What is a CISO, and What Do They Do?


In 2014, Gregg Steinhafel, then CEO and President of Target, stepped down from the company after 35 years of service. He held himself accountable for a data breach in which roughly 40 million payment card numbers and the names, phone numbers and addresses of about 70 million customers were stolen by attackers. He is not the only executive to have left a company following a hacking incident: Amy Pascal was removed as co-chair of Sony Pictures Entertainment under similar circumstances, and later joked that she should have been fired sooner. In 2018, TechRepublic published an article predicting that more CEOs would lose their jobs over cybersecurity failures, arguing that executives who keep security personnel out of business decisions usually share the blame for the resulting attacks. Fortunately, businesses are embracing the need for security experts, and one of the people now invited to the top table is the CISO (Chief Information Security Officer). So, what is a CISO, and what are their responsibilities? Let’s tell you more.

Defining CISO and What They Do

BitSight describes a CISO as someone who wears many hats but whose core job is to translate complex business problems into viable information security controls. The CISO is a senior executive and is usually involved in the detailed work of developing practical information security policies and programs. As a result, the CISO is also tasked with ensuring that the organization’s established information security policies and procedures are kept up to date so that they remain compliant with applicable standards and laws.

It is the CISO’s job to keep everyone in the organization informed of any updates, which makes the responsibility a continuous one. CISOs must stay ahead of attackers by learning the techniques they use and by telling employees and executives what to do to prevent attacks. This continuous exercise involves educating every stakeholder on the information security protocols, deploying them, revising them, and overseeing them. CISOs can use whatever means are appropriate, including simulated attacks, to test the organization’s preparedness so that any weaknesses found can be fixed. As IT Pro highlights, CISOs are also responsible for creating an Emergency (incident) Response Team to deal with a cybersecurity attack once it happens. In addition, a CISO should develop a Disaster Recovery Plan so that the business is not left stranded after an attack, since a breach can cost a business millions of dollars, especially when stolen or destroyed data cannot be recovered. Because a CISO also understands the limited budgets most organizations have, they must advocate for investment in security practices.

Attributes of a Good CISO

Security Intelligence explains that a good CISO should have the following traits:

Executive Presence and Leadership

Having an executive presence ensures that the CISO can stand their ground even when other senior employees try to intimidate them. CISOs should have a seat at the board of directors’ table so that they can communicate any concerns regarding information security to the people who make decisions on behalf of the company. As the spokesperson for the information security function, the CISO must also know how to communicate with all stakeholders in an easily understood manner. Some security experts argue that the CISO’s executive presence should allow them to report directly to the CEO, but since many CEOs lack a cybersecurity background, being invited to the board of directors’ table is the better arrangement.

Strategic Planning Skills

Since a CISO is tasked with developing Disaster Recovery Plans and creating Emergency Response Teams, they must know where the weaknesses in the organization’s security lie. To come up with viable plans and effective teams, they must look at every angle that gives attackers a way in, hence the need to be a strategic thinker. The policies they implement must be aligned with the organization’s goals and compliant with regulatory standards. Furthermore, if the CISO is not a permanent employee and is instead brought in from outside, they must understand that a plan that worked in one company will not necessarily work in another.

Security and Business Knowledge

As West Monroe explains, a good CISO must have adequate business and security knowledge. Business knowledge is essential in ensuring that the policies they create address all aspects of the business’s operations. CISOs who understand how the business runs will develop plans and risk assessment procedures that cover all the ground, so that one action does not disrupt the rest. Security knowledge, on the other hand, must be acquired through training; there are many courses CISOs can take to gain the necessary information security skills. Even after obtaining the right qualifications, a CISO must stay up to date with changes in the technology landscape, because attackers keep changing their methods.

Becoming a CISO

Cyber Security Guide details the steps one needs to become a CISO.

According to the article, information security is not a career suited to everyone; therefore, you should do an honest self-assessment to work out whether you possess the traits the profession requires. These include strategic thinking, leadership, and a drive to stay current with technological change.

Most CISOs enter the profession after obtaining a bachelor’s degree in information security, computer science, or a related discipline. An undergraduate degree will get you into junior positions such as entry-level systems analyst or computer specialist, from which you can work your way to the top. Soft skills are also crucial, so business education will go a long way towards helping you secure the position. It is therefore no surprise that many CISOs also pursue MBAs.

Stay Updated

Since staying current is one of the requirements for becoming a CISO, you must always be aware of changes in the information security world. As attackers evolve their methods, you must keep track of what they are doing and devise effective plans to deter possible attacks. Moreover, as technology changes, so do the laws, and CISOs have to ensure that any programs they put in place comply with the regulations.
