Find out what tasks a CISO has in the company, what training and qualifications he needs and what his salary is. […]
The Chief Information Security Officer (CISO) is responsible for information and data security throughout the company. Compared to roles such as the Chief Security Officer (CSO) or the head of the security department, the range of tasks is broader.
In the course of digitization, software permeates the entire company, which significantly increases the IT attack surface. That is why the role of the CISO is becoming increasingly important, and it is worth taking a closer look at the specific responsibilities, duties and prerequisites of this management function.
The CISO bridges the gap between the traditionally separate disciplines of IT, security and the business of a company. He develops the IT security strategy from the business objectives and thus ensures the necessary level of protection without hindering the agility of modern business processes.
In his daily work, the CISO is responsible for the following areas, among others: security operations, cyber risk and threat intelligence, protection against data loss and fraud, security architecture, identity and access management (IAM), program management, forensics and governance. As part of an Information Security Management System (ISMS), the CISO also audits IT security and reports the results to management.
IT security affects the entire company at all levels, so the CISO must pursue a holistic security approach. Technology, organization, culture and supply chain are all important factors that need to be kept in mind. Reputation management and communication measures in the event of a crisis are also the responsibility of the head of IT security.
The CISO usually reports to the Chief Information Officer (CIO), but in other cases directly to the Chief Executive Officer (CEO) or the management, since IT security is only a subset of the CISO's tasks: he also takes care of the security and risk management of all other (non-digital) information assets of a company, such as paper files.
The tasks of a CISO vary as much as the companies for which they work. In an interview, Stephen Katz gave a good overview of the basic aspects of the daily work. Katz is considered a pioneer of the CISO role, which he defined and held at Citigroup in the 1990s. He breaks the tasks down as follows:
The training provider SANS Institute has published a detailed description of the duties of a CISO in a white paper (PDF).
The position of a CISO presupposes a solid technical education. According to Cyberdegrees.org, an information portal for IT security students, a CISO requires at least a bachelor’s degree in computer science or a related field. Increasingly, however, employers also place value on a master’s degree with a security focus. In addition, seven to 12 years of professional experience are required, at least five of them in a management position.
Furthermore, a CISO should have a number of technical skills. Every high-ranking manager in the technical field needs basic knowledge of programming and system administration. In addition, knowledge of security technology is important: DNS, routing, authentication, VPN, proxy services and DDoS protection, programming methods, ethical hacking, threat modeling and analysis, firewalls, and intrusion detection and prevention systems.
The human factor is also increasingly becoming a focus for CISOs. Using sophisticated phishing, email fraud or social engineering, attackers circumvent the technical protection measures of companies. This makes sensitizing and training employees through security awareness measures a central task of security managers.
In addition, the CISO must have know-how in the compliance area in order to ensure that regulatory requirements are met. Depending on the industry and core business, this includes, for example, the GDPR, IT-Grundschutz, KRITIS (critical infrastructure) or PCI requirements. For internationally operating companies, it is important to observe other standards such as HIPAA, CCPA, NIST, GLBA or SOX.
Since CISOs perform management tasks and, in the ideal case, maintain close contact with the board members, technical knowledge alone is not enough to qualify for this position. Larry Ponemon, founder of the research institute of the same name, summed it up to SecureWorld: “The most successful CISOs have good technical foundations paired with a business background.“ They might, for example, hold an MBA degree and be able to communicate with other C-level managers or the board on an equal footing.
According to Paul Wallenberg, manager at the LaSalle Network recruitment agency, the required non-technical skills depend strongly on the respective company. “Internationally operating companies are usually looking for candidates with a holistic, functional security background.“ They evaluate leadership qualities based on the resume and past achievements. Companies with a web or product focus, on the other hand, are looking for CISOs with special skillsets in the field of application and web security.
Since there is no predefined training path to the CISO role, there are certifications intended to impart the necessary professional competence. The choice is wide; Cyberdegrees.org alone lists six. LaSalle manager Wallenberg highlights three of them as the most important in his opinion:
In Germany, some associations and training companies also offer certifications for the local market. Here are some examples:
Security officers sometimes tend to lock down systems to make them more secure. This can lead to conflicts with the IT department, which is responsible for making information and applications available as smoothly as possible.
This dispute typically plays out between the CISO and the CIO. At the same time, it matters how the top management level of the enterprise is organized. If the CISO does not report directly to the CEO but is subordinate to the CIO, this can lead to problems: strategic security decisions may then have to be subordinated to the CIO’s overarching IT strategy, which can be detrimental to the level of security.
If the CISO reports directly to the management or the executive board, he gains more authority. This can also be accompanied by a title change. According to the Global State of Information Security Survey 2020 (PDF), a CISO is usually subordinate to the CIO, while a CSO acts more at the same hierarchical level. The CSO is also responsible for non-technical security issues.
Placing the CIO and CISO on an equal footing can reduce the potential for conflict and signal to the entire company that security is taken seriously. However, this also means that the CISO should not block technical initiatives. For example, Ducati CIO Piergiorgio Grossi said in i-CIO magazine that it is the CISO’s job to help IT provide more robust products and services, rather than simply saying “no”. This joint responsibility for strategic projects changes the relationship dynamics of the two disciplines and can be the decisive success factor for a new CISO.
If a company is looking for a CISO, many of the above points should be included in the job description. “Companies first decide whether they want to hire a CISO, then they get approvals for the hierarchy level, reporting structure and the official title of the position,” explains LaSalle manager Wallenberg. In smaller companies, a department manager or security director can also become a CISO. Finally, the minimum requirements and qualifications for the role have to be formulated and the internal or external recruiting process started.
The job advertisement itself should clearly highlight the company’s commitment to security from the very beginning in order to attract the attention of highly qualified candidates. It helps to describe exactly where the CISO sits in the company hierarchy and how many points of contact with the management or the board are planned.
Even once the position is filled, the job description should be regularly updated and kept ready. It is never certain when the employee will move on to a new challenge, and the CISO is a critical position that should not be left unfilled.
The CISO holds a high-ranking position and is usually paid accordingly, although the amount varies greatly. Salary calculators such as Glassdoor put CISO positions in Germany at an average of about 102,000 euros per year, with a wide range above and below that figure. Recruiters, on the other hand, also talk about CISO incomes that exceed the 200,000 euro mark in annual salary, provided that the candidate is the right expert for the specific position.
*Jens Dose is an editor at CIO magazine. In addition to the core topics around CIOs and their projects, he also covers the role of the CISO and its area of responsibility.