The expanding role of a CISO

A Chief Information Security Officer (CISO) is a senior-level executive who works in the cybersecurity realm.

Originally concerned with the implementation and management of technical controls, this role has rapidly evolved. The CISO is the person responsible for the Confidentiality, Integrity and Availability (CIA) of the organization's intellectual property and technology assets, among other things. They provide the leadership and guidance necessary to develop and deploy an information security programme to protect company data and manage the increasing risks and threats.


What are the responsibilities of a CISO?

Due to the expanding role, it is difficult to create a single definition of the roles and responsibilities of a CISO, but it will generally include the following:

Governance and security strategy
The CISO will be involved with setting the overall information systems security strategy and they will ensure that it is aligned with the overall corporate strategy and any relevant regulations. As part of this strategy, they will be involved in the development and enforcement of policies, standards and procedures.


Security operations and program management

The CISO needs to ensure that the organization can keep ahead of its security needs by implementing programs and projects for the real-time analysis of threats, the mitigation of risks, and the identification and triage of incidents.

CISOs need to be constantly aware of the evolving threat landscape and, as such, must ensure that systems are audited and assessed for risk.

They need to ensure that the organization has the ability to detect and respond to incidents. This includes preparing for outages and business continuity through the development of disaster recovery plans, the creation of emergency response teams, and play-books for dealing with incidents. They also need to verify that these processes remain fit for purpose through ongoing updates and testing.


Identity and Access Management (IAM)

The CISO is ultimately responsible for the security of the infrastructure, ensuring only authorized personnel have the required access to systems and data.

Culture, education and awareness

As part of the security function, the CISO will have an active role in implementing a ‘Culture of Security’ within the organization, which will be achieved through running training and awareness programs. They themselves, as well as other security team members, also need to keep abreast of developing threats and changes to the landscape.


Budgets, resources and timelines

CISOs are required to work within budgets and therefore need to prioritize and forecast expenditure in order to ensure security appropriate to the risk. They will also have to justify these expenditures and show their return on investment.


Some specific tasks in which the CISO would be involved include (but are not limited to):

  • Advise on corporate security policies, standards and procedures (to ensure compliance)
  • Strategically plan the deployment of security technologies and program enhancements with security policies and information protection strategies
  • Collaborate with key stakeholders to establish an IT security risk management program
  • Ensure systems are secure and audited with comprehensive risk assessments
  • Monitor risks and vulnerabilities along with the threats on an ongoing basis
  • Understand changes in the threat landscape, with the identification of new security threats
  • Develop strategies and play-books to handle security incidents and coordinate investigative activities
  • Work with senior management to ensure IT security protection policies are implemented, reviewed and maintained
  • Budget and prepare financial forecasts for the secure operations and maintenance of company IT assets
  • Appoint and guide IT security experts
  • Provide leadership, training and guidance and bridge the technical gap between senior management and the security operations team

CISO skillset

In order to be a successful CISO, several skills are required. These naturally include a solid understanding of information systems security and threats, along with administration and management skills. CISOs also require other skills, including an understanding of relevant industry regulations, standards and compliance, policy knowledge and development skills, financial management, and strategic planning.

Because the role is an executive role, they require excellent communication and presentation skills to enable them to articulate IT and security concepts in a clear, actionable manner to non-technical leadership.

Due to the seniority of the role, it is also generally expected that the person will be very experienced in many areas with at least 10 years in risk and security management roles.


Certifications

Although qualifications do not make a CISO, they do enable a CISO to show that they have the required credibility and knowledge. They also give aspiring CISOs the ability to understand the role and to learn skills that encourage the right way of thinking.

Some courses we would recommend a CISO or an aspiring CISO to engage in as part of their career development include the following:

  • Core IT knowledge (CompTIA A+, N+ etc.)
  • Core Security Knowledge (ISC2 Certified Information Systems Security Professional CISSP)
  • Cloud Security (CSA, Certificate of Cloud Security Knowledge Plus CCSK)
  • Project Management (Project+, PMP, ITIL etc.)
  • Information Security Management (ISACA Certified Information Security Manager CISM)
  • Risk Management (CRISC, ISO 27005)
  • Incident Response procedures (BSI Incident Response for Managers)
  • EC Council Chief Information Security Officer (CISO)