Chief Information Security Officer (CISO)

A chief information security officer (CISO) is one of the latest additions to enterprise C-suite roles, providing executive oversight, strategic vision, and management of an organization's IT security operations. As global organizations adopt more IT infrastructure, the cybersecurity of client and proprietary data becomes progressively more critical, prompting the need for CISOs.

This article looks at the role of CISO, how it compares to other executive positions, the necessary skills and responsibilities, and the prospective road to becoming a CISO.

What is a Chief Information Security Officer (CISO)?

Chief Information Security Officers (CISOs) are the executive leaders responsible for the cybersecurity and digital risk management posture of an organization's IT environment. First adopted in the mid-1990s, CISO positions typically lead security-specific IT personnel and report to the company's Chief Information Officer (CIO) or directly to the Chief Executive Officer (CEO).

CISO vs Similar C-Suite Roles

The CISO often gets compared to other executive roles for enterprise organizations in the digital era, including Chief Risk Officer (CRO), Chief Technology Officer (CTO), and Chief Data Officer (CDO).

Role | Manages ...                                                   | Reports to ...
-----|---------------------------------------------------------------|---------------
CIO  | Internal IT infrastructure and resource development           | CEO
CRO  | Risk posture, regulatory compliance, and mitigation strategy  | CEO
CISO | Detection, prevention, response, and cybersecurity systems    | CIO or CEO
CTO  | Emerging IT solutions and product technology                  | CIO or CEO
CDO  | Leveraging analysis of organization-wide data and systems     | CIO or CEO

Chief information officers have long been the overarching IT leaders for organizations. Of the executive-level positions listed, CIO and CRO are typically the two most senior roles, with CISO, CTO, and CDO reporting to the CIO. Still, a wave of newer positions has led to CTO and CDO roles taking on many of the same responsibilities as the CIO.

Read more: CIO vs CISO: What are the 5 Big Differences? | CIO Insight

While CISOs increasingly interact with risk management through data protection, CROs usually hold a background in accounting, law, underwriting, or economics and manage the entirety of an organization’s risk management strategy and enforcement.

CISO Skills and Responsibilities

  • Hire, lead, and delegate responsibilities to an information security team
  • Execute the vision and long-term cybersecurity strategy for an organization
  • Maintain knowledge of regulatory compliance standards for organization data security
  • Minimize and reduce risk regarding the delivery of, or access to, digital services
  • Ensure inbound and outbound organization traffic preserves data integrity
  • Assess and present findings for organizational or executive use
  • Apply detection, response, and incident management skills for remediation

Also read: Cybersecurity: Executive Q&A with CISO Deepen Desai at Zscaler | Datamation

How To Become a CISO

Because information technology – and cybersecurity, by extension – are maturing and vital parts of SMB to enterprise organizations, veteran CISOs are a rare commodity. Traditional academia only recently started offering advanced IT and cybersecurity-specific degrees, meaning most of today's CISOs learned the trade through self-study and hands-on experience.

Besides spending years in a SOC, routes to gaining the needed expertise include:

  • Academic degrees (BS, MS, PhD) in computer science, IT, or cybersecurity
  • Boot camps offering cybersecurity-specific training and accreditation
  • Vendor-neutral industry certifications for cybersecurity professionals

Computer Science and Cybersecurity Degrees

Computer science and cybersecurity degrees from traditional universities and colleges are a maturing academic discipline with many undergraduate and graduate degree options to choose from. Professionals with degrees in engineering, business, and law are also suitable when considering the rarity of cybersecurity doctorates.

Photo caption: Cybersecurity students enrolled at Purdue's Polytechnic Institute working on Rolls-Royce security systems in partnership with Carnegie Mellon's CyLab. (Purdue University photo/Vince Walter)

The length of terms and tuition rates for undergraduate, graduate, and doctoral studies vary by school and program. Several universities offer a bachelor's (BS) or master's (MS) of science in computer science or information technology with a concentration in cybersecurity, if not a full-fledged major. Courses and concentrations include information security leadership, digital forensics, data compliance, and ethical hacking.

