The Role of the Chief Information Security Officer
The role of the Chief Information Security Officer (CISO) has evolved dramatically and strategically over the years, as companies’ increasing reliance on the internet exposes their client and company data to mounting cybersecurity threats.
Today, most companies—and certainly any regulated company—should consider hiring a CISO or outsourcing the function. The CISO function should be designated by senior management and tasked with implementing and monitoring an information security program that will vary based on a company’s size, complexity, business operations, corporate culture, and global/local presence.
The CISO role has evolved in the last 15 to 20 years. First considered a purely technical function, the CISO was a member of the IT department and embedded under layers of reporting lines. Information security issues that were raised were rarely escalated. Often, the IT department management would seek to address the issues itself with corrective actions or even suppress the reporting of issues.
The CISO function today is considered to be a risk management function outside of the IT department. In this newer role, a CISO needs to maneuver seamlessly among senior management/board members, business management, and the IT department. That means expressing information security matters as business risks—grounded in an understanding of the technical aspects of information security, the full range of regulatory requirements, and best practice in compliance.
The challenge is not small. Business executives often regard information security as a roadblock to progress and meeting deadlines. Its importance needs to be sold to leadership to be an integral part of achieving business objectives while keeping the company safe. Then, across the organization, the CISO needs to be an information security advocate, fluent in business, technology, and regulatory parlance, to build alliances and drive a culture of security throughout the company.
Fundamentally, only by working to achieve the company’s business objectives will a CISO obtain adequate security resources and maintain effective cyber defenses.
The CISO function should report directly to a high-level company official. That could be the board of directors, a board committee, or a senior manager such as the Chief Executive Officer (CEO), Chief Risk Officer (CRO), Country Head, or equivalent position. But CISOs should not report to the Chief Information Officer (CIO), Head of Information Technology (IT), or similar function, which could be considered a conflict of interest and limit the CISO from carrying out their duties effectively.
To ensure independence, the CISO should be given sufficient authority that is clearly promoted by executive leadership across the company. To merit such independence, of course, the CISO must bring to the role the knowledge, background, and training to perform the tasks involved.
There are still gray areas in CISO governance. In many instances, CIOs still claim that they are responsible for implementing information security, which can be an ongoing cause of friction between the CISO and IT department. And even though the CISO has a “C” in the title, most companies do not treat the CISO as a true C-level role. Further confusion surrounds the title Chief Security Officer (CSO), whose role includes physical as well as cyber security. Whichever role is most appropriate for a company, the baseline is clear: It should include reporting the status of the information security program to senior management and the board or a board committee on a regular basis.
While no CISO job is identical, typical day-to-day responsibilities include the following:
Information security governance
- Making sure that security initiatives and the overall information security strategic plan is run smoothly and adequately funded, with regular reporting to business management leadership and the board or board committee
Information security operations
- Analyzing threats in real-time, using a variety of security tools along with the review of additional security reports at different intervals
- Implementing or deploying the incident response plan when there is a possible incident
- Keeping up to date with emerging security threats
- Communicating with business management leadership regarding any potential security issues that could come from mergers, acquisitions or other similar business activities
- Informing management of any security risks (e.g., known vulnerabilities) for new systems/applications regardless of the business potential
Training/data loss and fraud prevention
- Educating staff on information security awareness activities including how and who to report to, if they believe that there is a possible breach of security
Information security architecture
- Advising and working closely with the IT department on the planning, selection, and implementation of security hardware and software
- Working with IT and/or third parties with access to or hosting the company’s data to make sure that the network and access points are designed with security best practices where possible
- Reviewing firewall and intrusion detection/prevention
Identity and access management
- Authorizing and reviewing user access (including administrator and vendor access) to the company’s data and systems
- Overseeing the user entitlement review process
Information security program management
- Performing security risk assessments
- Overseeing social engineering exercises, penetration testing, and vulnerability scanning
- Overseeing and reporting on mitigation of information security issues
- Annual reporting to the board or a board committee
- Monthly or quarterly reporting of key risk indicators to senior management
Incident investigations and forensic review
- Incident response table-top testing
- Deploying the incident response plan if there is a possible security breach
- Coordinating with an external forensic service if warranted and requested by senior management
- Ensuring compliance with all information security regulatory requirements
- Representing the company in information security examinations with regulators
CISOs are critical to the protection of a company’s data and systems. To ensure that there is appropriate segregation of duties, the CISO should be independent of IT operations and should not report to the CIO or Head of IT. As a risk manager, the CISO must have the independence to identify and report information security risks to management and the board or a board committee. As a bridge-builder, the CISO has to navigate smoothly across business lines and IT, speaking both languages to adequately relay the expectations of potential breaches and the urgency of defending and responding effectively.