people
have access to restricted data and systems
- Program management: Keeping ahead of security needs by implementing
programs or projects that mitigate risks — regular system patches, for
instance
- Investigations and forensics: Determining what went wrong in a
breach, dealing with those responsible if they're internal, and
planning to avoid repeats of the same crisis
- Governance: Making sure all of the above initiatives run smoothly
and get the funding they need — and that corporate leadership
understands their importance

For a deeper dive, check out the whitepaper from SANS, "Mixing
Technology and Business: The Roles and Responsibilities of the Chief
Information Security Officer."

CISO requirements

What does it take to be considered for this role? Generally speaking,
a CISO needs a solid technical foundation. Cyberdegrees.org says that,
typically, a candidate is expected to have a bachelor's degree in
computer science or a related field and 7-12 years of work experience
(including at least five in a management role); technical master's
degrees with a security focus are also increasingly in vogue. There's
also a laundry list of expected technical skills: beyond the basics of
programming and system administration that any high-level tech exec
would be expected to have, you should also understand some
security-centric tech, like DNS, routing, authentication, VPN, proxy
services and DDoS mitigation technologies; coding practices, ethical
hacking and threat modeling; and firewall and intrusion
detection/prevention protocols. And because CISOs are expected to help
with regulatory compliance, you should know about PCI, HIPAA, NIST,
GLBA and SOX compliance assessments as well.

But technical knowledge isn't the only requirement for snagging the
job — and may not even be the most important. After all, much of a
CISO's job involves management and advocating for security within
company leadership. IT researcher Larry Ponemon, speaking to
SecureWorld, said that "the most prominent CISOs have a good technical
foundation but often have business backgrounds, an MBA, and the skills
needed to communicate with other C-level executives and the board."

Paul Wallenberg, Senior Unit Manager of Technology Services at
staffing agency LaSalle Network, says that the mix of technical and
nontechnical skills by which a CISO candidate is judged can vary
depending on the company doing the hiring. "Generally speaking,
companies with a global or international reach as a business will look
for candidates with a holistic, functional security background and
take the approach of assessing leadership skills while understanding
career progression and historical accomplishments," he says. "On the
other side of the coin, companies that have a more web and product
focused business lean on hiring specific skillsets around application
and web security."

CISO certifications

As you climb the ladder in anticipation of a jump to CISO, it doesn't
hurt to burnish your resume with certifications. As Information
Security puts it, "These qualifications refresh the memory, invoke new
thinking, increase credibility, and are a mandatory part of any sound
internal training curriculum." But there are a somewhat bewildering
number to choose from — Cyberdegrees.org lists seven. We asked LaSalle
Network's Wallenberg for his picks, and he gave us a top three:

- "Certified Information Systems Security Professional (CISSP) is for
IT professionals seeking to make security a career focus."
- "Certified Information Security Manager (CISM) is popular for those
who are looking to climb the ladder within the security discipline and
transition into leadership or program management."
- "Certified Ethical Hacker (CEH) is for security professionals
looking to obtain an advanced awareness of issues that can threaten
enterprise security."

CISO vs. CIO vs. CSO

Security is a role within an organization that inevitably butts heads
with others, since a security pro's instincts are to lock down systems
and make them harder to access — something that can conflict with IT's
job of making information and applications available in a frictionless
way. The way that drama plays out at the top of the org chart can be
as a CISO vs. CIO battle, and the contours of that fight are often
established by the lines of reporting within an organization.
(CSO discussed this in depth in the article "Does it matter who the
CISO reports to?") Even though both titles have "C" in the name, it's
relatively common for CISOs to report to CIOs, which can constrain the
CISO's ability to execute strategically, as their vision ends up being
subordinated to the CIO's overall IT strategy. CISOs definitely gain
clout when they report directly to the CEO or the board, which is
becoming an increasingly common practice. This might involve a change
of title — according to the Global State of Information Survey 2018,
CISOs are more likely to be subordinated to a CIO, whereas a security
exec with the title of Chief Security Officer (CSO) is more likely to
be on the same level as the CIO — and to have non-tech security
responsibilities to boot.

Placing CIOs and CISOs on equal footing can help tamp down conflict,
not least because it sends a signal to the whole organization that
security is important. But it also means that the CISO can't simply be
a gatekeeper vetoing technical initiatives. As Ducati CIO Piergiorgio
Grossi told i-CIO magazine, "it’s up to the CISO to help the IT team
provide more robust products and services rather than simply saying
'no.'" This shared responsibility for strategic initiatives changes
the dynamics of the relationship — and can mean the difference between
success and failure for new CISOs.

CISO job description

If you're part of a search for a promising CISO for your organization,
part of that involves writing a job description — and much of what
we've discussed so far lays the foundation for how you'd approach
that. "Companies first decide if they want to hire a CISO and obtain
approvals for the level, reporting structure, and official title for
the position — in smaller companies, CISOs can be VPs or Director of
Security," says LaSalle Network's Wallenberg. "They also need to set
the minimum requirements and qualifications of the role, and then go
to market for external candidates or post for internal applicants."

CSO Senior Editor Michael Nadeau lays out in some detail how you'd
approach writing a CISO job description. One of the important things
he points out is that your description should make your organization's
commitment to security very clear from the get-go, because that's how
you're going to attract a high-quality candidate. You should highlight
where the new CISO will end up on the org chart and how much board
interaction they'll have to really make this point clear. Another
important point he makes is to keep the job description fresh, even if
you have someone in the role — after all, you never know when that
person will move on to another opportunity, and this is a crucial job
that you don't want to leave unstaffed.

CISO salary

CISO is a high-level job and CISOs are paid accordingly. Predicting
salaries is more of an art than a science, of course, but the strong
consensus is that salaries above $100,000 are typical. As of this
writing, ZipRecruiter has the national average at $153,117; Salary.com
pegs the typical range even higher, as between $192,000 and $254,000.

If you check out Glassdoor, you can see salary ranges for current CISO
job openings, which can help you get a sense of which sectors pay more
or less. For instance, at this writing there's an open CISO position
in the federal government that pays between $164,000 and $178,000, and
one at the University of Utah that pays between $230,000 and $251,000.

CISO jobs

The CISO job landscape is always changing, and CSO has plenty of
material to keep you up to date — how to get a CISO job, and how to
navigate the career landscape. You might want to check out:

- "A CISO’s guide to avoiding certain CISO jobs": Not all CISO jobs
are created equal, and some will set you up for failure that can have
negative career implications down the line. Here are some tips on red
flags to watch out for.
- "Why do CISOs change jobs so frequently?": The average CISO only
stays on the job for 24-48 months, according to market research. Find
out what these fast moves mean for the industry and how you can react.
- "What is a virtual CISO?": C-level execs aren't immune to the trend
towards "on-demand" employees who work on part time contracts rather
than occupying full-time positions. This article will explain what
virtual CISOs can and can't do, which is important if you're competing
against them for jobs — or want to become one yourself.
