A chief information security officer (CISO) is one of the latest additions to enterprise C-suite roles, offering executive oversight, strategic vision, and management of an organization’s IT security operations. As global organizations adopt more IT infrastructure, the cybersecurity of client and proprietary data is progressively critical, prompting the need for CISOs.
This article looks at the role of CISO, how it compares to other executive positions, the necessary skills and responsibilities, and the prospective road to becoming a CISO.
Chief Information Security Officers (CISOs) are the executive leaders responsible for an organization’s IT environment’s cybersecurity and digital risk management posture. First adopted in the mid-1990s, CISO positions often lead security-specific IT personnel and report to the company’s Chief Information Officer (CIO) or directly to the Chief Executive Officer (CEO).
The CISO often gets compared to other executive roles for enterprise organizations in the digital era, including Chief Risk Officer (CRO), Chief Technology Officer (CTO), and Chief Data Officer (CDO).
Role | Manages … | Reports to … |
CIO | Internal IT infrastructure and resource development | CEO |
CRO | Risk posture, regulatory compliance, and mitigation strategy | CEO |
CISO | Detection, prevention, and response and cybersecurity systems | CIO or CEO |
CTO | Emerging IT solutions and product technology | CIO or CEO |
CDO | Leveraging analysis of organization-wide data and systems | CIO or CEO |
Chief information officers have long been the overarching IT leaders for organizations. Of the executive-level positions listed, CIO and CRO are typically the two most senior roles, with CISO, CTO, and CDO reporting to the CIO. Still, a wave of newer positions has led to CTO and CDO roles taking on many of the same responsibilities.
While CISOs increasingly interact with risk management through data protection, CROs usually hold a background in accounting, law, underwriting, or economics and manage the entirety of an organization’s risk management strategy and enforcement.
Because information technology – and cybersecurity, by extension – are maturing and vital parts of SMB to enterprise organizations, veteran CISOs are a rare commodity. Traditional academia only recently started offering advanced IT and cybersecurity-specific degrees, meaning most of today’s CISOs trained and learned the game through self-learning and experience.
Besides spending years in a SOC, routes to gaining the needed expertise include:
Computer science and cybersecurity degrees from traditional universities and colleges are a maturing academic discipline with many undergraduate and graduate degree options to choose from. Professionals with degrees in engineering, business, and law are also suitable when considering the rarity of cybersecurity doctorates.
The length of terms and tuition rates for undergraduate, graduate, and doctoral studies varies by school and program. Several universities offer a bachelor’s (BS) or master’s (MS) of science in computer science or information technology with a concentration in cybersecurity, if not a full-fledged major. Courses and concentrations include information security leadership, digital forensics, data compliance, and ethical hacking.
After the success of coding boot camps offering in-person and remote training programs to develop a generation of software developers, cybersecurity boot camps have been the natural extension for building expertise and accreditation in IT security.
Many programs – some attached to traditional universities – offer intensive boot camps of varying length, tuition, and concentrations. Typical cybersecurity boot camps can last from 6 to 24 weeks and cost anywhere from $5,000 to $20,000, depending on the service provider.
The Certified Information Security Manager (CISM) certification by ISACA (Information Systems Audit and Control Association) offers candidates to prove their technical expertise across security systems, incident management, governance, and risk management.
The CISM designation also requires five years of work experience to complete the certification. Still, waivers are available for 2 of the 5 years for candidates with a post-graduate information security degree, active CISA or CISSP status, skill-based certifications, and management experience. Uniquely, ISACA offers candidates that do not pass on their first attempt three more tries in 12 months.
Questions | Length | Passing Score | Cost
(Member) |
Cost (Nonmember) |
150 | 240 minutes | 450 on scale of 200 – 800 | $575 | $760 |
Certified Information Systems Security Professional (CISSP)
The Certified Information Systems Security Professional (CISSP) is one of many designations offered by (ISC)², founded as the International Information System Security Certification Consortium in 1989. The CISSP covers eight domains, including identity and access management (IAM), vulnerability assessments, security architecture, asset security, and security operations.
Candidates must also have five years of field experience with a waiver for 1 of the 5 with an undergraduate degree. Exam takers who pass the CISSP without the prerequisite experience can still obtain an Associate of (ISC)².
Number of Questions | Length | Passing Score | Cost |
100 – 150 | 180 minutes | 70% | $749 |
Existing CISOs developed the Certified Chief Information Security Officer (CCISO) program to train the next generation of IT security leaders. The EC-Council CCISO program includes emphasizing leadership over technical skills and covers five domain areas:
Candidates for certifications must meet CCISO eligibility through five years in at least 3 of the 5 domains, including overlapping experience. Without this experience, interested candidates can sit for the EC-Council Information System Manager (EISM) exam.
Questions | Length | Passing Score | Cost |
150 | 150 minutes | 72% | $999 |
In 1995, Citigroup hired the first-known instance of a CISO by appointing budding IT security leader Steve Katz. CISOs are increasingly a part of enterprise executive teams in the past decade and traditionally report to the CIO. With growing attention on cybersecurity, some CISOs report directly to CEOs and sit on par with CIO leaders.