The Chief Information Security Officer (CISO), or Information Systems Security Manager (ISSM), holds a critical role in any organization, all the more so as threats to information security keep growing.

That said, I received the following comment from a colleague at a conference:
“It’s been 10 years since I finished school, and now 3 years in the CISO role. As I’m a C-level, why am I not on the company board?”
Being an information security expert does not automatically earn a seat on the executive committee.
I came across an article that said that to be a CISO, you first need to be capable of being a leader and of having the moral authority to make decisions.
Second, you need to be an officer, i.e. hold the legal designation indicating that the holder is a high-level executive within the organization, responsible for providing strategic direction and advice.
So a CISO must be someone who can make decisions and is legally accountable for them.
Here are a few signs that you are not a true CISO:
- You’re more than two levels below the organization’s top management.
- You have no direct access to the organization’s board of directors or governance team.
- You have to write the policies, but you don’t have the authority to enforce them.
- The security team is so small that your job description also includes front-line security analyst duties.
- The CISO’s duties are diluted among other roles and responsibilities.
- You don’t take part in the organization’s strategy meetings and aren’t consulted by those who set strategy; you learn about decisions only after they have been made.
- The security program budget is managed by someone else.
- Others may accept information security risks without consulting you.
Why am I not a CISO?
So let me take up my colleague’s question. He is an information security expert with the necessary certifications, so why isn’t he a real CISO?
- Do you lack general management skills? The executive committee expects an understanding of marketing, finance, operations and so on.
- The executive committee needs people with a broader vision of the company. Do you provide solutions? Do you solve problems?
- Do you have the self-confidence to communicate issues, ideas and action plans clearly?
- Are you useful to the other business units, or do you focus your energy on a single aspect, such as compliance?
- Can you take risks? Business decisions go far beyond “IT risk management”; they weigh other factors such as market competitiveness and customer satisfaction. Do you create value? And do you know what creating value means?
- Does management or the human resources group know what a CISO is?
- And finally, the last but, in my opinion, most important: modesty. Do you think you know it all when you’ve focused on just one area? Many CISOs I meet wrongly exaggerate their importance in the organization.
Role – Sample job description
A CISO’s job description generally includes the following elements:
- Security leadership: Define the strategic vision for information security within the organization, in alignment with business objectives.
- Risk management: Identify, assess and mitigate information security risks, taking into account the ever-changing threat landscape.
- Regulatory compliance: Ensure that the company complies with all relevant laws, regulations and standards relating to data security and protection.
- Policies and procedures: Develop, implement and maintain information security policies and procedures to protect company assets.
- Training and awareness: Promote a security culture within the organization by training employees and raising their awareness of security best practices.
- Incident management: Lead responses to security incidents, minimizing impact and coordinating recovery.
- Evaluation and continuous improvement: Monitor the effectiveness of existing security measures and initiate continuous improvements.
Day-to-day responsibilities
On a day-to-day basis, a CISO’s responsibilities may include:
- Monitoring: Use advanced tools and techniques to continuously monitor threats and vulnerabilities within the organization’s infrastructure.
- Strategic meetings: Participate in meetings with other senior managers to discuss security strategy and its alignment with overall corporate objectives.
- Team management: Lead and manage a team of security professionals, ensuring that everyone is well equipped and informed to carry out their tasks.
- Reporting and analysis: Prepare reports on the state of information security, analyzing trends and recommending actions.
- Threat intelligence: Keep up to date with the latest security threats, vulnerabilities and technologies so that the company stays ahead of malicious actors.
- Project management: Oversee information security projects, ensuring they are completed on time and on budget.