
What is a CISO? The top IT security leader role explained – Source: www.csoonline.com


Source: www.csoonline.com – Author:

The chief information security officer (CISO) is the executive responsible for an organization’s information and data security. Here’s what it takes to succeed in this role.

The chief information security officer (CISO) is the top-level executive responsible for an organization’s information and data security.

Not every company has a security executive who operates at the top of the corporate pyramid. In fact, only 45% of North American companies have a CISO, according to CSO’s Security Priorities Study 2024. Moreover, only 20% of companies have a top infosec officer in the C-suite, according to the 2024 State of the CISO report from IANS, a figure that drops to 15% for $1B+ companies. This discrepancy arises because some top-level security officers, even ones with a “C” in their title, are functionally VPs or directors, reporting to other executives rather than to the CEO or board.

Where employed, CISOs play an important role: CSO’s Security Priorities Study found that companies without a CISO or CSO were more likely to suffer competing priorities and lack the budget to achieve their security goals, while companies with a CISO or CSO were nearly twice as likely to say that engagement with their board of directors helps improve security initiatives.

Following is an overview of the responsibilities and requirements of the CISO role, as well as what ambitious security leaders with a CISO position in their sights can do to improve their chances of snagging that job. Organizations looking to add a CISO to their roster, perhaps for the first time, can also find tips on what to look for in a candidate.

CISO vs. CSO: What’s in a name, and who’s on top? 

The title CISO echoes that of another key security executive: the chief security officer (CSO). You’ll often hear people say the difference between the two is that CISOs focus entirely on information security issues, while a CSO’s remit is wider, also taking in physical security and risk management.

But reality is messier. Many companies, especially smaller ones, have only one C-level security officer, called a CSO, with IT security functions reporting to them. Or they might have only a CIO, with the top cybersecurity officer reporting to them with a VP or director title.

“Sometimes a company has a CSO but no CISO because they’re simply not big enough to justify both,” says Patrice Williams-Lindo, CEO of Career Nomad and a longtime management consultant. “But in many larger companies, it’s also about internal politics: A CSO may resist adding a CISO if it threatens their budget or influence, or leadership may not yet see how different physical security and cybersecurity truly are. It’s often a sign of organizational maturity when companies realize cyber risk needs its own dedicated seat at the table.”

In organizations where there are CSOs and CISOs, Williams-Lindo says their relationship depends on the structure and goals of the company, as well as their org’s specific corporate politics:

  • CISO reporting to CIO? “The company sees cyber as an IT cost center, not a strategic risk.”
  • CISO reporting to CSO? “Often means the company is in old-school mode, seeing cyber and physical security as the same.”
  • CISO reporting to CEO/board of directors? “This is where the future is going, driven by regulatory pressures, shareholder lawsuits post-breach, and customer trust stakes.”
  • Dual or matrix reporting? “This usually means nobody wants to own the risk outright.”

“CSO vs. CISO is often a turf war dressed up as alignment,” Williams-Lindo says. “On paper, the CSO owns all security, but cyber risk is now the golden ticket for budget, visibility, and board access. CISOs who know how to speak dollars and risk, not just tech, increasingly bypass CSOs and even CIOs to report directly to the CEO.”

For a more detailed discussion of these topics, check out “Does it matter who the CISO reports to?” and “Reporting lines: Could separating from IT help CSOs?” Meanwhile, in this article, we’ll be using the term CISO to refer to an organization’s top-level infosec officer, but keep in mind that their actual title and reporting situation may vary from company to company.

CISO responsibilities

What does a CISO do? Perhaps the best way to understand the CISO job is to learn what day-to-day responsibilities fall under its umbrella. While no two jobs are exactly the same, Stephen Katz, who pioneered the CISO role at Citigroup in the 1990s, outlined the areas of responsibility for CISOs in an interview with MSNBC. He breaks these responsibilities down into the following categories:

  • Security operations: Real-time analysis of immediate threats and triage when something goes wrong
  • Cyber risk and cyber intelligence: Keeping abreast of developing security threats, and helping the board understand potential security problems that might arise from acquisitions or other big business moves
  • Data loss and fraud prevention: Making sure internal staff do not misuse or steal data
  • Security architecture: Planning, buying, and rolling out security hardware and software, and making sure IT and network infrastructure is designed with best security practices in mind
  • Identity and access management: Ensuring that only authorized people have access to restricted data and systems
  • Program management: Keeping ahead of security needs by implementing programs or projects that mitigate risks — regular system patches, for instance
  • Investigations and forensics: Determining what went wrong in a breach, dealing with those responsible if they’re internal, and planning to avoid repeats of the same crisis
  • Governance: Making sure all the above initiatives run smoothly and get the funding they need — and that corporate leadership understands their importance

CISO requirements

What does it take to be considered for this role? Generally speaking, a CISO needs a solid technical foundation. Cyberdegrees.org says that, typically, a candidate is expected to have a bachelor’s degree in computer science or a related field and seven to 12 years of work experience, including at least five in a management role; technical master’s degrees with a security focus are also increasingly in vogue.

There’s also a laundry list of expected technical skills: Beyond the basics of programming and system administration that any high-level tech exec would be expected to have, you should also understand security-centric technology such as DNS, routing, authentication, VPNs, proxy services and DDoS mitigation; secure coding practices, ethical hacking and threat modeling; and firewalls and intrusion detection/prevention systems. And because CISOs are expected to help with regulatory compliance, you should also know the regulations that affect your industry, including PCI DSS, HIPAA, GLBA, and SOX.

