What is a Chief Information Security Officer?
As the world becomes more and more reliant on digital technology, a company’s data and information require new methods of protection and defense against bad actors. With the advent of e-commerce, consumers have become more aware of the risks of putting their financial information "out there," and are increasingly demanding that companies handle their financial and personal data with care; in some industries, information security is dictated by law (HIPAA, GDPR, etc.). As databases replace filing cabinets across the world, organizations are replacing physical locks and keys with digital ones.
The CISO is a relatively new designation, born from the increasing urgency of cyber security needs. Historically, cyber security has fallen under the umbrella of the Information Technology department, and has been distributed among department heads and units within the organization — with the assumption that each unit understands best how to protect the data within its realm of responsibility. As digital information replaces physical files, and organizations rely more and more on strong cybersecurity, the role of information security often becomes more centralized. A chief overseeing information security offers a level of accountability not previously possible, and raises the overall standard of an organization’s security practices. The CISO is an expansion of that role: an executive team member focused entirely on information security, elevating information security to the same level as other key business lanes (joining the ranks of the Chief Executive Officer, Chief Operating Officer, Chief Financial Officer, Chief Technical Officer, and other C-suite titles that represent a company’s full investment in that area of expertise). The CISO may report to the CEO, the CTO, or a company’s board of directors.
What does a CISO do?
The role of a Chief Information Security Officer is commonly described with four key functions (these are from Carnegie Mellon University’s Software Engineering Institute):
Protect, Shield, Defend, and Prevent
Monitor, Detect, and Hunt
Respond, Recover, and Sustain
Govern, Manage, Comply, Educate, and Manage Risk
The CISO enacts policies, processes, and practices, and hires and trains staff, to ensure that an organization is entirely protected from security threats. The CISO is responsible for making sure that policies and staff are effectively monitoring day-to-day operations, actively hunting suspicious behavior, and taking steps to respond to and recover from any attacks.
The establishment of a CISO can be a strategic move for an organization, and one that demonstrates to customers, shareholders, and other observers a strong commitment to information security. Often this comes after a publicly visible breach of security. Organizations in the fields of medicine, finance, government, and pharmaceuticals are particularly security-sensitive, and are more likely to prioritize security by naming a Chief Information Security Officer. But even smaller companies and those in other fields may see the benefit of establishing such a role early on, in order to build a solid security foundation as they grow. As data breaches and "hacked" systems make headlines, organizations begin to shift funding and resources to this sensitive and vital area. Moving forward, economists expect information security jobs to increase in both pay and availability.
CISO Salary & Earnings
According to Salary.com’s data, "The median annual Chief Information Security Officer salary is $216,211, as of April 29, 2018, with a range usually between $188,924-$249,607." The site warns, however, that this can vary widely dependent upon a number of factors. PayScale data comes in a bit lower, at a median of $156,778 for base salary. Factoring in bonus and profit sharing earnings, PayScale lists total pay at a range of $104,099 - $259,542.
These relatively high salaries represent the high level of this role, and the considerable education and experience required to reach it. Below we’ll discuss the path to becoming a CISO, including education requirements, skills, and work experience. If you are early in your career, this will help you plan the next 5-7 years, preparing you to build the skills and experience necessary to qualify for this top-level information security role. If you are further along in your career, you may find that much of your pre-existing experience will assist you in your goal of being a CISO; the information below can help you fill in the gaps in your experience, skills, or education.
Path to becoming a CISO
The paths to becoming a Chief Information Security Officer can vary greatly, but they generally consist of strong IT backgrounds, coding knowledge, and management experience. This experience is often gleaned in the workplace, as an IT engineer, for example, who takes a particular interest in the security aspects of their job. If you’re near the beginning of your career and have your sights set on achieving the title of Chief Information Security Officer, you would do well to begin as a Systems, Network, or Security Administrator. You should then focus on moving "up the ladder" into higher-level and higher-responsibility IT positions, with a particular focus on information security. Such jobs may include Security Engineer or Security Analyst, moving up to similar roles that include “Manager,” “Lead,” “Director,” or “VP” in their titles. On average, you should expect to have 7 to 12 years of increasingly responsible experience before you can apply to be a CISO.
In addition to relevant work experience, a rise to these highest levels of an organization often requires specialized education. This is a C-level job, so at minimum, you should expect to hold a bachelor’s degree. Most likely, though, a master’s degree (or two) will be needed.
