Chief information security officers are the crème de la crème in the infosec universe — the head of the class, literally and figuratively. In information security, there is no loftier goal than aspiring to be a chief infosec officer.
At corporations, it’s a c-suite level position, meaning one of the most powerful and influential officers in any given company, and generally reports directly to the CEO. As such, it’s a position that requires extensive experience, knowledge, expertise, and hands-on skills in as many aspects of information security as possible.
Five steps to becoming a chief information security officer
1. Self-analysis: The chief information security officer role is not a career path suited to everyone. It requires exceptional drive, determination, dedication, leadership skills, the ability to think ahead, and a desire to stay continually educated on the latest trends in the field.
By the very nature of c-suite positions, chief infosec officers also interface with most other departments within their own organization, with high-ranking officials in other companies, and with government agencies. Successful CISOs must possess a high level of each of these qualities, and more, in order to excel. So be honest in the self-assessment before deciding to charge ahead on a career targeted at becoming a chief information security officer.
2. Education: Laying the groundwork for a future in a position with responsibilities as wide-reaching and varied as those of a chief infosec officer can take any number of forms. An undergraduate degree in any infosec discipline or in business administration is an obvious starting point, but nearly any computer-related or business management field will do. Security training for protecting people and facilities may also serve as a kick start. For c-suite officers like CISOs, additional education is often, if not usually, expected. Master's degrees and, when desired or required, doctorate degrees in more focused fields under the infosec umbrella will serve you best.
3. Career path: As with education, career paths with an almost endless variety of permutations can lead to chief infosec officer positions; the possibilities are far too numerous to list here. For insight into how best to work toward being a CISO and how the position is evolving now and in the near future, watch this CyberSpeak interview with long-time infosec professional and current CISO Joshua Knight of Dimension Data. It is also helpful to review the education and experience requirements listed by EC-Council for a candidate to be eligible to sit the exam for its chief information security officer certification.
4. Professional certifications: Here too, dozens of certifications can help a candidate reach the level of CISO. It is best to collect certifications in every discipline worked in along the way, plus any ancillary specialties relevant to the positions listed on a resume.
The CCISO certificate is the pinnacle achievement for chief infosec officers. Also valuable are the training opportunities and certifications offered by such organizations and programs as OSCP (Offensive Security Certified Professional), SANS Technology Institute, ISFCE (International Society of Forensic Computer Examiners), IACIS (The International Association of Computer Investigative Specialists), GIAC (Global Information Assurance Certification), CISSP (Certified Information Systems Security Professional), (ISC)2 (International Information Systems Security Certification Consortium), IEEE (Institute of Electrical and Electronics Engineers), Cellebrite, AccessData, BlackBag, and EnCase. More basic certifications, such as CompTIA A+, which certifies IT operational and technical support skills, can also be helpful. ISACA (Information Systems Audit and Control Association) offers a certification directed at infosec managers, Certified in the Governance of Enterprise IT (CGEIT), and another directed at infosec auditors, Certified Information Systems Auditor (CISA).
5. Keep current: As in most cybersecurity careers, it is vital to stay current with what is happening in the industry. Keeping skills and knowledge up to date with the latest trends is even more critical for CISOs, as they are charged with deciding how the entirety of a company's varied infosec resources will be deployed now and in the future. Membership in all relevant information security trade associations and training organizations is imperative for infosec leaders.
Two such professional trade associations are The International Society of Forensic Computer Examiners®, or ISFCE, and The Scientific Working Group on Digital Evidence (SWGDE). Another source of articles and information on specific subjects in infosec is SearchSecurity. EC-Council also provides articles, podcasts, and similar material by other CISOs on its CISO Resources page. The Information Systems Audit and Control Association (ISACA) is also a great source of training and professional interaction. Infosec Institute offers a variety of resources and training for infosec professionals. This interview by IBMBusinessInstitute with Glen Gooding, Director of IBM Institute for Advanced Security, discusses the ever-changing infosec world and the CISO's continually evolving role within the industry.
What is a chief information security officer?
CISOs are alternatively known as chief security architects, corporate security officers, security managers, or information security managers. Some companies entrust this officer-level person with all aspects of security within the organization, including employees and facilities. In these cases, the position may carry the title of chief security officer.
