A chief information security officer (CISO) is a senior-level executive within an

organization An organization or organisation (Commonwealth English; see spelling differences), is an entity—such as a company, an institution, or an association—comprising one or more people and having a particular purpose. The word is derived from ...

responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected. The CISO directs staff in identifying, developing, implementing, and maintaining processes across the enterprise to reduce information and

information technology Information technology (IT) is the use of computers to create, process, store, retrieve, and exchange all kinds of data . and information. IT forms part of information and communications technology (ICT). An information technology system (I ...

(IT) risks. They respond to incidents, establish appropriate standards and controls, manage security technologies, and direct the establishment and implementation of policies and procedures. The CISO is also usually responsible for information-related compliance (e.g. supervises the implementation to achieve ISO/IEC 27001 certification for an entity or a part of it). The CISO is also responsible for protecting proprietary information and assets of the company, including the data of clients and consumers. CISO works with other executives to make sure the company is growing in a responsible and ethical manner. Typically, the CISO's influence reaches the entire organization. Responsibilities may include, but not be limited to: *

Computer emergency response team A computer emergency response team (CERT) is an expert group that handles computer security incidents. Alternative names for such groups include computer emergency readiness team and computer security incident response team (CSIRT). A more modern ...

/computer security incident response team * Cybersecurity *

Disaster recovery Disaster recovery is the process of maintaining or reestablishing vital infrastructure and systems following a natural or human-induced disaster, such as a storm or battle.It employs policies, tools, and procedures. Disaster recovery focuses on t ...

and business continuity management * Identity and access management * Information privacy * Information

regulatory compliance In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Compliance has traditionally been explained by reference to the deterrence theory, according to which punishing a behavior will decrease the viol ...

(e.g., US

PCI DSS The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council and its use i ...

, FISMA, GLBA,

HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Kennedy– Kassebaum Act) is a United States Act of Congress enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 19 ...

; UK

Data Protection Act 1998 The Data Protection Act 1998 (DPA, c. 29) was an Act of Parliament of the United Kingdom designed to protect personal data stored on Computer, computers or in an organised paper filing system. It enacted provisions from the European Union (EU) Da ...

; Canada

PIPEDA The ''Personal Information Protection and Electronic Documents Act'' (PIPEDA; french: Loi sur la protection des renseignements personnels et les documents électroniques) is a Canadian law relating to data privacy. It governs how private sector ...

, Europe GDPR) *

Information risk management IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.: :''The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an ...

Information security Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorize ...

and

information assurance Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information. Information assurance includes protection of the integrity, availability, authenticity, n ...

Information security operations center An information security operations center (ISOC or SOC) is a facility where enterprise information systems (web sites, applications, databases, data centers and servers, networks, desktops and other endpoints) are monitored, assessed, and d ...

(ISOC) * Information technology controls for financial and other systems * IT investigations, digital forensics,

eDiscovery Electronic discovery (also ediscovery or e-discovery) refers to discovery in legal proceedings such as litigation, government investigations, or Freedom of Information Act requests, where the information sought is in electronic format (often refe ...

Having a CISO or an equivalent function in organizations has become standard practice in business, government, and non-profits organizations. By 2009, approximately 85% of large organizations had a security executive, up from 56% in 2008, and 43% in 2006. In 2018, ''The Global State of Information Security Survey 2018'' (GSISS), a joint survey conducted by CIO, CSO, and PwC, concluded that 85% of businesses have a CISO or equivalent. The role of CISO has broadened to encompass risks found in

business process A business process, business method or business function is a collection of related, structured activities or tasks by people or equipment in which a specific sequence produces a service or product (serves a particular business goal) for a parti ...

es, information security, customer privacy, and more. As a result, there is a trend now to no longer embed the CISO function within the IT group. In 2019, only 24% of CISOs report to a chief information officer (CIO), while 40% report directly to a

chief executive officer A chief executive officer (CEO), also known as a central executive officer (CEO), chief administrator officer (CAO) or just chief executive (CE), is one of a number of corporate executives charged with the management of an organization especially ...

(CEO), and 27% bypass the CEO and report to the board of directors. Embedding the CISO function under the reporting structure of the CIO is considered suboptimal, because there is a potential for conflicts of interest and because the responsibilities of the role extend beyond the nature of responsibilities of the IT group. In corporations, the trend is for CISOs to have a strong balance of business acumen and technology knowledge. CISOs are often in high demand and compensation is comparable to other C-level positions that also hold a similar

corporate title Corporate titles or business titles are given to corporate officers to show what duties and responsibilities they have in the organization. Such titles are used by publicly and privately held for-profit corporations, cooperatives, non-profit or ...

. A typical CISO holds non-technical certifications (like

CISSP CISSP (Certified Information Systems Security Professional) is an independent information security certification granted by the International Information System Security Certification Consortium, also known as (ISC)². As of January, 2022 there ...

and CISM), although a CISO coming from a technical background will have an expanded technical skillset. Other typical training includes project management to manage the information security program, financial management (e.g. holding an accredited MBA) to manage infosec budgets, and soft-skills to direct heterogeneous teams of information security managers, directors of information security, security analysts, security engineers and technology risk managers. Recently, given the involvement of CISO with Privacy matters, certifications like CIPP are highly requested. A recent development in this area is the emergence of "Virtual" CISOs (vCISO, also called "Fractional CISO"). These CISOs work on a shared or fractional basis, for organizations that may not be large enough to support a full-time executive CISO, or that may wish to, for a variety of reasons, have a specialized external executive performing this role. vCISOs typically perform similar functions to traditional CISOs, and may also function as a "interim" CISO while a company normally employing a traditional CISO is searching for a replacement. Key areas that vCISOs can support an organization include: * Advising on all forms of cyber risk and plans to address them * Board, management team, and security team coaching * Vendor product and service evaluation and selection * Maturity modeling operations and engineering team processes, capability and skills * Board and management team briefings and updates * Operating and Capital budget planning and review

References

External links

* * * {{corporate titles Management occupations *

See also

References

External links