With more organizations relying on computer technology, the need to protect these vital systems is rising as well. Enter the chief information security officer or CISO. This relatively new and desirable C-level position was created to help corporations protect their computer systems and networks from hackers, spies, and other cyber threats.
CISOs work alongside company officers, business managers, cyber security teams, and IT managers to effectively monitor and maintain the security of their organization’s applications, databases, computers, and websites. They’re also tasked with establishing enterprise-wide security policies, developing data breach resiliency plans, overseeing system update communications, and managing the information security financials.
It’s no wonder that chief information security officers must work long hours and have extensive IT education and experience. However, they’re paid exceptionally well for their efforts and have excellent job security.
Would you like to learn more? Let’s review a CISO job description—including CISO duties and responsibilities, salary and job outlook projections, and how to become a CISO.
Your primary responsibility as a chief information security officer is to understand your business's security operations and challenges, both as the business runs today and as it plans to operate in the future. That understanding lets you equip the people in your organization with the right tools, skills, resources, relationships, and capabilities to protect against information security risks.
However, successful CISOs also have a great deal of enterprise business acumen. Since they work within the C-suite of executives, they must understand other business disciplines such as finance, HR, and compliance. And they’ll need an in-depth knowledge of their organization’s operations and functions to make effective business decisions.
Your specific CISO duties and responsibilities can vary greatly depending on your enterprise size, hierarchy, industry, and compliance regulations. These responsibilities typically cover many functional company domains, including:
Security operations—evaluating the IT threat landscape, devising cyber security policy and controls to reduce risk, leading auditing and compliance initiatives, and more.
Disaster recovery—developing cyber resiliency so your organization can rapidly recover from hacking, security incidents, or data breaches.
Security finance management—determining if your data security initiatives are worth the financial investments.
Documentation—contributing to a variety of security policy domains associated with compliance, governance, risk management, incident management, HR management, and additional domains.
Compliance—ensuring that your organization is adaptable to evolving compliance regulations.
Program onboarding—weighing business opportunities against security risks that can potentially compromise your organization’s long-term financial rewards.
HR management—establishing a system that reduces human error and its impact on your organization’s security posture.
Even though the titles CIO and CISO sound similar, the two roles serve very different functions. A chief information officer (CIO) works to optimize an organization's hardware and software infrastructure, improving its data flow, storage, reporting, and management, whereas a CISO works to secure the firm's data and information.
Of course, these roles can overlap from time to time. And in smaller organizations, they will sometimes be combined into one CIO or CISO job description. But because information security is such an important and complex responsibility, these smaller firms will often allow a CIO serving as a CISO to employ outside security consultants for their additional expertise and advice.
Becoming a chief information security officer isn’t easy, but it’s definitely rewarding. To reach this coveted C-level position, you’ll need to serve many years in many roles of IT and cybersecurity. But with the right education, years of service, and management skills, you can then reap the rewards of an executive leadership role—including a great office, outstanding pay, annual bonuses, and lots of prestige.
To begin, you’ll need to get your bachelor’s degree in cybersecurity or information technology. If you do choose to pursue an IT degree, make sure to stack your undergraduate program with as many security-related courses as possible since that will be your primary focus as a CISO.
You can also start accruing your years of experience by working in information technology while you get your bachelor’s. Online programs, like WGU’s, offer accredited and respected IT degrees that you can earn while working. In fact, many of WGU’s students work full-time since they can access learning materials, complete coursework, and take tests when and where it best fits their schedules.
In addition to your B.S., you should earn several certifications (aka “certs”) to broaden your knowledge and make you a more desirable candidate for future job opportunities or promotions. Some schools, like WGU, include these certs in their undergraduate programs, which can save you a lot of time and money.
Here are the key certs you should look for with a CISO career in mind:
Certified Cloud Security Professional (CCSP) – Associate of (ISC)² designation
Systems Security Certified Practitioner (SSCP) – Associate of (ISC)² designation
Certified Encryption Specialist (EC-Council ECES)
Cybersecurity Analyst Certification, CySA+ (CompTIA)
Network Vulnerability Assessment Professional (CompTIA)
Network Security Professional (CompTIA)
Security Analytics Professional (CompTIA)
IT Operations Specialist (CompTIA)
Secure Infrastructure Specialist (CompTIA)
Two notes on this list. "Associate of (ISC)²" is the status (ISC)² grants to candidates who pass the CCSP or SSCP exam before they have accumulated the work experience the full certification requires; the full credential is awarded once that experience is documented. The last five CompTIA entries are stackable certifications rather than separate exams: CompTIA issues them automatically once you hold the underlying certifications (for example, IT Operations Specialist is A+ plus Network+, Security Analytics Professional is Security+ plus CySA+, and Network Vulnerability Assessment Professional is Security+ plus PenTest+).
Since the world of IT and security changes rapidly, you'll need to continue your education throughout your career. This means acquiring new certs and staying current with the security tooling your organization depends on, from endpoint protection and firewalls to the monitoring and identity systems that sit behind them. You should also target positions with the best opportunities, experiences, and challenges to broaden your information security skills.
Once you have a sizable amount of experience under your belt, you should next consider earning an MBA or an MBA in IT management. Many C-level positions today are difficult to attain without a master's degree, and earning your master's in business administration will give you an even greater understanding of your profession, as well as the management skills you'll need to fulfill higher-level roles.
To become a CISO, you'll need to demonstrate your technical chops in the trenches, become the de facto security leader for your organization, and work your way up to claim the role of its official cybersecurity executive. This is why CISOs are often more involved with the business in which they work than with the technology their teams use. Cybersecurity is also gaining more visibility in the boardroom, so to succeed in your C-level role, you'll need excellent leadership and management skills.
Other skills that you should master include:
Financial fluency. You need to not only understand but also lead discussions on the financial topics relevant to your business. This will enable other leaders to take intelligent financial risks (pertaining to information security gains) and will help you contribute directly to the financial discussions about those risks.
Communications. You must be able to communicate effectively with a variety of different people—crossing the divide between technical and business audiences. This means not only delivering presentations well but also communicating effectively in interpersonal situations.
Empathy. You’ll need this critical skill to successfully connect with your organization’s business leaders, customers, and employees so you can determine the right level of risk tolerance for your IT security initiatives. Without empathy, cybersecurity becomes nearly impossible to do well.
Ambition. You’ll need a strong desire to become an executive. The CISO job isn’t for everyone. It comes with great responsibility, risk, and reward. And you’ll have to take many risks in your career to get there, such as taking jobs with smaller or struggling organizations to get a seat at the executive table.
CISOs earn an excellent wage and report high job satisfaction. According to PayScale, the median annual salary for a chief information security officer is $164,000, with the lowest 10% earning $104,000 and the highest 10% earning $229,000. CISOs working in Fortune 500 companies can earn considerably more.
This wide range in income shows how much your years of experience and education level matter. PayScale cites that for every five years you work as a CISO, your annual salary can increase by $20,000. And CBS News reports that many tech jobs pay up to 17% more to those with a master's degree. The industry and city you work in can also affect your pay: Glassdoor finds that financial companies pay their CISOs the most, followed by tech and retail businesses.
Because the demand for cybersecurity and chief information security officers continues to grow, the outlook for the CISO occupation is very good. Aspiring CISOs will also benefit from the 150,000 new executive positions that the Bureau of Labor Statistics expects to be added over the next 10 years.
We should also note that the CISO role is fairly new, so there aren't many people with the right experience and qualifications to fill open jobs. That's why now is a good time to move into this growing profession. Whether that means going back to school or brushing up on your leadership skills, there's a world of opportunity waiting for you.