A CISO by any name is still the head of all information security operations within a given organization. Chief infosec officers usually report directly to the CEO (chief executive officer), and are sometimes afforded a seat on the board of directors. CISOs are tasked with setting the overall direction of the infosec resources in their domain, deciding how those resources are apportioned among the various disciplines, managing all of the people in their department, and interacting with all other departments in the organization. CISOs are often the face of an organization's infosec operations in interactions with outside actors. In larger corporations in particular, this may entail dealing with government oversight, regulatory agencies, policymakers, and law enforcement agencies.
Chief information security officer skills and experience
Specific skill requirements likely to be encountered with employers include:
- Significant experience with business management and a working knowledge of information security risk management and cybersecurity technologies and strategy
- Strong understanding of Linux, virtualization, and networking concepts
- Familiarity with industry security standards including NIST, ISO, SANS, COBIT, CERT
- Familiarity with current data privacy regulations, including GDPR and regional standards
- Strong understanding and experience with Secure SDLC and DevSecOps or security automation
- Capable of understanding and communicating business and profit impact that infosec operations have on the organization
Because chief information security officers are at the top of the infosec heap, there are not many certifications recognized for the position. EC-Council provides the most sought-after program, called Certified CISO, or CCISO.
Soft skills sought by employers include superior interpersonal, written, and oral communication skills; the ability to work under pressure; organization and flexibility; strong leadership skills; and experience in strategic planning and execution.
What do chief information security officers do?
Information security in the 21st century has become one of the most critical operations in any organization. The chief information security officer is responsible for providing direction, processes, and resources for every aspect of the infosec operation. And the direction and processes must be continuously reviewed, reimagined and revamped to keep pace with changes in the infosec world at large, as well as compliance, regulatory and legal requirements. The CISO must also be a motivational leader, as well as an interdepartmental and inter-organizational communicator of an organization’s infosec direction and processes.
There are considered to be five “towers” of responsibility within the typical CISO’s purview. Chief infosec officers must have extensive experience and knowledge in each of these towers.
- Governance and risk management (policy, legal, and compliance)
- Information security controls, compliance, and audit management
- Security program management & operations
- Information security core competencies
- Strategic planning, finance, procurement, and vendor management
The relative weight and importance of each tower varies from organization to organization, but these represent the focus areas for gaining experience in order to be competitive for a CISO position.
Chief information security officer job description
Tasks may include some or all of the following:
- Design and develop an information security program roadmap to align and scale with company growth
- Lead security assessment and testing processes, including but not limited to penetration testing, vulnerability management, and secure software development
- Develop and extend security tooling and automation efforts across the organization
- Proactively identify security issues and potential threats and continuously build processes and design systems to watch for and protect against them
- Lead compliance activities including external audits, regulatory compliance projects, and overall information security reviews
- Communicate infosec operational goals, direction, and business impact to c-suite officers and board of directors
- Interface with outside stakeholders, partners, compliance agencies, and regulatory and legal authorities
- Provide strategic risk guidance and consultation for corporate IT projects, including the evaluation and recommendation of technical standards and controls
- Establish and implement a process for incident management to effectively identify, respond, contain and communicate a suspected or confirmed incident
Outlook for chief information security officers
According to InfoSec Institute, there is a worldwide shortage of nearly three million cybersecurity professionals, half a million in North America alone. Demand for qualified infosec employees significantly outstrips supply in nearly every specialty under the information security umbrella. As a percentage of demand, this shortfall grows the higher one climbs on the organizational chart, so the scarcity of candidates capable of managing an organization's entire infosec operation is even more glaring. It is also a harder problem to overcome, because it takes so long to groom candidates for these higher-level posts.
There is no shortage of interesting, prestigious, and exciting opportunities for qualified CISOs. A quick search of open positions shows such organizations as the National Security Agency (NSA), several large national and international banks, at least two state governments, and several large healthcare companies.
How much do chief information security officers make?
In 2019, Payscale.com reports that chief information security officers are making from about $105,000 to about $225,000 per year, with an average annual salary of $160,000. Bonuses, commissions and profit-sharing can add as much as $350,000 annually.
FAQs
What qualifications do I need to be a CISO?
- Communication and presentation skills.
- Policy development and administration skills.
- Knowledge about government (e.g. relevant legislation, both current and incoming).
- Collaboration expertise.
- Financial, planning and strategic management skills.
- Supervisory and incident management skills.