CISO Education Requirements
There are several paths a student might take towards the goal of becoming a CISO. As this role requires skills in both technology and business, many CISOs hold MBAs. A Master of Business Administration has the benefit of a strong business sensibility, something that will serve the CISO well in working with the other executives on a team, managing a staff, and maintaining a strong security strategy that supports overall business goals. On the other hand, technical and security skills are incredibly important in this role, so many CISOs hold Master of Science degrees in technical fields including Information Systems & Technology, Cybersecurity, and Information Technology & Management.
As the position of CISO requires a depth of knowledge and experience in both information technology and business concepts, you may choose to earn both a general MBA and an MS in the technical field of your choice. Alternatively, you can earn one or the other, and pursue separate certifications in the areas not covered as extensively in your degree program.
CISO and the MBA Track
It’s quite common for executives in all branches of an organization to hold MBAs. This is a standard degree for those interested in moving up the ladder in the business world to the C-suite, and the CISO role is no exception. Like any other business executive, a CISO will be expected to understand management, finance and economics, budgeting, and other business concepts. The Master of Business Administration, particularly from a top-tier school, is the foundation upon which many successful executives have built their careers.
Most MBA programs allow students to specialize by choosing a concentration; among common concentrations are fields within Technology and Security. An MBA with a concentration in an information security-related field is an excellent foundation for a CISO career.
You might also supplement your MBA with focused certifications in the areas of Cybersecurity, Information Technology, and IT Forensics.
CISO and the MS Track
If business school isn’t in the cards, you may choose to earn a Master of Science in a technology field. These programs are just as deep and rigorous as an MBA, though they’re focused on the particular subject matter as opposed to general business topics. A CISO must have expertise in the field of information security, so an MS in Cybersecurity or a similar field is absolutely appropriate. Possible MS degree paths include:
Information Systems & Technology
Information Technology & Management
Digital Forensic Science
We would caution you, though, not to neglect the business aspects of your education if you’re intent on reaching CISO status. Should you choose to forgo the MBA in favor of a specialized MS, make an effort to incorporate business electives wherever possible, or to separately pursue business certifications in the areas of management, finance, and strategy.
In order to carry out the high-level duties of a CISO, an individual must be a self-starter, capable of taking initiative and carrying out strategy from the highest level. Important soft skills include written and spoken communication; critical thinking skills to identify problems and determine the best course of action in a given situation; strong interpersonal, management, and leadership skills; and organizational and strategic planning skills.
Of course, hard skills are also an important part of a CISO’s day-to-day work. This is where the work experience and education listed above come in. A CISO must maintain a solid understanding of information security, including best practices and new developments in the field.
In addition to the degrees discussed above, you may find it useful to pursue specialized certifications. These programs can give you a leg up over the competition, and better prepare you for ongoing success in the information security field. In most cases, additional training or education is not required for these programs; rather, you will use the work experience and education earned in your own preparation for becoming a CISO to sit for a test and, upon passing, receive your certification. Each certification has its own requirements (for example, 5 years of relevant work experience and a bachelor’s degree) that must be met in order to qualify for the test, so this is most likely something you will pursue later in your career, as a culmination of your work and education, to help you move from a lower-level managerial information security role to that of a Chief Information Security Officer.
Here are some of the top-rated certifications in the information security field:
- "The CISA designation is a globally recognized certification for IS audit control, assurance and security professionals. Being CISA-certified showcases your audit experience, skills and knowledge, and demonstrates you are capable to assess vulnerabilities, report on compliance and institute controls within the enterprise."
- "The uniquely management-focused CISM certification promotes international security practices and recognizes the individual who manages, designs, and oversees and assesses an enterprise’s information security."
- "GIAC Certifications develops and administers premier, professional information security certifications. More than 30 cyber security certifications align with SANS training and ensure mastery in critical, specialized InfoSec domains. GIAC Certifications provide the highest and most rigorous assurance of cyber security knowledge and skill available to industry, government, and military clients across the world."
- "The Certified CISO (CCISO) program is the first of its kind training and certification program aimed at producing top-level information security executives. The CCISO does not focus solely on technical knowledge but on the application of information security management principles from an executive management point of view. The program was developed by sitting CISOs for current and aspiring CISOs."
- "This cybersecurity certification is an elite way to demonstrate your knowledge, advance your career and become a member of a community of cybersecurity leaders. It shows you have all it takes to design, engineer, implement and run an information security program."