What Does a Chief Information Security Officer Do?
Chief Information Security Officers (CISOs) are leaders with a background in information technology or security. A chief information security officer works with other executives across different departments to design security systems and assets for a company. People in this role must have experience and high-level knowledge of risk management and auditing.
The chief information security officer is mainly responsible for creating and implementing an information security program designed to protect enterprise communications, systems, and assets from potential threats. The role carries great responsibility: chief information security officers must adhere to legal and regulatory security requirements while designing these complex systems.
Overall, a CISO must be a skilled leader with a strong understanding of information technology in order to protect the company and prevent security breaches.
National Average Salary
Chief information security officer salaries vary by experience, industry, organization size, and geography. To explore salary ranges by local market, please visit our sister site zengig.com.
The average U.S. salary for a Chief Information Security Officer is:
Chief Information Security Officer Job Descriptions
ABC Company is seeking a Chief Information Security Officer (CISO) to lead our global cyber and data security programs to secure and enable our ability to deliver the premier self-service event platform. ABC Security is responsible for all aspects of information security across the enterprise, including Web and Mobile application security, Cloud, Infrastructure and device security, Security Awareness Training, Policy, and Compliance.
We’re seeking a proven leader with the ability to define and execute the cybersecurity strategy, adding rigor to our operations, while building a highly skilled and diverse team. This position will partner across functions to drive major security initiatives and will be responsible for effectively communicating goals, risks, and tradeoffs to executive leadership and the board of directors.
- Define and own a multi-year cybersecurity roadmap and key performance indicators focused on reducing cyber risk
- Build and inspire a highly skilled and diverse Security team. Foster a culture of trusted cross functional partnership, service, and continuous improvement
- Create quarterly, annual and long-term cyber security and cyber risk management goals, articulate strategies, define metrics, and provide necessary updates to executive leadership and the Board of Directors
- Partner with Product & Engineering leadership for the development, planning, and execution of major security initiatives. Support Eventbrite’s secure Software Development Lifecycle
- Collaborate with peer members of the Cyber Security Governance Committee (CSG) and the Audit Committee to establish appropriate security standards and provide an effective governance structure to ensure cyber compliance and accountability
- Lead Security Incident Response, Third Party Information Security Assessment, Data Protection and Encryption, Identity & Access Management and Privileged User Access to protect customer and employee data
- Define cyber security governance and control strategies for emerging technologies such as cloud and containerization, blockchain, and distributed computing
- Keep well informed of developing security threats, and proactively create strategies to understand and mitigate potential security problems that might arise from acquisitions or other big business moves
- A Degree in Information Technology or Engineering (Advanced Degree Preferred)
- Key Industry certifications in Information Security, such as CISSP, CISM and CISA
- 15+ years of experience in Information/Cybersecurity in a public or large private technology company with a global customer base
- 7+ years people management experience across a global organization, with hands-on experience building diverse teams while promoting an inclusive organization
- A demonstrated knowledge of information security standards (e.g., NIST, ISO-27001), rules and regulations related to information security and data confidentiality (e.g., PCI, NIST, NSA) and other various security standards and policies
- A strong understanding of Cloud Security Models and key principles, such as CSPs' Shared Responsibility Models, Security and Infrastructure as Code, Preventive/Reactive Guardrails, Containerization, Serverless Computing, Continuous monitoring/drift detection, and the importance of end-to-end automation
- Strong interpersonal and communication skills with the ability to influence at all levels of the organization, while being able to simplify complex topics for understanding and critical decision making by Executive Management and the Board
- Ability to understand not only emerging industry trends as far as cyber security is concerned but also the landscape of emerging threats, making appropriate adjustments within the cybersecurity program
The Chief Information Security Officer will be directly responsible for all global aspects of security technology, strategy, and operations within ABC Company. As an innovative and resourceful partner entrusted to protect the ABC Company environments, systems, data, customers, and users, it is critical for ABC Company to build and maintain appropriate security safeguards that are designed to protect the confidentiality and integrity of our products and systems for our customers and internal users. You will scale the security organization and drive the program to its next level of maturity as we all work to make ABC Company grow and improve. You will report to and partner closely with the Chief Risk Officer to work with leaders across the organization to develop and implement a robust framework and appropriate technology and tools. Also, you’ll interact with broader executive leadership to communicate on our evolving needs, matching the size and complexity of our organization with security strategy and operations right-sized for our stage of growth and the information we safeguard.
