To business executives, information security is essential at all times across all lines of business. The vast majority of modern business units and processes rely on IT systems. The heavy reliance on technology has led to an alarming uptick in cyberattacks. Businesses of all sizes and across all industries are targets.
In the event of a cyber security breach, the business and its users’ private information are at risk for theft and exploitation. Implementing and maintaining company-wide security requires an expert and leader to define, plan, audit, adjust, and respond. This has become the role of the Chief Information Security Officer.
Cyber security professionals who are interested in moving up to senior managerial positions should review how to become a CISO, including the knowledge and skills needed and methods for obtaining them.
The first step toward pursuing a senior management position is learning the key responsibilities of the role and the training and skills necessary to excel in that role. Before you can be confident that the CISO position is the right direction for your career, you need to understand an officer’s daily tasks as well as their long-term purpose.
The role and responsibilities of Chief Information Security Officer
The role of a Chief Information Security Officer (CISO) varies among organizations.
Respondents to a survey conducted in August 2017 by Ponemon Institute LLC, “The Evolving Role of CISOs and Their Importance to the Business,” said the Chief Information Security Officer’s responsibilities include setting the organization’s security strategy and related initiatives (67%); setting the security mission (61%); and informing the organization about new threats, technologies, practices, and compliance requirements (60%).
C-suites recognize cyber security cannot be purely preventative. Cyber attacks are inevitable, which makes cyber security even more important to an organization’s ability to quickly identify and respond to an attack and then maintain its reputation.
Chief Information Security Officer Responsibilities
Among the range of dynamic skills needed to be a Chief Information Security Officer, a CISO is responsible for:
- Preparing for advanced persistent threat attacks, data leaks, and Distributed Denial-of-Service (DDoS) attacks
- Identifying and stopping cyber security breaches
- Providing high-quality responses to business units and customers regarding cyber security incidents
As a CISO, you must be prepared to work with an organization’s highest managers and executives. The CISO influences senior management and enforces its policies, which means the CISO works closely with the C-suite. In the Ponemon Institute’s survey, 65% of respondents said the CISO reports to senior executives (roles no more than three steps below the CEO on the organizational chart), and 60% said the Chief Information Security Officer has a direct channel to the CEO in the event of a serious security incident.
Demonstrating value to the company
Preventing and responding to cyber security threats and breaches is essential, but the C-suite requires more. Respondents to the Ponemon Institute’s survey ranked the CISO’s most important mission as ensuring availability of IT services and prevention of downtime, with a score of 1.77 on a scale of 1 to 5, where 1 is the most important.
The second most important mission was protecting sensitive and confidential information (score 2.35). The remaining three of the top five missions were ensuring compliance with policies and regulations (score 2.94), preventing damage to IT infrastructure (score 3.65), and preserving customer trust (score 3.97).
Chief Security Officer vs Chief Information Security Officer
Titles for security professionals vary from organization to organization. One business may utilize a CISO while another has a Chief Security Officer (CSO) or a Chief Information Officer (CIO). These roles are similar, though each role will differ based on the business’s needs and structure.
In 2014, CIMCOR described the CSO as a top executive responsible for an entire organization’s security needs and for communicating the organization’s needs, risks, and threats to management. The CISO role was responsible for creating and implementing security initiatives that align with business objectives. At the time of these definitions, corporate executives had little confidence in CISOs as leaders, which led to a distinction between security officers involved in leadership and those relegated to operational duties.
The role of a security officer has evolved, and now either a CSO or CISO, or both, may be found working with the top leadership of an organization. When applying to high-level security officer positions, no matter the title, you should carefully review the organization’s description of the role and its position within the business’s hierarchy.
To be successful in the CISO role, you must be able to promote collaboration between IT security and other business units. In ServiceNow’s “The Global CISO Study,” developed from original research conducted in early 2017, most Security Response Leaders (those who assessed themselves as highly effective at protecting their organizations against several kinds of attacks) said their company saw internal collaboration as critical to security (97%). Security officers must be able to work closely with IT departments and other business units on a daily basis. The CISO should consult on any projects that could create or affect security exposure for the organization.
In addition to collaboration, ServiceNow found several common characteristics among Security Response Leaders, including:
- Focus on automation, including automating more strategic risks
- Tight integration with functions across the organization
- Strong relationships between IT and security
- Understand that the ability to prioritize security alerts according to their relevance to the organization is critical to the success of security
- See security as a core strategic goal of the organization
To succeed as a CISO, you must have the skills necessary to advocate for security across the organization, collaborate, and build strong relationships with others, and advance automation to improve detection and response.
Chief Information Security Officer knowledge, skills and abilities
You need certain knowledge, skills, and abilities (KSAs) to excel in the CISO role. The CISO position continues to evolve, though for the purpose of career strategizing, it can be seen as a marriage between a chief executive position and a security manager.
According to O*NET Online, sponsored by the U.S. Department of Labor, Employment & Training, chief executives and security managers share many KSAs, but each role has unique aspects you will need to develop.
| Knowledge, skill or ability | Chief Executive | Security Manager |
|---|---|---|
| Administration and Management | ✅ | ✅ |
| Personnel and Human Resources | one role only | one role only |
| Customer and Personal Service | ✅ | ✅ |
| Law and Government | one role only | one role only |
| Public Safety and Security | one role only | one role only |
| Education and Training | one role only | one role only |
| Judgement and Decision Making | ✅ | ✅ |
| Complex Problem Solving | one role only | one role only |

Rows marked ✅ in both columns are KSAs that O*NET lists for both roles; rows marked “one role only” are KSAs that O*NET lists for just one of the two roles.
To become a CISO, you’ll need to build your skills as a critical listener and a strong oral and written communicator. Developing these skills can come from coursework if you return to school for a master’s degree. You also can take on volunteer roles within professional and non-profit organizations. Joining an array of professional networking opportunities can help you develop listening and speaking skills among a diverse group of people.
You need to hone your critical thinking skills, including the use of inductive and deductive reasoning and complex problem-solving. This takes practice as well as learning from those who have developed these skills over time. Working with a mentor can help you enhance your sensitivity to problems and talk through logical and effective solutions.
It is difficult to reach the Chief Information Security Officer position without specific certifications.
Possible certifications could include:
- CISA: Certified Information Systems Auditor
- CISM: Certified Information Security Manager
- GSLC: GIAC Security Leadership
- CCISO: Certified Chief Information Security Officer
- CGEIT: Certified in the Governance of Enterprise IT
- CISSP: Certified Information Systems Security Professional
- CISSP-ISSMP: Information Systems Security Management Professional
Completing a relevant master’s degree gives you a leg up when applying to CISO roles.
If pursuing a CISO position is right for you, then you may wish to explore online master’s in cyber security programs.