How to write a CISO job description
- 25 July, 2017 19:00
Whatever the role, good communication regarding the duties and expectations of a security professional is key to that person’s success. That communication starts with a solid, thorough job description. It will be an important benchmark when hiring for the role, and a touch point for performance once the candidate is on board. The job description is also a baseline that helps security team managers keep pace as many roles evolve.
A good job description will spell out the role’s duties and priorities. It also outlines where the role falls in the reporting structure. It should also provide the role’s requirements, which could include certifications, skills, experience and education. This series focuses on the duties and requirements, because the priorities and reporting structure will be unique to each company.
A chief information security officer (CISO) is a C-level management executive responsible for overseeing the general operations of an organization’s IT security department and related staff. The CISO directs and manages strategy, operations and the budget for the prime mission: protection of an organization’s information assets.
The job requires a strong background and experience in IT strategy and security architecture, along with the high-level communication and people skills needed to assemble and manage an IT security team and to consult with internal and third-party executives and government agencies.
As a C-level position, it requires more than technical knowledge and skills. A good CISO must be able to “speak the language of business” if he or she is to be a successful strategic partner in the executive suite. Different titles for the same, or similar, duties include chief security architect, security manager, corporate security officer or information security manager, depending on the company's structure and existing titles.
The duties outline the tasks and goals for which the CISO is responsible. These may vary depending on your company’s needs or industry. They include:
- Direct and approve the design of security systems. Update as necessary.
- Ensure that disaster recovery and business continuity plans are in place and tested.
- Review and approve security policies, controls and cyber incident response planning.
- Approve and oversee identity and access management (IAM) policies.
- Understand the IT threat landscape for the industry.
- Ensure continued compliance with laws and applicable regulations.
- Schedule periodic security audits.
- Conduct security awareness training for all personnel and enforce compliance.
- Manage all teams, employees and third parties involved in IT security, which may include hiring.
- Hire, train and mentor security team members.
- Become a trusted business adviser. Brief the executive team on risk management, including strategy and necessary budget.
- Choose and purchase security products from vendors.
- Conduct electronic discovery and digital forensic investigations.
Skills and competencies
This section outlines the technical and general skills required, as well as any certificates or degrees that a company might expect an information security architect to have.
Key technical skills include:
- The ability to quantify the risks of different IT architectures, and then communicate to other executives how to manage that risk.
- The ability to work with data scientists to detect and respond to threats.
- The ability to oversee pen testing to find vulnerabilities in all elements of a security system.
- Disaster recovery, including detecting an intrusion, isolating it and neutralizing it before it can cause further damage.
- Data and information management, including classification, retention and destruction. This means keeping corporate and personal data both private and secure while they are needed, and destroying them when they are no longer needed.
- Digital forensics, which means finding out what allowed an intrusion to occur so it can be prevented in the future.
- Security information and event management (SIEM) expertise.
- Knowledge of all applicable laws and compliance frameworks to enforce compliance.
General skills include:
- Communication and presentation, to be both the subject matter expert and advocate for risk management in the executive suite.
- Policy development and administration.
- Planning and strategic management.
- Leadership, collaboration and conflict resolution.
- Supervision and management.
Possible certification requirements are:
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM), issued by ISACA
- Certified Information Systems Security Professional (CISSP), offered by (ISC)2.
Wes Simpson, COO of (ISC)2, says the basic qualifications for any CISO role are essentially the same. “We’re all suffering from the same problems,” he says. “It transcends every industry.”
Different industries do have different IT systems and infrastructure, he says. One example is healthcare, where besides the specific compliance requirements of the Health Insurance Portability and Accountability Act (HIPAA) and management of Electronic Health Records (EHR), there would likely be a need for certification as a Health Care Information Security and Privacy Practitioner (HCISPP). “But it still all comes down to the security of the assets and PII (personally identifiable information),” he says.
Pamela Fusco, an adviser to the Information Security Systems Association, agrees that the basics are the same, but says each industry has its own regulatory regime. She notes that regulations on the pharmaceutical industry require “no changes to systems unless they are duly noted. It can be something as simple as pushing a patch,” she says.
She adds that any CISO in the financial sector will have to be very familiar with Sarbanes-Oxley, more commonly known as SOX, but with the much more lengthy title of “Public Company Accounting Reform and Investor Protection Act.”
That is the message from Michael Lines, vice president, strategy, risk and compliance advisory services at Optiv, as well. While the core skills are similar across industries, the regulatory framework differs, “for example HIPAA in healthcare, FFIEC (Federal Financial Institutions Examination Council) in financial services and NERC CIP (North American Electric Reliability Corporation, Critical Infrastructure Protection) in energy,” he says, adding that “The time to learn (these variations) is not when you are in the hot seat.”
His colleague at Optiv, Norman Kromberg, executive director of CISO services, says he believes different industries can require different overall skill sets. “Government and banking require people who can maintain a program and have the skill to work with regulators, auditors, boards, etc.,” he says, “while healthcare, IT services and tech firms need a visionary. These areas likely face more and more threats, have less mature programs and executives who are less aware of security success factors.”
How to attract the best
PayScale’s 2015 estimates put the CISO median salary at $131,322, but salaries can range from $81,000 to $240,000 or even more. Simpson says that, given the demand, the best candidates can “write their own ticket” when it comes to money.
He and others say that, as is the case in most IT careers, there are factors more important than money. It has long been noted that CISOs are frequently viewed as the scapegoats when anything goes wrong, and Simpson says good candidates “want to be seen as strategic partners. They want to report to the CEO and they want a seat at the table.”
Lines agrees, saying, “independence from the CIO is a must. The CISO should report directly to the board, a board committee, or senior management and not IT operations management.”
Fusco also agrees. The CISO has “traditionally been under the CIO,” she says, “but that is truly a conflict. The CIO is focused on money and availability, and with the responsibility a CISO carries, that doesn’t work. That’s why there’s so much turnover.”
Simpson says the company culture is also important. “They need to say why they are so special compared to their competitors,” he says. “They also want the opportunity for growth, and that the company is behind them.”
In order to be seen as a partner, however, Kromberg says CISOs need to have business knowledge as well as technical skills. “They have to know how to develop metrics to tell their story in a non-technical manner. They have to express a threat in a way the business leaders can understand why they need to act.”