A chief information security officer (CISO) is one of the latest additions to enterprise C-suite roles, offering executive oversight, strategic vision, and management of an organization’s IT security operations. As global organizations adopt more IT infrastructure, the cybersecurity of client and proprietary data is progressively critical, prompting the need for CISOs.
This article looks at the role of CISO, how it compares to other executive positions, the necessary skills and responsibilities, and the prospective road to becoming a CISO.
In this definition...
What is a Chief Information Security Officer (CISO)?
Chief Information Security Officers (CISOs) are the executive leaders responsible for an organization’s IT environment’s cybersecurity and digital risk management posture. First adopted in the mid-1990s, CISO positions often lead security-specific IT personnel and report to the company’s Chief Information Officer (CIO) or directly to the Chief Executive Officer (CEO).
CISO vs Similar C-Suite Roles
The CISO often gets compared to other executive roles for enterprise organizations in the digital era, including Chief Risk Officer (CRO), Chief Technology Officer (CTO), and Chief Data Officer (CDO).
| Role | Manages … | Reports to … |
| CIO | Internal IT infrastructure and resource development | CEO |
| CRO | Risk posture, regulatory compliance, and mitigation strategy | CEO |
| CISO | Detection, prevention, and response and cybersecurity systems | CIO or CEO |
| CTO | Emerging IT solutions and product technology | CIO or CEO |
| CDO | Leveraging analysis of organization-wide data and systems | CIO or CEO |
Chief information officers have long been the overarching IT leaders for organizations. Of the executive-level positions listed, CIO and CRO are typically the two most senior roles, with CISO, CTO, and CDO reporting to the CIO. Still, a wave of newer positions has led to CTO and CDO roles taking on many of the same responsibilities.
Read more: CIO vs CISO: What are the 5 Big Differences? | CIO Insight
While CISOs increasingly interact with risk management through data protection, CROs usually hold a background in accounting, law, underwriting, or economics and manage the entirety of an organization’s risk management strategy and enforcement.
CISO Skills and Responsibilities
- Hire, lead, and delegate responsibilities to an information security team
- Execute vision and long-term cybersecurity strategy for an organization
- Knowledge of regulatory compliance standards for organization data security
- Minimize and reduce risk regarding the delivery of or access to digital services
- Ensure inbound and outbound organization traffic protects data integrity
- Assess and present findings for an organization or executive use
- Detection and response and incident management skills for remediation
Also read: Cybersecurity: Executive Q&A with CISO Deepen Desai at Zscaler | Datamation
How To Become a CISO
Because information technology – and cybersecurity, by extension – are maturing and vital parts of SMB to enterprise organizations, veteran CISOs are a rare commodity. Traditional academia only recently started offering advanced IT and cybersecurity-specific degrees, meaning most of today’s CISOs trained and learned the game through self-learning and experience.
Besides spending years in a SOC, routes to gaining the needed expertise include:
- Academic degrees (BS, MS, PhD) in computer science, IT, or cybersecurity
- Boot camps offering cybersecurity-specific training and accreditation
- Vendor-neutral industry certifications for cybersecurity professionals
Computer Science and Cybersecurity Degrees
Computer science and cybersecurity degrees from traditional universities and colleges are a maturing academic discipline with many undergraduate and graduate degree options to choose from. Professionals with degrees in engineering, business, and law are also suitable when considering the rarity of cybersecurity doctorates.
(Purdue University photo/Vince Walter)
The length of terms and tuition rates for undergraduate, graduate, and doctoral studies varies by school and program. Several universities offer a bachelor’s (BS) or master’s (MS) of science in computer science or information technology with a concentration in cybersecurity, if not a full-fledged major. Courses and concentrations include information security leadership, digital forensics, data compliance, and ethical hacking.
Best Cybersecurity Degree Institutions in 2022
- Carnegie Mellon University
- Columbia University
- Georgia Tech
- Massachusetts Institute of Technology (MIT)
- Pennsylvania State University
- Purdue University
- University of Maryland
- University of California, Berkeley
- University of Southern California
Read more: The Security Issues Keeping CISOs Up at Night | CIO Insight
Cybersecurity Boot Camps
After the success of coding boot camps offering in-person and remote training programs to develop a generation of software developers, cybersecurity boot camps have been the natural extension for building expertise and accreditation in IT security.
Many programs – some attached to traditional universities – offer intensive boot camps of varying length, tuition, and concentrations. Typical cybersecurity boot camps can last from 6 to 24 weeks and cost anywhere from $5,000 to $20,000, depending on the service provider.
Best Cybersecurity Boot Camps in 2022
- BrainStation
- ClaimAcademy
- CodeFellows
- Eleven Fifty Academy
- Evolve Academy
- Flatiron School
- Fullstack Academy
- Ironhack
- Springboard
Certifications for CISOs
Certified Information Security Manager (CISM)
The Certified Information Security Manager (CISM) certification by ISACA (Information Systems Audit and Control Association) offers candidates to prove their technical expertise across security systems, incident management, governance, and risk management.
The CISM designation also requires five years of work experience to complete the certification. Still, waivers are available for 2 of the 5 years for candidates with a post-graduate information security degree, active CISA or CISSP status, skill-based certifications, and management experience. Uniquely, ISACA offers candidates that do not pass on their first attempt three more tries in 12 months.
| Questions | Length | Passing Score | Cost
(Member) |
Cost (Nonmember) |
| 150 | 240 minutes | 450 on scale of 200 – 800 | $575 | $760 |
Certified Information Systems Security Professional (CISSP)
The Certified Information Systems Security Professional (CISSP) is one of many designations offered by (ISC)², founded as the International Information System Security Certification Consortium in 1989. The CISSP covers eight domains, including identity and access management (IAM), vulnerability assessments, security architecture, asset security, and security operations.
Candidates must also have five years of field experience with a waiver for 1 of the 5 with an undergraduate degree. Exam takers who pass the CISSP without the prerequisite experience can still obtain an Associate of (ISC)².
| Number of Questions | Length | Passing Score | Cost |
| 100 – 150 | 180 minutes | 70% | $749 |
Certified Chief Information Security Officer (CCISO)
Existing CISOs developed the Certified Chief Information Security Officer (CCISO) program to train the next generation of IT security leaders. The EC-Council CCISO program includes emphasizing leadership over technical skills and covers five domain areas:
- Governance, Risk, and Compliance
- Information Security Controls and Audit Management
- Security Program Management & Operations
- Information Security Core Competencies
- Strategic Planning, Finance, Procurement, and Third-Party Management
Candidates for certifications must meet CCISO eligibility through five years in at least 3 of the 5 domains, including overlapping experience. Without this experience, interested candidates can sit for the EC-Council Information System Manager (EISM) exam.
| Questions | Length | Passing Score | Cost |
| 150 | 150 minutes | 72% | $999 |
Also read: Top 5 Cybersecurity Certifications to Advance Your Career | ServerWatch
History of the CISO Role
In 1995, Citigroup hired the first-known instance of a CISO by appointing budding IT security leader Steve Katz. CISOs are increasingly a part of enterprise executive teams in the past decade and traditionally report to the CIO. With growing attention on cybersecurity, some CISOs report directly to CEOs and sit on par with CIO leaders.
Recent Coverage
- Huge List of IT and Computer Certifications | Webopedia
- CISOs: It’s time to get back to security basic | TechRepublic
- Splunk Hires Former Citiback Exec as CISO | Datamation
- Chief Security Officer (CSO) | Job Description & Salary | Channel Insider
- The C-Suite Gets Serious About Security | CIO Insight