An academic degree in cybersecurity or a related IT discipline is usually required for a job as a chief security officer. Graduating with an online bachelor's degree in cybersecurity, business, or a related field can provide a strong business background with a solid technical foundation.
Is being a CISO hard?
Today's CISOs face daunting challenges. They are constantly fending off increasingly sophisticated attacks, balancing scarce resources, and working with a board that too often doesn't understand the inevitability of a breach and the criticality of the CISO's role.
Does a CISO need to be technical?
Policies are the responsibility of a CISO, but technical prowess isn't needed.
What is the average age of a CISO?
The average age of an employed chief information officer is 52 years old. The most common ethnicity of chief information officers is White (82.0%), followed by Hispanic or Latino (6.6%), Asian (6.5%) and Black or African American (3.0%). Chief information officers are most in-demand in New York, NY.
Does a CISO need an MBA?
The minimum education required of a chief information security officer (CISO) is a bachelor's degree, but employers prefer candidates with a master's degree and 10+ years of experience in IT, risk management, or information security (cyber security).
What does a CISO do day to day?
A key responsibility for a CISO within your organisation is to provide guidance on your cybersecurity program on a strategic level. Along with guidance, it is a CISO's responsibility to make sure organisations remain compliant with cybersecurity standards, policy, regulations and legislation.
How long does it take to become chief?
It takes approximately five years to become a chief executive. While the requirements for the position may vary depending on the company and the responsibilities being delegated to that chief executive, most will need five years of managerial experience and a four-year degree, preferably in business.
How many hours does a CISO work?
The job of Chief Infosec Officer is usually a daytime role, working an average 40 hours per week although, as a senior C-level employee, you may be expected to work above and beyond these hours when required to do so.
Are CISOs in demand?
CISOs are in high demand. It depends on what your perspective is as a customer, what your budget is and what the mission is. The CISO job can cover a multitude of sins and sometimes it isn't always necessarily a CISO role.
Who is higher, CISO or CIO?
CIO stands for Chief Information Officer, and they're typically the highest-ranking person in a company when it comes to IT.
What skills should a CISO have?
- They have a technical background.
- They're good communicators.
- They're organized.
- They can manage people effectively.
- They're ethical.
- They're proactive.
- They're resourceful.
- They're innovators.
Most chief information security officers have at least seven to 10 years of professional experience, including time supervising others, before becoming CISOs. After graduating from college, you might gain perspective as a CISO from entry-level jobs in computer programming, networking analysis or systems analysis.
Can a CISO work from home?
Some job postings, such as one for a Chief Information Security Officer (CISO) Assistant, state that the position can be remote.
Turnover among key business leaders isn't unusual, but as a factual matter, CISO average tenure is relatively short – approximately 24 to 48 months. Several reasons exist for this turnover rate.
Is a CISO C-level?
Importantly, it means that the CISO can make a case for cybersecurity directly to the CEO and the board, usually resulting in improved threat awareness and greater allocation of budget. However, CISOs should remember that this is a C-level position.
What level is a CISO?
The CISO (chief information security officer) is a senior-level executive responsible for developing and implementing an information security program, which includes procedures and policies designed to protect enterprise communications, systems and assets from both internal and external threats.
Can you make $200k in cybersecurity?
All security engineers are paid well, but some branches of cybersecurity have a higher pay scale than others. In fact, reports from the Bureau of Labor Statistics show that some positions may pay over $200,000 per year. How much you can earn depends on factors including the branch of cybersecurity.
What questions are asked in a CISO interview?
- Tell me about yourself.
- Tell me about a time when you had to collaborate with stakeholders to establish an information security risk management program.
- Why should we hire you for this profile?
- Why do you want to work with us?
- How do you describe your management style?
Do you need a degree to be a chief?
A college degree is essential if you want to make it to a senior-level role like chief executive. Some top executives have a bachelor's degree, but a master's degree might be required to advance into some chief executive roles.
How much does a Fortune 500 CISO make?
U.S.-based CISOs reported median base compensation of $584,000, a 15% increase from last year. When taking into account bonuses and company equity, their total compensation rose to $971,000, up 4% from last year, according to the survey.
What do I do after CISO?
Others see CISOs becoming chief risk officers and chief trust officers as well as chief product officers at security vendors. Meanwhile, Touhill says CISOs are well suited to move into a new, emerging executive role which has oversight of all security realms: cyber as well as physical and personnel-related.
How much does the CISO at Apple make?
