What Does a Chief Information Security Officer Do?
Chief Information Security Officers (CISOs) are senior leaders with a background in information technology or security. A chief information security officer works with executives across departments to design the security program, controls, and supporting systems that protect a company's assets. People in this role must have substantial experience and high-level knowledge of risk management, governance, and auditing.
The chief information security officer is mainly responsible for creating and implementing an information security program designed to protect enterprise communications, systems, and data from potential threats. This career comes with great responsibility: the CISO must ensure the program satisfies applicable legal and regulatory requirements while designing and operating these complex systems.
Overall, a CISO must be a skilled leader with a strong understanding of information technology in order to protect the company and reduce both the likelihood and the impact of security breaches.
National Average Salary
Chief information security officer salaries vary by experience, industry, organization size, and geography. To explore salary ranges by local market, please visit our sister site zengig.com.
Chief Information Security Officer Job Descriptions
It’s important to include the right content in your job description when hiring a chief information security officer. The following examples can serve as templates for attracting the best available talent for your team.
Because of our deep commitment to security, [Your Company Name] is looking for an experienced chief information security officer. The CISO supervises assigned personnel, including making and monitoring work assignments, evaluating performance, providing training, corrective instruction, and assistance, and conducting security meetings as needed. As an ideal candidate, you have proven experience developing and implementing strategic security programs and managing the security of personnel and both physical and digital assets. As a leader and trusted advisor, the CISO will work to advance the organization's mission, vision, and core values.
Typical duties and responsibilities
- Implements and oversees strategies to assess and mitigate risk
- Safeguards the corporation and its assets
- Leads crisis management and incident response
- Develops, implements, and maintains security processes and policies
- Fosters a culture of physical and digital security awareness by conducting training sessions and communicating with personnel
- Identifies and reduces risks
- Limits liability and exposure to informational, physical, and financial risks
- Ensures the organization is compliant with local, national, and global health, privacy, and safety regulations
- Researches and executes security management solutions to help keep the organization safe
- Works with management to develop and implement appropriate budgets for security programs
Education and experience
- A bachelor’s degree in safety management, information technology systems, or a similar field
- 3+ years of experience working as a security manager
Required skills and qualifications
- Exceptional knowledge of state and federal information security laws
- Proficiency in developing physical and digital security protocols and procedures
- Strong verbal and written communication skills
- Solid interpersonal skills
- Excellent managerial and leadership skills
- Strong knowledge of information management systems and cybersecurity
- Ability to research and stay up to date with security trends and changing government and state laws
- Industry-related security certifications
- Master’s degree in cybersecurity
- A diverse IT background
ABC Company is seeking a Chief Information Security Officer (CISO) to lead our global cyber and data security programs, securing and enabling our ability to deliver the premier self-service event platform. The ABC Company Security team is responsible for all aspects of information security across the enterprise, including web and mobile application security; cloud, infrastructure, and device security; security awareness training; policy; and compliance.
We’re seeking a proven leader with the ability to define and execute the cybersecurity strategy, adding rigor to our operations, while building a highly skilled and diverse team. This position will partner across functions to drive major security initiatives and will be responsible for effectively communicating goals, risks, and tradeoffs to executive leadership and the board of directors.
