CISO job description: What does a CISO do?

A chief information security officer deals with far more than firewalls and antivirus software

A businessman working on a futuristic tablet that is displaying the word 'CISO'

Cyber security has never been more of a hot topic than it is in 2020. The global COVID-19 pandemic has seen hackers taking advantage of the mass shift to remote working in order to attempt to infiltrate corporate networks, in turn forcing organisations to revisit their cyber security strategies

The NCSC, for example, reported that it has been battling a surge of pandemic-related cyber attacks, while cyber security firm F5 Labs has seen phishing attempts increase by 220% over the past few months. There's no sign of this trend slowing down either, as F5 predicts the number of phishing attacks will continue to grow 15% year-on-year. 

Given this rise in cyber threats, along with the huge amount of data that businesses handle day-to-day, keeping this out of the hands of hackers has fast become a priority. However, doing so is no longer seen as simply an IT issue, nor  one reserved for the boardroom. Data security is now the responsibility of everyone in an organisation.

What is a CISO?

In order for that responsibility to be taken seriously, a strategy and someone to lead that vision from theory into reality is required. Enter the chief information security officer (CISO). First borne as a role that was exclusively the preserve of US companies, the job title has now made its way to British shores, too.

The CISO, who may also be referred to as a chief security architecture or information security manager, is an executive role that oversees the protection of company and customer data, as well as the protection of infrastructure and assets from malicious actors.

In an age of rampant data theft and aggressive but important legislation, such as GDPR, every IT facility in an organisation must be secure. That not only requires the implementation of security safeguards but also the training and educating of employees. With the majority of cyber security incidents being the result of employee error, it's important that a CISO is looking both internally and externally for potential threats.

As the threat landscape continues to evolve, the work of a CISO must also keep pace.

What responsibilities does a CISO have?

CISOs have a wide range of responsibilities that extend far beyond dealing with firewalls and antivirus software. They are responsible for hiring IT personnel, for providing necessary policy direction to protect the company from emerging threats., and for directly managing senior IT team leaders to ensure they are prioritising the right aspects of a strategy at any given time.

A CISO must also spearhead the company's IT security hardware strategy and make sure necessary activities are undertaken by the appropriate department, whether this is IT staff or other IT security personnel.

A female IT worker in front of multiple monitors displaying code

Innovation also plays a key role in any organisation's security posture. As such, the CISO will also be tasked with keeping corporate security policies, standards and procedures fresh and fit for purpose, and making sure staff across the board comply on a day-to-day basis without fail.

CISOs are expected to work with the entire organisation to ensure everyone is pulling in the same direction. After all, ensuring security is a continuous process rather than something that can be auctioned once and then left alone. It needs to evolve and change as the threat landscape does. Success here, then, will include conversing regularly with senior management and employees to make sure all IT security policies are deployed, revised, sustained and overseen effectively.

Emulating what might happen in the real world is one way of ensuring everyone is on the same page when it comes to the threat of breaches and data theft. By essentially phishing employees to see who clicks on what - in your own, controlled environment - you can be more sure of any awareness gaps and training needs. Showing employees the damage that could have been done, but thankfully wasn't, will also ensure security remains front of mind in future.

As part of this, existing IT infrastructure must be audited and assessed for any security risks and CISOs are responsible for using the data they have at hand to predict any risks and deal with them accordingly. They need to be continuously assessing vulnerabilities and finding fixes before an incident occurs.

A CISO also needs to develop policies around security incidents and create an Emergency Response Team to act as and when a security breach is looming or has happened. As well as this, they may be in charge of developing a disaster recovery plan to allow for business continuity post-cyber-attack.

Like many businesses and IT decision-makers, CISOs are constrained by budgets, so resources need to be prioritised and allocated efficiently and financial forecasts prepared to ensure appropriate cover for security assets. A CISO needs to show that investments can be used to protect an organisation's assets and safeguard its data and reputation if the worst should happen.

What skills are needed to be a CISO?

To be a competent CISO, several key skills are required, beyond common sense. These include:

  • Communication and presentation skills
  • Policy development and administration skills
  • Knowledge about government (e.g. relevant legislation both current and incoming)
  • Collaboration expertise
  • Financial, planning and strategic management skills
  • Supervisory and incident management skills
  • And, finally, knowledge of regulation and standards compliance.

However, the most valuable skill for a CISO is the ability to articulate IT security and technical issues in a non-threatening, clear and actionable manner to non-technical leadership.

Generally speaking, it is also expected that someone applying for a CISO role is very experienced, with many roles specifying at least 10-plus years in senior risk management and security roles.

How much does a CISO get paid?

A CISO in the UK can expect to be paid on average around £90,000 a year, and many companies also offer additional benefits and bonuses. The average annual bonus for a CISO is around £11,500 in the UK.

While the average UK salary is £90,000, some companies at the highest level are offering salaries of circa £138,000.

Featured Resources

Unleashing the power of AI initiatives with the right infrastructure

What key infrastructure requirements are needed to implement AI effectively?

Download now

Achieve today. Plan tomorrow. Making the hybrid multi-cloud journey

A Veritas webinar on implementing a hybrid multi-cloud strategy

Download now

A buyer’s guide for cloud-based phone solutions

Finding the right phone system for your modern business

Download now

The workers' experience report

How technology can spark motivation, enhance productivity and strengthen security

Download now

Recommended

How to spot a failing digital transformation project
digital transformation

How to spot a failing digital transformation project

22 Jan 2021
CTO job description: What does a CTO do?
Business strategy

CTO job description: What does a CTO do?

22 Jan 2021
Building our future leaders
Business strategy

Building our future leaders

21 Jan 2021
Best business tablets 2021
Hardware

Best business tablets 2021

19 Jan 2021

Most Popular

WhatsApp could face €50 million GDPR fine
General Data Protection Regulation (GDPR)

WhatsApp could face €50 million GDPR fine

25 Jan 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

12 Jan 2021