The base salary for a CISO at companies like APPLE INC ranges from $253,643 to $334,953, with an average base salary of $290,253. The total cash compensation, which includes bonus and annual incentives, can vary anywhere from $293,323 to $425,503, with an average total cash compensation of $353,853.
What is the hardest cyber security job?
Penetration tester or pentester is among the toughest roles to fill in this space, reports CyberSeek.org. CompTIA describes this position as a "white hat" or good/ethical hacker, with the goal of helping organizations improve their security practices to prevent theft and damage.
Who is higher, CISO or CSO?
The Chief Security Officer (CSO) is the executive leader responsible for the security of the physical and digital assets of the business. The Chief Information Security Officer (CISO) is the executive leader responsible for the security of digital information assets.
Is a CISO an executive?
As we have seen, a CISO is a senior-level executive responsible for managing an organization's cybersecurity posture. Simply put, it is the responsibility of the chief information security officer to establish the ideal security and governance practices that align with the organization's objectives.
Who does the CISO usually report to?
According to a Cowen Partners survey, 61% of today's CISOs report to someone other than the company's CIO. Instead, CISOs report to people in a range of other positions, including chief technical officers (CTOs), chief risk officers (CROs), chief operating officers (COOs), general counsel, or even directly to the CEO.
How does a CISO differ from other IT roles?
While a CIO does strategize, manage and oversee the entire operations associated with a company's IT systems, including its security/protection, a CISO focuses more directly on strategically and tactically managing the details of the company's IT security posture, typically in conjunction with the CIO.
What makes a successful CISO?
Great CISOs align their programs with the mission, values, and purpose of the larger organization and understand how to communicate with business leaders in ways that are culturally aware and enable those leaders to make effective decisions.
What is the difference between a CIO and CISO?
Traditionally, the CIO focuses on the strategic planning of the organization's information technology initiatives, while the CISO is more of an executive level specialist who focuses on maintaining information and data security.
What are 3 skills you must have for cyber security?
- Problem-Solving Skills.
- Technical Aptitude.
- Knowledge of Security Across Various Platforms.
- Attention to Detail.
- Communication Skills.
- Fundamental Computer Forensics Skills.
- A Desire to Learn.
- An Understanding of Hacking.
CISOs are highly concerned about end-users and see the need for more education to prevent ransomware and phishing attacks – especially in an era of remote work; however, their likelihood to outsource a solution is low.
What are the 7 types of cyber security?
- Network Security. Most attacks occur over the network, and network security solutions are designed to identify and block these attacks.
- Cloud Security.
- Endpoint Security.
- Mobile Security.
- IoT Security.
- Application Security.
- Zero Trust.
What does a CISO do?
While they're both high-ranking C-suite positions, a CIO's job is much more generalist. They need to have an understanding of how every part of the IT infrastructure fits into the business, in contrast to CISOs, who are much more focused on security.
Is CISO a stressful job?
A recent survey from executive search firm Heidrick & Struggles shows stress and burnout are the top personal risks for CISOs. Pressure from the role is causing some CISOs to leave at an age or stage of life when they can clearly take on another operational role.
Is CTO higher than CISO?
The CTO or Chief Technology Officer is an executive role typically reporting to the CIO. The CTO focuses their efforts on more long-term issues and new technology integration. The CISO or Chief Information Security Officer will typically report to the CEO.
Is CISO considered C-suite?
This is due to the fact that historically the CISO's main focus was on the technical cybersecurity activities of an organization. Those were and still are incredibly valid focus areas, but the role has also continued to evolve. The CISO is increasingly becoming a C-suite business leadership peer.
What are the three common types of CISO?
- The Technical Information Security Officer (TISO)
- The Business Information Security Officer (BISO)
- The Strategic Information Security Officer (SISO)
Who gets paid more, CIO or CTO?
Average annual compensation for these two roles varies depending on the source. In 2022, Glassdoor indicated that total compensation for CIOs and CTOs was comparable, with CTOs earning an average of $4,000 more than CIOs.
Who earns more, CTO or CIO?
CIOs and CTOs are skilled and have a lot of responsibilities, so they earn a larger income. The average salary for both is roughly equal, according to Payscale.
Is a CISO a manager?
A CISO is typically a skilled leader and manager with a strong understanding of information technology and security, who can communicate complicated security concepts to both technical and nontechnical employees. CISOs should have experience with risk management and auditing.