A Chief Information Security Officer (CISO) is responsible for information and data security across the organization. Compared to positions such as Chief Security Officer (CSO) or head of the security department, the CISO's range of duties is broader.
As companies digitize, software permeates the entire organization and significantly increases the IT attack surface. That is why the role of the CISO is gaining in importance, and it is worthwhile to take a closer look at the specific responsibilities, tasks and requirements of this management position.
A CISO bridges the gap between the traditionally separate disciplines of IT, security and the business of a company. The position develops the IT security strategy based on the business goals and thus ensures the necessary level of protection without hindering the agility of modern business processes.
In day-to-day work, a CISO is responsible for areas such as: security operations, cyber risk and intelligence, protection against data loss and fraud, security architecture, identity and access management (IAM), program management, forensics and governance. As part of an Information Security Management System (ISMS), a CISO also audits IT security and reports the results to management.
IT security affects the entire organization at every level, so a CISO must take a holistic approach to security. Technology and organization, as well as culture and the supply chain, are important factors to keep in mind. The IT security manager is also responsible for reputation management and communication measures in the event of a crisis.
A CISO typically reports to the Chief Information Officer (CIO), or in other cases directly to the Chief Executive Officer (CEO) or executive management, since IT security is only one part of the CISO's duties. The role also covers the security and risk management of all other (non-digital) information assets of a company, such as paper records.
The duties of a CISO are as varied as the companies they work for. Stephen Katz gave a good overview of the basic aspects of the daily work in an interview. Katz is credited with pioneering the CISO role, which he defined and held at Citigroup in the 1990s. He divides the duties as follows:
- Data Loss and Fraud Prevention: Ensure that employees do not misuse or steal data, whether accidentally, negligently or intentionally.
- Security Operations: Analyze immediate threats in real time and coordinate immediate countermeasures in the event of an emergency.
- Cyber Risk and Intelligence: Stay informed about new security threats. Assist the board of directors in understanding potential security risks arising from acquisitions or other business decisions.
- Security Architecture: Plan, procure and commission security hardware and software. Ensure that IT and network infrastructure are designed according to the most appropriate security best practices.
- Identity and Access Management (IAM): Ensure that only authorized personnel have access to sensitive, proprietary data and systems.
- Program Management: Meet emerging security needs by implementing programs and projects that eliminate risk. This includes, for example, regular system patching.
- Troubleshooting and Forensics: Find out what went wrong in a data breach, hold those responsible accountable if they come from within the organization, and develop plans to prevent similar crises in the future.
- Management: Ensure that all of the above initiatives run smoothly, are adequately funded, and that senior management understands their importance.
The training provider SANS Institute has summarized a comprehensive description of the duties of a CISO in a white paper (PDF).
The position of a CISO requires a solid technical education. According to Cyberdegrees.org, an information portal for IT security students, a CISO needs at least a bachelor's degree in computer science or a related field. Increasingly, however, a master's degree with a focus on security is also expected. In addition, seven to twelve years of professional experience are required, of which at least five in a managerial position.
A CISO must also possess a range of technical skills. Basic knowledge of programming and systems administration is something every senior technical manager needs. Beyond that, however, knowledge of security technology is important: DNS, routing, authentication, VPN, proxy services and DDoS mitigation, programming practices, ethical hacking, threat modeling and analysis, firewalls, and protocols for detecting and preventing breaches.
The human factor is also increasingly at the center of the CISO's work. Attackers use sophisticated phishing, email fraud or social engineering to circumvent companies' technical protection measures. This makes raising awareness and training employees through security awareness measures an important task for those responsible for security.
In addition, a CISO must have knowledge in the field of compliance in order to support adherence to legal requirements. Depending on the industry and core business, these include, for example, the GDPR, IT-Grundschutz (IT baseline protection), KRITIS (critical infrastructure) regulations or PCI specifications. Internationally operating companies must also observe other standards such as HIPAA, CCPA, NIST, GLBA or SOX.
Because CISOs perform management tasks and ideally maintain close contact with board members, technical knowledge alone is not sufficient to qualify for this position. Larry Ponemon, founder of the research institute of the same name, told "SecureWorld": "The most successful CISOs have a good technical foundation combined with a business background." For example, they hold an MBA degree and can communicate on an equal footing with other C-level managers or the board.
According to Paul Wallenberg, manager at the recruiting firm LaSalle Network, the non-technical skills required are very specific to the company. "Internationally operating companies are especially looking for candidates with a holistic, functional security background." They evaluate leadership qualities based on the resume and past performance. Companies with a web or product focus, on the other hand, are looking for CISOs with specific skills in application and web security.
Since there is no fixed training path to becoming a CISO, certifications are intended to convey the necessary specialist skills. The range on offer is wide; Cyberdegrees.org alone lists six. LaSalle manager Wallenberg names three that he considers the most important:
In Germany, some associations and training companies also offer certification for the local market. Here are some examples:
Security officers sometimes tend to lock down systems to make them more secure. This can lead to conflicts with the IT department, which is responsible for making information and applications available as smoothly as possible.
This dispute is most likely to be fought out between the CISO and the CIO. How the company's top management level is organized plays a role here. If a CISO does not report directly to the CEO but to the CIO, this can lead to problems: strategic security decisions may then have to be subordinated to the CIO's overarching IT strategy, which can be detrimental to the level of security.
When a CISO reports directly to the executive board or management, they can assert themselves more strongly. This may also lead to a change of title. According to the Global research into the state of information security 2020 (PDF), a CISO usually reports to the CIO, while a CSO tends to operate at the same hierarchical level as the CIO. The CSO is also responsible for non-technical security issues.
Putting the CIO and CISO on an equal footing can reduce the potential for conflict and signal to the entire organization that security is taken seriously. However, this also means that the CISO should not block technical initiatives. As Ducati CIO Piergiorgio Grossi told i-CIO Magazine, the job of the CISO is to help IT deliver more robust products and services rather than just saying no. This shared responsibility for strategic projects changes the relationship dynamics of the two disciplines and can be the critical success factor for a new CISO.
If a company is looking for a CISO, many of the above points come into play in the job description. "Companies first decide whether to hire a CISO, then they get approvals for the hierarchy level, reporting structure and official title of the position," explains LaSalle executive Wallenberg. In smaller companies, a department head or security director may also become a CISO. Finally, it is important to formulate the minimum requirements and qualifications for the role and to start the internal or external recruitment process.
The job posting itself should make it clear from the outset that the company is committed to security, in order to capture the attention of highly qualified candidates. It helps to describe exactly where the CISO sits in the company hierarchy and how many points of contact with management or the board of directors are planned.
Even when the position is filled, the job description should be regularly updated and kept available. It is not always clear when the employee will move on to a new challenge, and the CISO is a critical position that should not be left vacant.
The CISO is a senior position and is usually paid accordingly, although the amount varies widely. According to salary calculators such as Glassdoor, CISO positions in Germany pay an average of around 107,000 euros per year, with plenty of room both upward and downward. Recruiters, on the other hand, also speak of CISO annual salaries above 200,000 euros, as long as the candidate is the right expert for the specific position.
Our new portal at https://www.csoonline.com/de/ is also highly recommended for all CISOs and those who want to become one.