The top of the Security organizational chart is occupied by the Chief Information Security Officer (CISO). This executive-level position is at the top of the corporate ladder in the arena of Information Technology and Security. As such, the position requires many varied skills and contains many varied responsibilities. Some of the different facets of the position include making staffing decisions, interacting with leadership, a good amount of creative freedom and public relations. While not all security personnel reach this level, it is where all roads lead in the realm of Information Technology and Security.
Foundations – Education
A strong educational background in computer technology, information technology and mathematics provides the basis for all security and technology careers. Computer Science, Computer Engineering, Security and Architecture are among the more technical degrees that comprise the requirements for advancement to the upper levels of the field. A Master’s Degree is becoming the standard for upper management levels, as is expertise in all elements of information security (cryptography, system architecture, analytics and information security).
Foundations – Experience and Certifications
Typically, a candidate will have 10+ years’ experience in Information Technology before considering an executive-level position; much of this experience must be within the realm of information security. Additionally, management experience is a requirement, since the position involves less “hands-on” technical work and is more strategic and abstract in its practice. A solid understanding of all elements of information security, system architecture, current encryption standards and network frameworks is necessary for the successful CISO.
Certification is required for the Chief Information Security Officer; there are several organizations that administer accredited certification programs:
ISACA (Information Systems Audit and Control Association):
Certified Information Systems Auditor (CISA)
Certified in Risk and Information Systems Control (CRISC)
Certified Information Security Manager (CISM)
Certified in the Governance of Enterprise IT (CGEIT)
ISC2 (International Information Systems Security Certification Consortium, Inc.):
Certified Information Systems Security Professional (CISSP)
Certified Information Systems Security Management Professional (CISSMP)
GIAC (Global Information Assurance Certification):
GIAC Security Leadership Certification (GSLC)
EC-Council (International Council of Electronic Commerce Consultants):
Certified Chief Information Security Officer (CCISO)
Foundations – Continuing Education
The Security industry is ever-changing in nature; the “half-life” of technology is shrinking incredibly fast. Staying on top of news, trends and new methodology via continuing education is critical for the long-term success of the Chief Information Security Officer. New defenses and new threats must be recognized and evaluated, and changes implemented, in short order to maintain the security and integrity of an organization’s network, data and information. The CISO must be knowledgeable about changes and trends to ensure a safe information environment. Trade publications, news sites, blogs and information from affiliated organizations keep the CISO abreast of current events; continuing education programs, classroom training/seminars and field exercises help keep their skills sharp. Many other professional roles have specific requirements for continuing education; in the computer security and technology field, many certifications must be refreshed periodically. It is in everyone’s best interest that the CISO understands that trends and technology will change over time. The successful CISO keeps growing in knowledge about the world of computer security.
Employment Opportunities – Job Titles
The common path to the role of Chief Information Security Officer has many steps and thresholds along the way. These job titles include: Security Administrator, Network Administrator and System Administrator; Security Specialist, Analyst, Engineer, Consultant and Auditor; Security Manager, IT Project Manager, Security Architect and Security Director.
While Chief Information Security Officer is the common job title, the role may have slightly different names including:
Chief Security Officer (CSO)
Information Security Officer (ISO)
Head of Information Security
Obviously, each organization provides its own titles for specific jobs; the above path and ultimate job titles represent a sample of these titles.
Employment Opportunities – Job Duties, General
The Chief Information Security Officer is a role with much authority and power; as such, it also includes much responsibility. As a leadership/executive position, interaction with organizational leadership is a daily requirement. There will be opportunities to engage with stakeholders, the press, and the public as well as peripheral groups within the organization. The CISO must be articulate, organized and personable.
