A CISO Is...

The technical definition of a CISO is the Chief Information Security Officer, but what does that mean? What does this person do, and what does it take to be a good CISO?

As with almost everything, if you ask 5 people to define something you will end up with 8 different opinions. What follows is what we believe the role of a CISO requires and the core duties they perform.

Behavioral Capabilities

  • A proactive and self-motivated leader

  • A creator and driver of the Information Security Vision and Strategy

  • A relationship builder

  • A coach and mentor

  • An excellent communicator to all levels and skillsets from executive to engineer to operations

  • Passionate with a hunger for research

  • Flexible, open-minded, creative, and energetic

  • Credible and trustworthy

  • An excellent negotiator

  • Confident and able to accept criticism

Functional Capabilities

  • Directs and approves the design of security systems

  • Reviews and approves security policies, controls, and cyber incident response planning

  • Approves user identity and access policies and management

  • Reviews investigations after breaches or incidents, including impact analysis and recommendations for avoiding similar vulnerabilities

  • Maintains a current understanding of the IT threat landscape for the industry

  • Ensures compliance with the changing laws and applicable regulations

  • Translates that knowledge to the identification of risks and actionable plans to protect the business

  • Schedules periodic security audits

  • Communicates cybersecurity policies and procedures to all personnel and ensures adherence

  • Manages all teams, employees, contractors, and vendors involved in IT security, which may include hiring

  • Continuously updates the cybersecurity strategy to leverage new technology and threat information

  • Briefs the executive team on status and risks, including taking the role of champion for the overall strategy and necessary budget

  • Communicates best practices and risks to all parts of the business outside IT