[1]What is a CISO? Responsibilities and requirements for this vital
leadership role:
This was a common topic on the late lamented PVC Security podcast.
Let's dive in!
CISO definition
The chief information security officer (CISO) is the executive
responsible for an organization's information and data security.
While in the past the role has been rather narrowly defined along
those lines, these days the title is often used interchangeably with
CSO and VP of security, indicating a more expansive role in the
organization.
Ambitious security pros looking to climb the corporate ladder may
have a CISO position in their sights. Let's take a look at what you
can do to improve your chances of snagging a CISO job, and what your
duties will entail if you land this critical role. And if you're
looking to add a CISO to your organization's roster, perhaps for the
first time, you'll want to read on as well.
CISO responsibilities
What does a CISO do? Perhaps the best way to understand the CISO job
is to learn what day-to-day responsibilities fall under its
umbrella. While no two jobs are exactly the same, Stephen Katz, who
pioneered the CISO role at Citigroup in the '90s, [2]outlined the
areas of responsibility for CISOs in an interview with MSNBC. He
breaks these responsibilities down into the following categories:
* Security operations: Real-time analysis of immediate threats, and
triage when something goes wrong
* Cyberrisk and cyber intelligence: Keeping abreast of developing
security threats, and helping the board understand potential
security problems that might arise from acquisitions or other big
business moves
* Data loss and fraud prevention: Making sure internal staff doesn't
misuse or steal data
* Security architecture: Planning, buying, and rolling out security
hardware and software, and making sure IT and network
infrastructure is designed with best security practices in mind
* Identity and access management: Ensuring that only authorized
people have access to restricted data and systems
* Program management: Keeping ahead of security needs by implementing
programs or projects that mitigate risks - regular system patches,
for instance
* Investigations and forensics: Determining what went wrong in a
breach, dealing with those responsible if they're internal, and
planning to avoid repeats of the same crisis
* Governance: Making sure all of the above initiatives run smoothly
and get the funding they need - and that corporate leadership
understands their importance
For a deeper dive, check out the whitepaper from SANS, "[3]Mixing
Technology and Business: The Roles and Responsibilities of the Chief
Information Security Officer."
CISO requirements
What does it take to be considered for this role? Generally
speaking, a CISO needs a solid technical foundation.
[4]Cyberdegrees.org says that, typically, a candidate is expected to
have a bachelor's degree in computer science or a related field and
7-12 years of work experience (including at least five in a
management role); technical [5]master's degrees with a security
focus are also increasingly in vogue. There's also a laundry list of
expected technical skills: beyond the basics of programming and
system administration that any high-level tech exec would be
expected to have, you should also understand some security-centric
tech, like DNS, routing, authentication, VPN, proxy services and
DDoS mitigation technologies; coding practices, [6]ethical hacking
and threat modeling; and firewall and intrusion detection/prevention
protocols. And because CISOs are expected to help with regulatory
compliance, you should know about PCI, HIPAA, NIST, GLBA and SOX
compliance assessments as well.
But technical knowledge isn't the only requirement for snagging the
job - and may not even be the most important. After all, much of a
CISO's job involves management and advocating for security within
company leadership. IT researcher Larry Ponemon, speaking to
SecureWorld, [7]said that "the most prominent CISOs have a good
technical foundation but often have business backgrounds, an MBA,
and the skills needed to communicate with other C-level executives
and the board."
Paul Wallenberg, Senior Unit Manager of Technology Services at
staffing agency LaSalle Network, says that the mix of technical and
nontechnical skills by which a CISO candidate is judged can vary
depending on the company doing the hiring. "Generally speaking,
companies with a global or international reach as a business will
look for candidates with a holistic, functional security background
and take the approach of assessing leadership skills while
understanding career progression and historical accomplishments," he
says. "On the other side of the coin, companies that have a more web
and product focused business lean on hiring specific skillsets
around application and web security."
CISO certifications
As you climb the ladder in anticipating a jump to CISO, it doesn't
hurt to burnish your resume with certifications. As [8]Information
Security puts it, "These qualifications refresh the memory, invoke
new thinking, increase credibility, and are a mandatory part of any
sound internal training curriculum." But there are a somewhat
bewildering number to choose from - [9]Cyberdegrees.org lists seven.
