The role of CISO is an important one. It must be. It has Chief right in the title. The question, though, is what exactly does a company expect a CISO to do? You can’t meet or manage expectations if you don’t know what they are, and there’s a good chance you won’t keep your CISO job very long if you can’t meet expectations.
A CISO is responsible for securing and protecting information assets but the job description is broader than just security. In order to be “C-level” and have a seat at the table of executive management the CISO also has to have a grasp on business vision, finance, and human resources among other things.
Andrew Wild, CISO of Lancope, echoed this sentiment in a blog post earlier this year. “The transformation centers on the CISO – or whoever is responsible for information security – moving from being primarily responsible for implementing and managing technology solutions to someone who is seen as a critical risk management advisor for information security, analogous to how CFOs advise on financial risk and General Counsels advise on legal risk.”
A Chief Information Security Officer (CISO) is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy and program to ensure information assets and technologies are adequately protected. The CISO directs staff in identifying, developing, implementing and maintaining processes across the organization to reduce information and information technology (IT) risks. They respond to incidents, establish appropriate standards and controls, manage security technologies, and direct the establishment and implementation of policies and procedures. The CISO is also usually responsible for information-related compliance. (Source: Wikipedia, Chief information security officer)
The primary goal of a CISO is security. It’s important, though, that the CISO view security from the perspective of the business. Enforcing draconian security measures can block innovation and hinder productivity. Sacrificing security can violate compliance mandates and put the company at risk. The CISO has to implement security measures that facilitate rather than obstruct business while finding a workable balance that protects information assets and shields the company itself from unnecessary risk. Simple, right?
As with any job at any level, you need to sit down with whoever you report to—whoever is going to be assessing your performance and possibly dictating your future (or lack thereof) with the company—and establish clearly defined expectations. When you wake up each day and go to work, you should already know the answer to the question “What do they want from me?”
If you don’t feel you have the resources—tools, budget, employees, etc.—that you need to effectively meet those expectations, be prepared to say so. Part of your role as CISO is to make a business case for what you need to get the job done and to be able to defend it.
Those are all broad generalities, though. The CISO role and the expectations placed on it vary from one organization to the next. What’s more important than knowing the crowdsourced definition of a CISO from Wikipedia is knowing precisely what your board and your executive management expect of you so you can meet or exceed those expectations.