But technical knowledge isn’t the only requirement for snagging the job, and may not even be the most important. “Effective CISOs are by their nature cross-functional and blend technical expertise with an understanding of the business,” says Ralph Pyne, CISO for Apollo.io. “Security teams frequently have limited budgets, so practitioners are well versed with the ‘do more with less’ approach that makes them trusted by the finance team.”

Much of a CISO’s job involves management and advocating for security within company leadership. IT researcher Larry Ponemon, speaking to SecureWorld, said that “the most prominent CISOs have a good technical foundation but often have business backgrounds, an MBA, and the skills needed to communicate with other C-level executives and the board.”

Paul Wallenberg, associate vice president of technology services at staffing agency LaSalle Network, says that the mix of technical and nontechnical skills by which a CISO candidate is judged can vary depending on the company doing the hiring.

“Generally speaking, companies with a global or international reach as a business will look for candidates with a holistic, functional security background and take the approach of assessing leadership skills while understanding career progression and historical accomplishments,” he says. “On the other side of the coin, companies that have a more web and product focused business lean on hiring specific skillsets around application and web security.”

“A decade ago compliance or general IT experience sufficed,” says Nic Adams, co-founder and CEO at 0rcus, who has dealt with CISOs across a number of organizations and industries as part of his adversarial security consulting. “Today’s CISOs bring custom zero-day frameworks, closed-loop OSINT, live adversary emulation, and anti-forensic control design.”

CISO certifications

As you climb the ladder in anticipating a jump to CISO, it doesn’t hurt to burnish your resume with certifications. As Information Security puts it, “These qualifications refresh the memory, invoke new thinking, increase credibility, and are a mandatory part of any sound internal training curriculum.” But there are a somewhat bewildering number to choose from. 0rcus’s Adams pegs several certifications that he sees as being common among today’s CISOs:

  • “Tradecraft credentials such as OSCP or GPEN and proven exploit development pedigree”
  • “Governance and audit certifications like CISSP or CISA to navigate board-level risk”
  • “Cloud and container security certifications such as CCSP or Kubernetes Certified Security Specialist”
  • “Threat intelligence and DFIR certs like GCIA or GCIH”

CISO job description

If you’re part of a search for a promising CISO for your organization, part of that involves writing a job description — and much of what we’ve discussed so far lays the foundation for how you’d approach that.

“Companies first decide if they want to hire a CISO and obtain approvals for the level, reporting structure, and official title for the position — in smaller companies, CISOs can be VPs or Directors of Security,” says LaSalle Network’s Wallenberg. “They also need to set the minimum requirements and qualifications of the role, and then go to market for external candidates or post for internal applicants.”

Your CISO job description also shouldn’t be generic. 0rcus’s Adams breaks down how different types of organizations need to uniquely tailor their CISO’s job description and responsibilities:

  • “Public sector and defense organizations focus on classified data handling, cross-domain guards, FISMA and NIST deep dives, and sovereign-grade threat hunting.”
  • “Private-sector tech firms emphasize CI/CD pipeline security, devsecops integration, live-fire red-team operations, and zero-trust microsegmentation.”
  • “Regulated industries such as finance and healthcare require real-time fraud analytics, know-your-customer/anti-money-laundering alignment, encryption-first architectures, and continuous third-party risk assessments.”

Michael Nadeau lays out in detail how you’d approach writing a CISO job description. One of the important things he points out is that your description should make your organization’s commitment to security very clear from the get-go, because that’s how you’re going to attract a high-quality candidate. You should highlight where the new CISO will end up on the org chart and how much board interaction they’ll have to really make this point clear.

Another important point Nadeau makes is to keep the job description fresh, even if you have someone in the role — after all, you never know when that person will move on to another opportunity, and this is a crucial job that you don’t want to leave unstaffed.

CISO salaries

CISO is a high-level job and CISOs are paid accordingly. Predicting salaries is more of an art than a science, of course, but the strong consensus is that salaries well above $100,000 are typical. As of this writing, ZipRecruiter has the national average at $148,746; Salary.com pegs the typical range much higher, as between $346,000 and $429,000. Glassdoor’s salary ranges for current CISO job openings are somewhere in the middle, ranging from $204,000 to $364,000.

CISO jobs

The CISO job landscape is always changing, and we have plenty of material to keep you up to date on how to get a CISO job, and how to navigate the career landscape:

What is a vCISO?

One final note on a recent development in the CISO career path: Many organizations, especially those that can’t support a full-time CISO, are turning to virtual CISOs, or vCISOs. These fractional, or part-time, executives may be independent consultants or work as part of a larger firm. They can help companies build or mature their security programs, meet compliance goals, and guide risk management strategies without the overhead of a full-time hire. You don’t get the full attention of a full-time employee either, but in practice not every organization needs that, and demand for the model is strong: Cynomi’s State of the Virtual CISO 2024 report found that 75% of MSPs and MSSPs report very high demand for vCISOs and fractional CISOs.

For security pros, the vCISO path offers something else: control. Whether working solo, partnering with a firm, or building a boutique consultancy, vCISOs enjoy greater autonomy and variety in their day-to-day work, and can shape engagements to fit their strengths. It’s a viable and potentially rewarding alternative to the traditional executive ladder — especially for those who are always looking for fresh challenges and want to keep their skills sharp across industries. To learn more, read “The rise of vCISO as a viable cybersecurity career path.”


Original Post url: https://www.csoonline.com/article/566757/what-is-a-ciso-responsibilities-and-requirements-for-this-vital-leadership-role.html

Category & Tags: Careers, CSO and CISO, IT Leadership, Security