We asked LaSalle Network's Wallenberg for his picks, and he gave us
a top three:
* "Certified Information Systems Security Professional (CISSP) is for
IT professionals seeking to make security a career focus."
* "Certified Information Security Manager (CISM) is popular for those
who are looking to climb the ladder within the security discipline
and transition into leadership or program management."
* "Certified Ethical Hacker (CEH) is for security professionals
looking to obtain an advanced awareness of issues that can threaten
enterprise security."
CISO vs. CIO vs. CSO
Security is a role within an organization that inevitably butts
heads with others, since a security pro's instincts are to lock down
systems and make them harder to access - something that can conflict
with IT's job of making information and applications available in a
frictionless way. The way that drama plays out at the top of the org
chart can be as a CISO vs. CIO battle, and the contours of that
fight are often established by the lines of reporting within an
organization. (CSO discussed this in depth in the article "[10]Does
it matter who the CISO reports to?") Even though both titles have
"C" in the name, it's relatively common for CISOs to report to CIOs,
which can constrain a CISO's ability to execute strategically, as
their vision ends up being subordinated to the CIO's overall IT
strategy. CISOs definitely gain clout when they report directly to
the CEO or the board, which is becoming [11]an increasingly common
practice. This might involve a change of title - according to the
[12]Global State of Information Survey 2018, CISOs are more likely
to be subordinated to a CIO, whereas a security exec with the title
of Chief Security Officer (CSO) is more likely to be on the same
level as the CIO - and to have non-tech security responsibilities to
boot.
Placing CIOs and CISOs on equal footing can help tamp down conflict,
not least because it sends a signal to the whole organization that
security is important. But it also means that the CISO can't simply
be a gatekeeper vetoing technical initiatives. As Ducati CIO
Piergiorgio Grossi [14]told i-CIO magazine, "it's up to the CISO to
help the IT team provide more robust products and services rather
than simply saying 'no.'" This shared responsibility for strategic
initiatives changes the dynamics of the relationship - and can mean
the difference between success and failure for new CISOs.
CISO job description
If you're part of a search for a promising CISO for your
organization, part of that involves writing a job description - and
much of what we've discussed so far lays the foundation for how
you'd approach that. "Companies first decide if they want to hire a
CISO and obtain approvals for the level, reporting structure, and
official title for the position - in smaller companies, CISOs can be
VPs or Director of Security," says LaSalle Network's Wallenberg.
"They also need to set the minimum requirements and qualifications
of the role, and then go to market for external candidates or post
for internal applicants."
CSO Senior Editor Michael Nadeau lays out in some detail how you'd
approach [15]writing a CISO job description. One of the important
things he points out is that your description should make your
organization's commitment to security very clear from the get-go,
because that's how you're going to attract a high-quality candidate.
You should highlight where the new CISO will end up on the org chart
and how much board interaction they'll have to really make this
point clear. Another important point he makes is to keep the job
description fresh, even if you have someone in the role - after all,
you never know when that person will move on to another opportunity,
and this is a crucial job that you don't want to leave unstaffed.
CISO salary
CISO is a high-level job and CISOs are paid accordingly. Predicting
salaries is more of an art than a science, of course, but the strong
consensus is that salaries above $100,000 are typical. As of this
writing, [16]ZipRecruiter has the national average at $153,117;
Salary.com pegs the typical range even higher, as [17]between
$192,000 and $254,000.
If you check out Glassdoor, you can see [18]salary ranges for
current CISO job openings, which can help you get a sense of which
sectors pay more or less. For instance, at this writing there's an
open CISO position in the federal government that pays between
$164,000 and $178,000, and one at the University of Utah that pays
between $230,000 and $251,000.
CISO jobs
The CISO job landscape is always changing, and CSO has plenty of
material to keep you up to date - how to get a CISO job, and how to
navigate the career landscape. You might want to check out:
* "[19]A CISO's guide to avoiding certain CISO jobs" : Not all CISO
jobs are created equal, and some will set you up for failure that
can have negative career implications down the line. Here are some
tips on red flags to watch out for.