- Define and own a multi-year cybersecurity roadmap and key performance indicators focused on reducing cyber risk
- Build and inspire a highly skilled and diverse Security team. Foster a culture of trusted cross functional partnership, service, and continuous improvement
- Create quarterly, annual and long-term cyber security and cyber risk management goals, articulate strategies, define metrics, and provide necessary updates to executive leadership and the Board of Directors
- Partner with Product and Engineering leadership on the development, planning, and execution of major security initiatives, and support the company's secure software development lifecycle
- Collaborate with peer members of the Cyber Security Governance Committee (CSG) and the Audit Committee to establish appropriate security standards and provide an effective governance structure that ensures cyber compliance and accountability
- Lead Security Incident Response, Third Party Information Security Assessment, Data Protection and Encryption, Identity & Access Management and Privileged User Access to protect customer and employee data
- Define cybersecurity governance and control strategies for emerging technologies such as cloud and containerization, blockchain, and distributed computing
- Keep well informed of developing security threats, and proactively create strategies to understand and mitigate potential security problems that might arise from acquisitions or other big business moves
- A Degree in Information Technology or Engineering (Advanced Degree Preferred)
- Key Industry certifications in Information Security, such as CISSP, CISM and CISA
- 15+ years of experience in Information/Cybersecurity in a public or large private technology company with a global customer base
- 7+ years people management experience across a global organization, with hands-on experience building diverse teams while promoting an inclusive organization
- Demonstrated knowledge of information security standards (e.g., NIST, ISO 27001), of rules and regulations related to information security and data confidentiality (e.g., PCI DSS, NIST and NSA guidance), and of other security standards and policies
- A strong understanding of cloud security models and key principles, such as cloud service providers' shared responsibility models, security and infrastructure as code, preventive and reactive guardrails, containerization, serverless computing, continuous monitoring and drift detection, and the importance of end-to-end automation
- Strong interpersonal and communication skills with the ability to influence at all levels of the organization, while being able to simplify complex topics for understanding and critical decision making by Executive Management and the Board
- Ability to understand not only emerging industry trends in cybersecurity but also the landscape of emerging threats, and to make appropriate adjustments to the cybersecurity program in response
The Chief Information Security Officer will be directly responsible for all global aspects of security technology, strategy, and operations within ABC Company. As an innovative and resourceful partner entrusted to protect the ABC Company environments, systems, data, customers, and users, it is critical for ABC Company to build and maintain appropriate security safeguards that are designed to protect the confidentiality and integrity of our products and systems for our customers and internal users. You will scale the security organization and drive the program to its next level of maturity as we all work to make ABC Company grow and improve. You will report to and partner closely with the Chief Risk Officer to work with leaders across the organization to develop and implement a robust framework and appropriate technology and tools. Also, you’ll interact with broader executive leadership to communicate on our evolving needs, matching the size and complexity of our organization with security strategy and operations right-sized for our stage of growth and the information we safeguard.
- Attract, hire, and retain a high-performing team of world-class security talent who will continue to evolve to address the information security needs of the company
- Develop, implement, and monitor a strategic, comprehensive enterprise-wide information security and risk management program
- Provide strategic and tactical vision around adversary and threat detection, incident response, and asset fortification
- Partner and align with Product and Engineering teams to reinforce product security to drive and automate secure development practices while maintaining business needs
- Advise the CRO, executive leadership, and technical leads on security issues and threats
- Identify, track, and communicate detailed metrics indicating overall security risk factors
- Guide technical development of security tools and product features in order to reduce security risk across the company
- 15+ years of broad technology experience encompassing SaaS environments, application development, information security, incident response leadership, architecture, policy and regulation, risk and compliance, and infrastructure services, with a strong record of successfully managing information security
- 10+ years of experience building, mentoring, and managing global security teams for a cloud-based SaaS offering, and providing structure for the professional development of team members
- Experience with pre & post IPO readiness and the different stages that companies go through during that journey
- Demonstrated experience representing an organization’s information security program in presentations and discussions with customers, partners, and other external parties
- Experience implementing controls and mitigating risks related to GDPR, PCI, HIPAA and other information security and data privacy standards
- Experience implementing cloud security technologies, including encryption, network security, intrusion detection, cloud monitoring, and digital forensics
- Experience triaging and remediating organizational incidents with wide-ranging business or customer impact
- Well-versed in the rapidly evolving threat landscape with a strategic mindset to mitigate threats and an established personal network for standard methodologies and information sharing around emerging challenges in the security space
- Strong business sense with an ability to balance “business value” vs “security risk”
- Good communication skills with an ability to build strong narratives to highlight the importance of security to employees internally and customers/shareholders externally, including both technical and non-technical audiences
What we’re looking for:
ABC Company is a rapidly scaling business and we are looking for our first Chief Information Security Officer (CISO) to lead and scale our Security and IT teams. The CISO will work closely with the Senior Leadership Team to define our strategic goals for enterprise security, application security, and IT, a roadmap to achieve these goals, and work with their team and stakeholders to execute.
