Chief information security officer
A chief information security officer (CISO) is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program that ensure information assets and technologies are adequately protected. The CISO directs staff in identifying, developing, implementing, and maintaining processes across the enterprise to reduce information and information technology (IT) risk. The CISO responds to incidents, establishes appropriate standards and controls, manages security technologies, and directs the establishment and implementation of policies and procedures. The CISO is also usually responsible for information-related compliance (for example, supervising the work needed to achieve ISO/IEC 27001 certification for the organization or a part of it).
Typically, the CISO's influence reaches the entire organization. Responsibilities may include, but not be limited to:
- Computer emergency response team/computer security incident response team
- Disaster recovery and business continuity management
- Identity and access management
- Information privacy
- Information regulatory compliance (e.g., PCI DSS; US FISMA, GLBA, HIPAA; UK Data Protection Act 1998; Canada PIPEDA; EU GDPR)
- Information risk management
- Information security and information assurance
- Information security operations center (ISOC)
- Information technology controls for financial and other systems
- IT investigations, digital forensics, eDiscovery
Having a CISO or an equivalent function has become standard in the business, government, and non-profit sectors, and a growing number of organizations worldwide have one. By 2009, approximately 85% of large organizations had a security executive, up from 56% in 2008 and 43% in 2006. In The Global State of Information Security Survey 2018 (GSISS), conducted jointly by CIO, CSO and PwC, 85% of businesses had a CISO or equivalent. The information security function is no longer regarded as a purely IT matter but as one that spans the whole business: only 24% of these security chiefs reported to a chief information officer (CIO), while 40% reported to the chief executive officer (CEO) and 27% to the board of directors. Having the CISO report to the CIO is now widely considered poor practice, because it creates a conflict of interest (the person accountable for delivering IT also judges its security) and because information security reaches well beyond IT systems into business processes, risk management and privacy, where IT plays only a supporting role.
In corporations, the trend is for CISOs to combine business acumen with technology knowledge. CISOs are often in high demand, and their compensation is comparable to that of other C-level executives.
A typical CISO holds management-oriented security certifications (such as CISSP or CISM); a CISO who has come up through technical roles will usually have broadened their skill set into executive-level areas. Additional assets are training in project management, to run the information security program; financial training (for example, an accredited MBA), to manage information security budgets; and soft skills, to direct heterogeneous teams of information security managers, directors of information security, security analysts, security engineers and technology risk managers in major corporations and organizations.
- Information security
- Board of Directors
- Chief data officer
- Chief executive officer
- Chief information officer
- Chief risk officer
- Chief security officer
- "Global State of Information Security Survey". PricewaterhouseCoopers. Retrieved 25 May 2019.