* "[20]Why do CISOs change jobs so frequently?": The average CISO
only stays on the job for 24-48 months, according to market
research. Find out what these fast moves mean for the industry and
how you can react.
* "[21]What is a virtual CISO?": C-level execs aren't immune to the
trend towards "on-demand" employees who work on part-time contracts
rather than occupying full-time positions. This article will
explain what virtual CISOs can and can't do, which is important if
you're competing against them for jobs - or want to become one
yourself.
(Via [24]CSO Online)
A few notes:
The CISO/CSO and analogs suffer from a short life span and a need to
impress the Board of Directors. Most CISOs are in poor situations at
the start, and anyone who aspires to such a role needs to know the
disadvantages.
The CISO/CSO often reports to the CIO, which is a conflict of interest.
I generally recommend reporting to the CEO directly or else the COO or CFO.
CISO/CSO roles require strong reporting managers and talented teams
plus reliable managed security service providers. The best way to
determine their value is by measuring them. Yet many enterprises I
visit fail to measure even the most obviously valuable metrics but want
their Top Ten lists.
This is a solid summary of the CISO role. If you target this in your
career path, this article is useful.
__________________________________________________________________
My original entry is here: [25]What is a CISO? Responsibilities and
requirements for this vital leadership role. It posted Thu, 04 Apr 2019
09:58:51 +0000.
Filed under: business,
References
1. https://www.csoonline.com/article/3332026/it-careers/what-is-a-ciso-responsibilities-and-requirements-for-this-vital-leadership-role.html#tk.rss_all
2. https://www.cnbc.com/2018/07/20/what-is-ciso-chief-information-security-officer.html
3. https://www.sans.org/reading-room/whitepapers/assurance/mixing-technology-business-roles-responsibilities-chief-information-security-officer-1044
4. https://www.cyberdegrees.org/jobs/chief-information-security-officer-ciso/
5. https://www.csoonline.com/article/3294206/security-awareness/top-bachelors-and-masters-cybersecurity-degree-programs.html
6. https://www.csoonline.com/article/3238128/hacking/what-is-ethical-hacking-penetration-testing-basics.html
7. https://www.secureworldexpo.com/industry-news/ciso-vs-cio-relationship
8. https://www.infosecurity-magazine.com/magazine-features/what-makes-a-ciso-employable/
9. https://www.cyberdegrees.org/jobs/chief-information-security-officer-ciso/
10. https://www.csoonline.com/article/3278020/leadership-management/does-it-matter-who-the-ciso-reports-to.html
11. https://www.wsj.com/articles/companies-cut-ciso-reporting-ties-with-technology-1524515201
12. https://www.idg.com/tools-for-marketers/2018-global-state-information-security-survey/
13. https://images.idgesg.net/images/article/2018/05/3_who-is-in-charge-of-the-person-in-charge-100758153-orig.jpg
14. https://www.i-cio.com/management/role-of-the-cio/item/the-changing-relationship-between-the-cio-and-ciso
15. https://www.csoonline.com/article/3209964/security/how-to-write-a-ciso-job-description.html
16. https://www.ziprecruiter.com/Salaries/Chief-Information-Security-Officer-Salary
17. https://www1.salary.com/Chief-Information-Security-Officer-Salary.html
18. https://www.glassdoor.com/Salaries/ciso-salary-SRCH_KO0,4.htm
19. https://www.csoonline.com/article/3166061/it-careers/a-cisos-guide-to-avoiding-certain-ciso-jobs.html
20. https://www.csoonline.com/article/3245170/security/why-do-cisos-change-jobs-so-frequently.html
21. https://www.csoonline.com/article/3259926/it-careers/what-is-a-virtual-ciso-when-and-how-to-hire-one.html
22. https://blockads.fivefilters.org/
23. https://blockads.fivefilters.org/acceptable.html
24. http://www.csoonline.com/index.rss
25. https://www.prjorgensen.com/?p=2700