A chief information security officer (CISO) is a senior-level executive within an

organization An organization or organisation (Commonwealth English; see spelling differences), is an entity—such as a company, an institution, or an association—comprising one or more people and having a particular purpose. The word is derived f ...

responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected. The CISO directs staff in identifying, developing, implementing, and maintaining processes across the enterprise to reduce information and

information technology Information technology (IT) is the use of computers to create, process, store, retrieve, and exchange all kinds of data . and information. IT forms part of information and communications technology (ICT). An information technology syste ...

(IT) risks. They respond to incidents, establish appropriate standards and controls, manage security technologies, and direct the establishment and implementation of policies and procedures. The CISO is also usually responsible for information-related compliance (e.g. supervises the implementation to achieve

ISO/IEC 27001 ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, ...

certification for an entity or a part of it). The CISO is also responsible for protecting proprietary information and assets of the company, including the data of clients and consumers. CISO works with other executives to make sure the company is growing in a responsible and ethical manner. Typically, the CISO's influence reaches the entire organization. Responsibilities may include, but not be limited to: *

Computer emergency response team A computer emergency response team (CERT) is an expert group that handles computer security incidents. Alternative names for such groups include computer emergency readiness team and computer security incident response team (CSIRT). A more modern ...

/computer security incident response team *

Cybersecurity Computer security, cybersecurity (cyber security), or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, t ...

Disaster recovery Disaster recovery is the process of maintaining or reestablishing vital infrastructure and systems following a natural or human-induced disaster, such as a storm or battle.It employs policies, tools, and procedures. Disaster recovery focuses on ...

and business continuity management * Identity and access management *

Information privacy Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, contextual information norms, and the legal and political issues surrounding them. It is also known as data ...

* Information

regulatory compliance In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Compliance has traditionally been explained by reference to the deterrence theory, according to which punishing a behavior will decrease the viol ...

(e.g., US PCI DSS,

FISMA The Federal Information Security Management Act of 2002 (FISMA, , ''et seq.'') is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (, ). The act recognized the importance of information security to the ec ...

, GLBA,

HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Kennedy– Kassebaum Act) is a United States Act of Congress enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1 ...

; UK

Data Protection Act 1998 The Data Protection Act 1998 (DPA, c. 29) was an Act of Parliament of the United Kingdom designed to protect personal data stored on computers or in an organised paper filing system. It enacted provisions from the European Union (EU) Data Prote ...

; Canada

PIPEDA The ''Personal Information Protection and Electronic Documents Act'' (PIPEDA; french: Loi sur la protection des renseignements personnels et les documents électroniques) is a Canadian law relating to data privacy. It governs how private sector ...

, Europe

GDPR The General Data Protection Regulation (GDPR) is a European Union regulation on data protection and privacy in the EU and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and of human rights law, in parti ...

) *

Information risk management IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.: :''The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an ...

Information security Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of Risk management information systems, information risk management. It typically involves preventing or re ...

and information assurance * Information security operations center (ISOC) * Information technology controls for financial and other systems * IT investigations,

digital forensics Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery, investigation, examination and analysis of material found in digital devices, often in relation to mobile devices and comp ...

, eDiscovery Having a CISO or an equivalent function in organizations has become standard practice in business, government, and non-profits organizations. By 2009, approximately 85% of large organizations had a security executive, up from 56% in 2008, and 43% in 2006. In 2018, ''The Global State of Information Security Survey 2018'' (GSISS), a joint survey conducted by CIO, CSO, and PwC, concluded that 85% of businesses have a CISO or equivalent. The role of CISO has broadened to encompass risks found in

business process A business process, business method or business function is a collection of related, structured activities or tasks by people or equipment in which a specific sequence produces a service or product (serves a particular business goal) for a parti ...

es, information security, customer privacy, and more. As a result, there is a trend now to no longer embed the CISO function within the IT group. In 2019, only 24% of CISOs report to a chief information officer (CIO), while 40% report directly to a

chief executive officer A chief executive officer (CEO), also known as a central executive officer (CEO), chief administrator officer (CAO) or just chief executive (CE), is one of a number of corporate executives charged with the management of an organization especiall ...

(CEO), and 27% bypass the CEO and report to the board of directors. Embedding the CISO function under the reporting structure of the CIO is considered suboptimal, because there is a potential for conflicts of interest and because the responsibilities of the role extend beyond the nature of responsibilities of the IT group. In corporations, the trend is for CISOs to have a strong balance of business acumen and technology knowledge. CISOs are often in high demand and compensation is comparable to other C-level positions that also hold a similar

corporate title Corporate titles or business titles are given to corporate officers to show what duties and responsibilities they have in the organization. Such titles are used by publicly and privately held for-profit corporations, cooperatives, non-profit ...

. A typical CISO holds non-technical certifications (like CISSP and CISM), although a CISO coming from a technical background will have an expanded technical skillset. Other typical training includes project management to manage the information security program, financial management (e.g. holding an accredited MBA) to manage infosec budgets, and soft-skills to direct heterogeneous teams of information security managers, directors of information security, security analysts, security engineers and technology risk managers. Recently, given the involvement of CISO with Privacy matters, certifications like CIPP are highly requested. A recent development in this area is the emergence of "Virtual" CISOs (vCISO, also called "Fractional CISO"). These CISOs work on a shared or fractional basis, for organizations that may not be large enough to support a full-time executive CISO, or that may wish to, for a variety of reasons, have a specialized external executive performing this role. vCISOs typically perform similar functions to traditional CISOs, and may also function as a "interim" CISO while a company normally employing a traditional CISO is searching for a replacement. Key areas that vCISOs can support an organization include: * Advising on all forms of cyber risk and plans to address them * Board, management team, and security team coaching * Vendor product and service evaluation and selection * Maturity modeling operations and engineering team processes, capability and skills * Board and management team briefings and updates * Operating and Capital budget planning and review

References

External links

* * * {{corporate titles Management occupations *

See also

References

External links