- Attract, hire, and retain a high-performing team of world-class security talent who will continue to evolve to address the information security needs of the company
- Develop, implement, and monitor a strategic, comprehensive enterprise-wide information security and risk management program
- Provide strategic and tactical vision around adversary and threat detection, incident response, and asset fortification
- Partner and align with Product and Engineering teams to reinforce product security to drive and automate secure development practices while maintaining business needs
- Advise the CRO, executive leadership, and technical leads on security issues and threats
- Identify, track, and communicate detailed metrics indicating overall security risk factors
- Guide technical development of security tools and product features in order to reduce security risk across the company
- 15+ years of broad technology experience encompassing SaaS environments, application development, Information Security, incident response leadership, architecture, policy regulations, risk and compliance, and infrastructure services, with a strong record of successfully managing information security
- 10+ years of experience in building, mentoring, and managing global security teams for a cloud-based SaaS offering and providing structure for professional development of team members
- Experience with pre- and post-IPO readiness and the different stages that companies go through during that journey
- Demonstrated experience representing an organization’s information security program in presentations and discussions with customers, partners, and other external parties
- Experience implementing controls and mitigating risks related to GDPR, PCI, HIPAA and other information security and data privacy standards
- Experience implementing cloud security technologies, including encryption, network security, intrusion detection, cloud monitoring, and digital forensics
- Experience triaging and remediating organizational incidents with wide-ranging business or customer impact
- Well-versed in the rapidly evolving threat landscape with a strategic mindset to mitigate threats and an established personal network for standard methodologies and information sharing around emerging challenges in the security space
- Strong business sense with an ability to balance “business value” vs “security risk”
- Good communication skills with an ability to build strong narratives to highlight the importance of security to employees internally and customers/shareholders externally, including both technical and non-technical audiences
What we’re looking for:
ABC Company is a rapidly scaling business and we are looking for our first Chief Information Security Officer (CISO) to lead and scale our Security and IT teams. The CISO will work closely with the Senior Leadership Team to define our strategic goals for enterprise security, application security, and IT, a roadmap to achieve these goals, and work with their team and stakeholders to execute.
This is a remote-friendly position that can be located anywhere in North America.
What you will do:
- Set the vision, strategy, and roadmaps for our Security and IT programs
- Lead and scale diverse technical teams to execute on the roadmap
- Collaborate with senior Engineering, Product, Legal, Compliance, and other functional leaders to get buy-in for the strategy and roadmap
- Develop an effective strategy to assess and mitigate risk, manage incidents, maintain continuity of operations, and safeguard the company
- Prepare and report on our information security posture and status to Senior Management and the Board
- Actively mentor current and future leaders and individual contributors in your group through effective 1:1s, thoughtful feedback, career growth planning, and performance reviews
- Own compensation, team design, hiring, and retention plan for your group in alignment with company-wide policies
- Drive and influence software and infrastructure security across the organization
What skills will help you be successful:
- Bachelor’s Degree in Business, Computer Science, or other related field or equivalent experience
- 10+ years of experience in a combination of risk management, information security, and application security engineering roles
- 5+ years in a senior leadership role in security
- Demonstrated experience with Application Security, DevOps, or Cloud Security functions as a leader or in a people management role
- Experience with cloud computing technologies, especially AWS (Amazon Web Services), with security commitments to customers and partners
- Knowledge and understanding of relevant legal and regulatory requirements, such as HIPAA (Health Insurance Portability and Accountability Act), the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS), Personally Identifiable Information (PII) protection, Service Organization Control (SOC) reporting, and the California Consumer Privacy Act (CCPA)
- Proven track record and experience in developing information security policies and procedures, as well as successfully executing programs
- Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate security and risk-related concepts to technical and non-technical audiences
Sample Interview Questions
- How would you go about training your staff in updated security procedures?
- How would you update the company’s cybersecurity policy?
- How would you handle a data security breach?
- What methods would you employ to foster a company-wide culture of security?
- How do you keep up to date on state and federal security laws?
- What resources do you use to keep up to date with cybersecurity threats?
- What are the principles around the use of encryption in data life cycle protection?
- Explain social engineering as if to another department leader.
- What are the biggest security concerns in using connected devices and the IoT?
- How should authentication be managed?
- Can you name three cloud-based security issues?
- Have you ever experienced a data breach? What steps did you take to contain it?
- Why is having a company-wide culture of security important?
- What are the different levels needed to classify data?
- How familiar are you with security auditing?
- How do you manage security for remote workers?
- How experienced are you in budget planning for security?
- What is a chain of custody, and how do you create one?
- How important is key rotation?
- How often should security policies be revised?