CISO (chief information security officer)
What is a CISO (chief information security officer)?
The CISO (chief information security officer) is a senior-level executive responsible for developing and implementing an information security program, which includes procedures and policies designed to protect enterprise communications, systems and assets from both internal and external threats.
The chief information security officer may also be referred to as the chief security architect, the security manager, the corporate security officer or the information security manager, depending on the company’s structure and existing titles. When the CISO is also responsible for the overall corporate security of the company, which includes its employees and facilities, he or she may simply be called the chief security officer (CSO).
CISO role and responsibilities
In addition to responding to data breaches and other security incidents, the CISO is tasked with anticipating, assessing and actively managing new and emerging threats. The CISO must work with other executives across different departments to align security initiatives with broader business objectives and mitigate the risks various security threats pose to the organization’s mission and goals.
The chief information security officer’s duties may include conducting employee security awareness training, developing secure business and communication practices, identifying security objectives and metrics, choosing and purchasing security products from vendors, and ensuring that the company is in regulatory compliance with the rules for relevant bodies, and enforcing adherence to security practices.
Other duties and responsibilities CISOs perform include ensuring the company’s data privacy is secure, managing the Computer Security Incident Response Team and conducting electronic discovery and digital forensic investigations.
One of the most important duties is to manage the Cyber Incident Management Process.
Cyber Incident Management is a structured approach, and is composed of four phases:
1. Preparation: policies, stakeholder notification and technology acquisition.
2. Detection: detecting and confirming an incident has occurred; categorising the nature of the incident and then prioritising the incident.
3. Containment, Eradication and Recovery: minimising the loss or theft of information or service disruption; eliminating the threat and restoring services quickly and securely.
4. Post-Incident Activity: Submit a formal closure report including lessons learned. This report must also contain recommendations for improvement, mitigation of exploited weaknesses and additional security controls to prevent similar incidents from occurring in the future.
The sensitivity of information communicated during all phases of incident response must be carefully considered. Any Information Security Policy should define data classification levels in use across the company.
The first phase deals with preparing a team to be ready to handle an incident at short notice. Regardless of the cause of the incident, preparation is the most crucial phase, as it will determine how well the team will be able to respond to the event.
CISO qualifications and certifications
A CISO is typically a skilled leader and manager with a strong understanding of information technology and security, who can communicate complicated security concepts to both technical and non-technical employees.
CISOs should have experience with risk management and auditing.
Many companies require CISOs to have advanced degrees in business, computer science or engineering, and to have extensive professional working experience in information technology. CISOs also typically have relevant certifications such as Certified Information Systems Auditor and Certified Information Security Manager, issued by ISACA, as well as Certified Information Systems Security Professional, offered by (ISC)2.
According to the U.S. Bureau of Labor Statistics, computer and information systems managers, including CISOs, earned a median annual salary of $131,600 as of May 2015. According to Salary.com, the annual median CISO salary is $197,362.
CISO salaries appear to be increasing steadily, according to research from IT staffing firms. In 2016, IT staffing firm SilverBull reported the median CISO salary had reached $224,000.