Best Cybersecurity Degree Institutions in 2022

  • Carnegie Mellon University
  • Columbia University
  • Georgia Tech
  • Massachusetts Institute of Technology (MIT)
  • Pennsylvania State University
  • Purdue University
  • University of Maryland
  • University of California, Berkeley
  • University of Southern California

Read more: The Security Issues Keeping CISOs Up at Night | CIO Insight

Cybersecurity Boot Camps

After the success of coding boot camps offering in-person and remote training programs to develop a generation of software developers, cybersecurity boot camps have been the natural extension for building expertise and accreditation in IT security.

Photo caption: Boot camps can offer classroom education and training, like this group with Fullstack Academy.

Many programs – some attached to traditional universities – offer intensive boot camps of varying length, tuition, and concentrations. Typical cybersecurity boot camps can last from 6 to 24 weeks and cost anywhere from $5,000 to $20,000, depending on the service provider.

Best Cybersecurity Boot Camps in 2022

  • BrainStation
  • ClaimAcademy
  • CodeFellows
  • Eleven Fifty Academy
  • Evolve Academy
  • Flatiron School
  • Fullstack Academy
  • Ironhack
  • Springboard

Certifications for CISOs

Certified Information Security Manager (CISM)

The Certified Information Security Manager (CISM) certification by ISACA (Information Systems Audit and Control Association) lets candidates prove their technical expertise across security systems, incident management, governance, and risk management.

The CISM designation also requires five years of work experience to complete the certification. Still, waivers are available for 2 of the 5 years for candidates with a post-graduate information security degree, active CISA or CISSP status, skill-based certifications, or management experience. Uniquely, ISACA offers candidates who do not pass on their first attempt three more tries within 12 months.

Questions | Length      | Passing Score              | Cost (Member) | Cost (Nonmember)
----------|-------------|----------------------------|---------------|-----------------
150       | 240 minutes | 450 on a scale of 200 – 800 | $575          | $760

Certified Information Systems Security Professional (CISSP)

The Certified Information Systems Security Professional (CISSP) is one of many designations offered by (ISC)², founded as the International Information System Security Certification Consortium in 1989. The CISSP covers eight domains, including identity and access management (IAM), vulnerability assessments, security architecture, asset security, and security operations.

Candidates must also have five years of field experience, with a waiver for 1 of the 5 years for candidates holding an undergraduate degree. Exam takers who pass the CISSP without the prerequisite experience can still obtain the Associate of (ISC)² designation.

Number of Questions | Length      | Passing Score | Cost
--------------------|-------------|---------------|------
100 – 150           | 180 minutes | 70%           | $749

Certified Chief Information Security Officer (CCISO)

Existing CISOs developed the Certified Chief Information Security Officer (CCISO) program to train the next generation of IT security leaders. The EC-Council CCISO program emphasizes leadership over technical skills and covers five domain areas:

  • Governance, Risk, and Compliance
  • Information Security Controls and Audit Management
  • Security Program Management & Operations
  • Information Security Core Competencies
  • Strategic Planning, Finance, Procurement, and Third-Party Management

Candidates must meet CCISO eligibility requirements through five years of experience in at least 3 of the 5 domains, where overlapping experience counts toward the total. Without this experience, interested candidates can sit for the EC-Council Information Security Manager (EISM) exam instead.

Questions | Length      | Passing Score | Cost
----------|-------------|---------------|------
150       | 150 minutes | 72%           | $999

Also read: Top 5 Cybersecurity Certifications to Advance Your Career | ServerWatch

History of the CISO Role

In 1995, Citigroup hired the first known CISO by appointing budding IT security leader Steve Katz. Over the past decade, CISOs have increasingly become part of enterprise executive teams and traditionally report to the CIO. With growing attention on cybersecurity, some CISOs now report directly to CEOs and sit on par with CIO leaders.

Author: Sam Ingalls

Sam Ingalls is an award-winning writer and researcher covering enterprise technology, cybersecurity, data centers, and IT trends for Webopedia, eSecurity Planet, ServerWatch, and Channel Insider.
