A Chief Information Security Officer (CISO) is a senior-level executive accountable for overseeing all strategic, operational, and financial aspects of data protection and data management. CISOs typically work with fellow executives in an organization to establish policies and procedures that ensure protection of information assets and technology. CISOs oversee security of customer and company information as well as infrastructure and assets. The role of a CISO in organizations is becoming increasingly more important to the strategy and protection of a business as the threat landscape continuously evolves.
What does a CISO do?
It can be difficult to summarize the many responsibilities CISOs undertake. Often times, aspects of a CISOs job are directly correlated to the size of the company.
CISOs are now a crucial part of many organizations' executive teams. It is paramount that CISOs are prepared for fast paced change in keeping up with regulatory compliance, policies, security architecture, and the processes necessary to thwart data threats and effectively secure the company’s data and information. CISOs are ultimately risk management executives that maintain an organizations information security programs. Compliance and risk management are key components to the elements of the CISO role.
CISOs are also tasked with managing IT professionals within an organization (depending on the company’s size). CISOs will typically be in charge of hiring IT personnel to carry out security strategies. Senior IT leaders and managers report directly to the CISO of their organizations. IT teams are a significant part of the implementation of policies and procedures for data maintenance and security throughout the organization.
CISOs must make certain that all members of an organization are complying with policies to ensure internal protection from a cyber event. Governance of the internal security health of an organization is equally as important as protection from outside threats. Implementation of cybersecurity education and training to employees within an organization is crucial for a CISO and his or her team to track and manage internal risk. This is an ongoing responsibility for CISOs.
CISOs develop procedures and protocol for organizations when a cyber event does occur. Whether internal or external, a CISO must be able to quickly assess the situation and have a recovery plan in place in the event of a cyber incident like a data breach. A CISO may even appoint an Emergency Response Team or other specific team to help tackle security breaches that may occur or have already occurred in an organization.
CISOs must also be financially responsible after assessing an organization’s risk. It is a significant portion of a CISOs job to be able to properly allocate funds where they are best needed for adequate protection of an organization. A CISOs budget can be dispersed throughout their many responsibilities. It imperative that a CISO manages the budget to fit the security demand of the organization.
The first CISO, Steve Katz, named CISO by CitiGroup after it suffered cyberattacks in from a Russian hacker in the early 1990s named these important responsibilities for CISOs in an interview in 2018:
The first cybersecurity executive position was created back in 1994 when Steve Katz assumed the role for CitiGroup. The need for CISOs in organizations has grown exponentially in the decades since then. Different versions of security and technology executive offices have emerged since then as well such as Chief Information Officers (CIOs) and Chief Technology Officers (CTOs). CISOs often work along side these executives to protect and manage the data security of organizations.
Other versions of CISOs like Virtual Chief Information Security Officers (vCISO) have also emerged. vCISOs provide an affordable, outsourced CISO to companies who may not have the financial means to cover the salary of the addition of a c-suite executive. vCISOs provide oversight of data protection and cybersecurity to protect an organization just as a CISO would, but without the hefty price tag.
With ever-increasing and evolving threats in the cybersecurity landscape, it is imperative that organizations protect information and technology assets internally and externally. No matter the size or industry of the organization, the need for data protection and security is only increasing with time, technology, and innovation. The role of a CISO assumes responsibility and evolves accordingly.