
Looking For A Practical CISO Job Description? Here's A Day In The Life Of The CISO

SungardAS

By Sue Poremba

So, you want to take the next step up the security corporate ladder and become a CISO. Or perhaps your company’s decision leaders are re-considering their approach to cyber security and want to create a CISO position. What is a real, down-to-earth CISO job description? What can a CISO expect an average day to look like?

The “average” day will depend on several different factors, according to Dan Lohrmann, former CISO for the State of Michigan and current Chief Strategist and Chief Security Officer at Security Mentor. What the CISO’s job entails will depend on the size and complexity of the organization, as well as the scope of overall duties.

“Some government and business CISOs are one-man security teams that are very hands-on in smaller organizations,” he said. “In larger organizations with Security Operations Centers and centralized authority and budget control over all enterprise security, the CISO is usually a part of the Chief Information Officer’s management team and supports the overall technology program.”

With today’s security landscape, the CISO needs to be more than the person in charge of making sure the firewall keeps out hackers. Often, the CISO needs to think like a CFO and work with individual departments on developing a security budget, like a lawyer to understand compliance and government regulations the industry must follow, and like an HR manager in order to work closely with staff and ensure they are following security protocols.

Not surprisingly, Lohrmann said to expect a lot of meetings as part of a CISO’s day. One of the responsibilities of the CISO is to be the security liaison across departments, and that means a lot of outreach with managers and staff, as well as with other business executives. There are also security vendors to meet. Depending on the size of the company and its security staff, the CISO may be asked to guide the staff on implementing security functions and to oversee security training opportunities, or the CISO may be the one actually performing these duties. In any case, the CISO can expect to play a role in how cyber security efforts within the company operate.

This CISO job description can help you understand your company's position on cyber security and the value of a CISO position.

“The CISO needs to be a champion to get things done and build the appropriate executive buy-in, funding, resources and awareness of key projects,” Lohrmann said. “This means having one foot in the executive suite and one foot in day-to-day operations.”

Having a good strategic plan in place can help provide direction in the daily routine, he added. This allows the CISO to deliver positive results in meeting cyber security goals and milestones. “The CISO drives cultural change in the organization by helping people understand risks and making better decisions. These plans help close audit findings and address enterprise security weaknesses,” Lohrmann added.

But not everything the CISO does should be focused on in-house cyber security activities, advised Ondrej Krehel, formerly CISO of IDT911 and founder of the security company LIFARS. He suggested that CISOs regularly keep track of what is happening in their company’s industry at large, learn which security threats are evolving against that industry, and learn what is being done to protect the network and data against those threats. This is an important step in remaining competitive in a changing business world, where potential customers and clients are taking closer looks at a company’s security profile.

That directly correlates with another job duty for the average CISO – making sure that the company is using its security tools to their fullest. It’s the CISO’s responsibility to understand the features of each cyber security tool, said Krehel, and then see how the security department can maximize its potential. “You already have these tools,” he added, “so you might as well get what you are paying for. Rather than spending more money, you are better off seeing if you can enable more features.”

In a smaller company, the CISO role will require a lot more time focused on the day-to-day operations of the security mechanisms, while in a larger company, the job will mirror those of other C-level executives. But in the end, one thing remains the same: the number one priority of the CISO will be to keep the company’s data and network secure from attacks and other disasters. And if the worst-case scenario happens, then nothing is average or ordinary.

Additional Reading:

1. The Year In Cyber Security: Sony’s Hack Scandal And Various Retail Data Breaches

2. 5 Information Security Breaches You’ve Never Heard About…But Should Have

3. The #1 Cyber Security Threat To Information Systems Today