This is a remote-friendly position that can be located anywhere in North America.
What you will do:
- Set the vision, strategy, and roadmaps for our Security and IT programs
- Lead and scale diverse technical teams to execute on the roadmap
- Collaborate with senior Engineering, Product, Legal, Compliance, and other functional leaders to get buy-in for the strategy and roadmap
- Develop an effective strategy to assess and mitigate risk, manage incidents, maintain continuity of operations, and safeguard the company
- Prepare and report on our information security posture and status to Senior Management and the Board
- Actively mentor current and future leaders and individual contributors in your group through effective 1:1s, thoughtful feedback, career growth planning, and performance reviews
- Own compensation, team design, hiring, and retention plan for your group in alignment with company-wide policies
- Drive and influence software and infrastructure security across the organization
What skills will help you be successful:
- Bachelor’s Degree in Business, Computer Science, or other related field or equivalent experience
- 10+ years of experience in a combination of risk management, information security, and application security engineering roles
- 5+ years in a senior leadership role in security
- Demonstrated experience with Application Security, DevOps, or Cloud Security functions as a leader or in a people management role
- Experience with cloud computing technologies, especially AWS (Amazon Web Services), including the security commitments made to customers and partners
- Knowledge and understanding of relevant legal and regulatory requirements, such as HIPAA (Health Insurance Portability and Accountability Act), the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS), protection of Personally Identifiable Information (PII), Service Organization Control (SOC) reporting, and the California Consumer Privacy Act (CCPA)
- Proven track record and experience in developing information security policies and procedures, as well as successfully executing programs
- Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate security and risk-related concepts to technical and non-technical audiences
Candidate Certifications to Look For
- Certified Information Systems Security Professional (CISSP). The CISSP is offered by ISC2 and demonstrates that candidates have the skills and knowledge to effectively design, implement, and manage a best-in-class cybersecurity program. The CISSP is ideal for experienced security professionals, managers, and executives who want to prove their knowledge across a wide array of security practices and principles. To become certified, candidates must have at least five years of cumulative, paid work experience in two or more of the eight CISSP domains, such as security and risk management, cryptography-related asset security, or software development security. Holders pay an annual maintenance fee and must earn continuing professional education (CPE) credits over each three-year cycle to remain certified; the exam does not have to be retaken.
- Certified Information Security Manager (CISM). Administered by ISACA (the Information Systems Audit and Control Association), the CISM certification proves a candidate's expertise in information security governance, program development and management, incident management, and risk management. To be eligible, candidates need five or more years of experience in information security, including several years in a management role. The exam covers four domains: information security governance, risk management, program development and management, and incident management. CISM holders must earn CPE credits and pay an annual maintenance fee over each three-year cycle to maintain certification.
- Certified Information Systems Auditor (CISA). The CISA is recognized worldwide as the standard of achievement for professionals who audit, control, monitor, and assess an organization's information technology and business systems. Offered by ISACA, the CISA shows a candidate's competence in planning and executing IS audits and evaluating IT governance and controls. CISA certification requires five or more years of experience in IS/IT audit, control, assurance, or security. Topics include the information systems auditing process, governance and management of IT, systems acquisition and development, IS operations and business resilience, and protection of information assets.
Sample Interview Questions
- How would you go about training your staff in updated security procedures?
- How would you update the company’s cybersecurity policy?
- How would you handle a data security breach?
- What methods would you employ to foster a company-wide culture of security?
- How do you keep up to date on state and federal security laws?
- What resources do you use to keep up-to-date with cybersecurity threats?
- What are the principles around the use of encryption in data life cycle protection?
- Explain social engineering as if to another department leader.
- What are the biggest security concerns in using connected devices and the IoT?
- How should authentication be managed?
- Can you name three cloud-based security issues?
- Have you ever experienced a data breach? What steps did you take to contain it?
- Why is having a company-wide culture of security important?
- What are the different levels needed to classify data?
- How familiar are you with security auditing?
- How do you manage security for remote workers?
- How experienced are you in budget planning for security?
- What is a chain of custody and how do you create one?
- How important is key rotation?
- How often should security policies be revised?