As the role of CISO is less specifically task-oriented than other positions in an organization, general duties on any given day may include the following:
Create and lead a team of IT security experts
Develop strategic plans to deploy information security technologies and/or program enhancements
Oversee development of organizational security policies, standards and procedures
Integrate IT systems and deploy security strategies
Develop IT security risk management programs
Evaluate existing systems and provide risk assessments
Learn about new security threats and strategies to combat them
Supervise the monitoring of the network for vulnerabilities
Create response strategies for security incidents
Coordinate research and investigation of security incidents
Evaluate, prioritize and allocate security resources
Present initiatives with cost data for maintenance, expansion and protection of security assets
Lead, train and guide security staff – including development of advancement opportunities
Engage organizational leadership to ensure IT protection policies are administered effectively
Oversee education programs to enhance the skills of security staff and educate all team members in the organization
Meet with stakeholders about the current condition of the organization’s information security
Cooperate with law enforcement to research and investigate any data breach
Meet with members of the press to provide public statements about the organization, security or related matters
Employment Opportunities – Job Duties, “Hard” Skills
Because the Chief Information Security Officer role is at the peak of the job ladder, it is expected that all appropriate technical skills be mastered on the way up. These hard skills include:
C, C++, C#, Java and/or PHP programming languages
Windows, UNIX and Linux operating systems
ISO 27002, ITIL and COBIT frameworks
TCP/IP, computer networking, routing and switching
PCI, HIPAA, NIST, GLBA and SOX compliance assessments
Firewall and intrusion detection/prevention protocols
Network security architecture development and definition
Secure coding practices, ethical hacking and threat modeling
Security methodology and concepts including DNS, routing, authentication, VPN, proxy services and DDoS mitigation technologies
Third-party auditing and cloud risk assessment techniques
IT strategy, enterprise and security architecture
Employment Opportunities – Job Duties, “Soft” Skills
Somewhat more universal skills required for excellence in the field include:
Intelligence (and common sense)
Strong ethics and good judgment/discernment
Above the technical acumen, the CISO needs strong interpersonal skills, as they are expected to interact with technical and non-technical individuals and groups. Negotiation skills, cooperation, team-building expertise and development of strategy are valuable assets for the CISO. The CISO is akin to the top-ranked military officer – they have vision, good judgment and an ability to motivate others to achieve the objective. The successful CISO will keep a long-term goal in view and recognize the steps required to reach the target.
On top of it all, the CISO must be able to handle pressure and stress well. There are many ideas, circumstances and people that must be properly prioritized and handled effectively without overwhelming the officer. Maintaining a calm demeanor and choosing words judiciously are imperative for the effective CISO.
Employment Opportunities – Job Duties, Private Sector
Businesses and non-governmental organizations require network and data security. Both the internal network and the customer-facing systems contain vulnerabilities and risks that must be met with excellent security measures. The Chief Information Security Officer will oversee all security operations of the organization, managing and directing multiple security teams to ensure the integrity of the organization’s network and information.
There are three primary industries that rely heavily on information security in their daily operations.
Online retailers depend on data encryption to protect their customers’ private data within their transactions. The secure webpage is designed to give the consumer confidence that the business’s online security is robust enough to allow buyers to purchase safely. That level of confidence is administered by the CISO and security teams, who use their skills to create a safe environment for the transaction. Once limited to military applications, “strong encryption” techniques are now commonplace throughout all retail business sectors.
Nearly all businesses and organizations survive on email and internal “chat” communications. Encryption programs protect these confidential conversations and require monitoring, evaluation and upgrades in order to maintain a high level of information security and integrity. The CISO must be aware of current technologies and be able to lead the security teams in monitoring and evaluating current security and in determining necessary enhancements to the protection of the communication network. The CISO will obtain information about vendors that offer encryption software, or oversee a development team to create proprietary protection software.
A newer trend involves cellphone providers who are researching encryption technology for cell phone signals to ensure privacy of conversations and prevent unauthorized access. While the idea of verbal communication security is not necessarily new, access to individual handsets and cellular networks has been a hot topic in recent events – particularly in the investigation of the San Bernardino shooting (referenced in the case FBI v Apple) – and phone security and privacy issues are at the forefront of business thought.
As an alternative to staff positions, consultant positions can be lucrative for the seasoned CISO. Smaller companies may not be able to keep a CISO on staff, but a “CISO by the hour” is a viable alternative. Outsourcing is commonplace in many industries, information security included. There will be more “hands-on” technical effort within the field of consulting, but the freedom to work on a contract basis can be attractive to many successful information security professionals.
Employment Opportunities – Job Duties, Public Sector
The National Security Agency (NSA) is considered to be “security central” when it comes to information security. Data protection is critical within all governmental agencies, military and federal law enforcement teams. The NSA has several positions for CISO and CISO-related roles. Because the organization is massive, there are many leadership positions and titles covering various departments and agencies. Whether the particular team assists law enforcement in solving crimes, mitigating threats or addressing other security concerns, or provides security of communications within and around specific agencies, the duties of a CISO are in demand.
Additionally, each branch of the military requires data and information security similar to that of the NSA, with the added priority of national defense. Troop/personnel orders, statistics and locations must be shared with appropriate individuals and kept away from enemy combatants. Launch codes, weaponry locations and other critical data must be protected as well. The CISO role will oversee all information and data security measures – and have access to the latest technology.
The Chief Information Security Officer role is uniquely challenging, as the officer must stay informed of all advances in security technology and the threats against it. This is a role that has universal application and a never-ending learning curve!