Chief information security officer

A chief information security officer (CISO) is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected. The CISO directs staff in identifying, developing, implementing, and maintaining processes across the enterprise to reduce information and information technology (IT) risks. They respond to incidents, establish appropriate standards and controls, manage security technologies, and direct the establishment and implementation of policies and procedures. The CISO is also usually responsible for information-related compliance (e.g. supervises the implementation to achieve ISO/IEC 27001 certification for an entity or a part of it). The CISO is also responsible for protecting proprietary information and assets of the company, including the data of clients and consumers. CISO works with other executives to make sure the company is growing in a responsible and ethical manner.

Typically, the CISO's influence reaches the entire organization. Responsibilities may include, but not be limited to:

Computer emergency response team/computer security incident response team
Cybersecurity
Disaster recovery and business continuity management
Identity and access management
Information privacy
Information regulatory compliance (e.g., US PCI DSS, FISMA, GLBA, HIPAA; UK Data Protection Act 1998; Canada PIPEDA, Europe GDPR)
Information risk management
Information security and information assurance
Information security operations center (ISOC)
Information technology controls for financial and other systems
IT investigations, digital forensics, eDiscovery

Having a CISO or an equivalent function in organizations has become standard practice in business, government, and non-profits organizations. By 2009, approximately 85% of large organizations had a security executive, up from 56% in 2008, and 43% in 2006. In 2018, The Global State of Information Security Survey 2018 (GSISS), a joint survey conducted by CIO, CSO, and PwC,^[1]^[2] concluded that 85% of businesses have a CISO or equivalent. The role of CISO has broadened to encompass risks found in business processes, information security, customer privacy, and more. As a result, there is a trend now to no longer embed the CISO function within the IT group. In 2019, only 24% of CISOs report to a chief information officer (CIO), while 40% report directly to a chief executive officer (CEO), and 27% bypass the CEO and report to the board of directors. Embedding the CISO function under the reporting structure of the CIO is considered suboptimal, because there is a potential for conflicts of interest and because the responsibilities of the role extend beyond the nature of responsibilities of the IT group.

In corporations, the trend is for CISOs to have a strong balance of business acumen and technology knowledge. CISOs are often in high demand and compensation is comparable to other C-level positions that also hold a similar corporate title.

A typical CISO holds non-technical certifications (like CISSP and CISM), although a CISO coming from a technical background will have an expanded technical skillset. Other typical training includes project management to manage the information security program, financial management (e.g. holding an accredited MBA) to manage infosec budgets, and soft-skills to direct heterogeneous teams of information security managers, directors of information security, security analysts, security engineers and technology risk managers. Recently, given the involvement of CISO with Privacy matters, certifications like CIPP are highly requested.

A recent development in this area is the emergence of "Virtual" CISOs (vCISO, also called "Fractional CISO").^[3] These CISOs work on a shared or fractional basis, for organizations that may not be large enough to support a full-time executive CISO, or that may wish to, for a variety of reasons, have a specialized external executive performing this role. vCISOs typically perform similar functions to traditional CISOs, and may also function as a "interim" CISO while a company normally employing a traditional CISO is searching for a replacement.^[4] Key areas that vCISOs can support an organization include:

Advising on all forms of cyber risk and plans to address them
Board, management team, and security team coaching
Vendor product and service evaluation and selection
Maturity modeling operations and engineering team processes, capability and skills
Board and management team briefings and updates
Operating and Capital budget planning and review

References[]

^ "2018 Global State of Information Security Survey". IDG. 2017-12-08. Retrieved 2021-08-17.
^ Fruhlinger, Josh (2018-06-12). "Does it matter who the CISO reports to?". PricewaterhouseCoopers. Archived from the original on 2019-04-04. Retrieved 2021-08-17.{{cite web}}: CS1 maint: unfit URL (link)
^ Drolet, Michelle (1 Apr 2015). "Secure Your Future with a Virtual CISO". InfoSecurity Magazine. Retrieved 2021-08-17.
^ "Virtual CISO (vCISO) Services". Retrieved 2021-08-17.

External links[]

"The CERT Division". Carnegie Mellon University Software Engineering Institute. Retrieved 2021-08-17.
Bird, Brad (2020-04-21). "What is a Chief Information Security Officer?". Office of the CISO. Retrieved 2021-08-17.
"Managing Information Security Risk: Organization, Mission, and Information System View". NIST. March 2011. Retrieved 2021-08-17.

[1] "2018 Global State of Information Security Survey". IDG. 2017-12-08. Retrieved 2021-08-17.

[2] Fruhlinger, Josh (2018-06-12). "Does it matter who the CISO reports to?". PricewaterhouseCoopers. Archived from the original on 2019-04-04. Retrieved 2021-08-17.{{cite web}}: CS1 maint: unfit URL (link)

[3] Drolet, Michelle (1 Apr 2015). "Secure Your Future with a Virtual CISO". InfoSecurity Magazine. Retrieved 2021-08-17.

[4] "Virtual CISO (vCISO) Services". Retrieved 2021-08-17.

[1]

[2]

[3]

[4]

v t Corporate titles
Chief officers	Accessibility Administrative Analytics Audit Brand Business Channel Commercial Communications Compliance Content Creative Data Design Digital Diversity Executive Experience Financial Human resources Information Information security Innovation Investment Knowledge Learning Legal Marketing Medical Merchandising Networking Operating Privacy Procurement Product Research Restructuring Revenue Risk Science Security Solutions Strategy Sustainability Technology Visionary Web
Senior executives	Chairperson Creative director Development director General counsel Executive director Non-executive director President Representative director Vice president
Mid-level executives	Manager General manager Account manager Supervisor Foreman
Related topics	Board of directors Corporate governance Executive compensation List of business and finance abbreviations Senior management Supervisory board Talent management

Chief information security officer

See also[]

References[]

External links[]