What is a Chief Information Security Officer (CISO)?

What is a CISO

A Chief Information Security Officer (CISO) is responsible for an organization’s data and information cybersecurity. The job primarily includes protecting these assets from threats and mitigating risks. With cyberattacks launched several times a day, the CISO’s role is an arduous one. However, because of the extensivity of cybersecurity, the CISO has numerous responsibilities. Such responsibilities include developing a security strategy, regulatory compliance, HR management, and stakeholder collaboration – among others. As cybersecurity becomes a more prevalent topic throughout organizations, the CISO’s role is expanding accordingly, and so is the need to have a cybersecurity strategy that supports the entire enterprise. Hence, CISOs are increasingly adopting a leadership role as they seek to maintain security throughout the company.

A Day in the Life of a CISO

Below is “A Day in the Life” of the beloved CISO character from our RDM series.

6:00 am – Routine and Stress Management

As the sun rises, so do I. Unlike me, cybercrime does not sleep, so I need to be up bright and early to make sure that I am on top of any potential breaches that occurred throughout the night. Knowing that I will have a busy day at the office, I make myself a healthy breakfast and cycle to work. This part of my day is more important than one would think. A Gartner study found that the top-performing CISOs are those who can better manage stress both in and out of the workplace. With such a demanding job (as you will read), it is essential that I take time out of my day to do activities that will alleviate any stresses. My morning commute is one of these activities.

8:00 am

I arrive at the office, and the first thing I do is check up on the organization’s security. Using various software deployed within the infrastructure, I can obtain a real-time analysis of any immediate threats. None to report today, thankfully.

8:15 am – Continuous Monitoring and Threat Assessment

Just because there is nothing to report today, that does not mean that we are safe. A large part of my job is to keep on top of evolving security threats which can arise from a range of sources; from new attack methods used by cybercriminals to engaging with new suppliers, the attack surface is always changing. Of course, monitoring every potential attack vector is almost impossible to do on my own. Therefore, I use security software solutions to automate the process. These solutions continuously monitor and manage the organization’s attack surface; updating whenever there is a change to the environment. I also make use of threat intelligence databases. Such databases keep me updated with the malicious tools and techniques used by bad actors.

8:45 am – Incident Response and Investigation

After covering the basics, I turn my attention to a cyber breach that was detected last week. Being the CISO means that any such incident is my responsibility to mitigate and investigate. When an incident is first identified, there must be immediate action to stop the attack. Following on from this is an investigation which ultimately determines what went wrong and why. Today I am doing one of these investigations. It can be a very tiresome task depending on the extent of the breach. However, this is a necessary part of the process as it helps me develop, and implement, long-term measures that will prevent a repeat of a similar crisis.

11:00 am – Stakeholder Engagement and Communication

I now have a meeting with the CEO and CFO in which I will present them with the various vulnerabilities within the organization. Both key players are more concerned with the financial aspects of the organization than those relating to cybersecurity. Cybersecurity can be a large financial investment that seems unnecessary to non-IT departments, and I need to gain approval for such investments from the organization’s key decision-makers. Hence, this meeting is an opportunity to increase their prioritization of cybersecurity. To do this, I will highlight how the cyber risks will decrease the enterprise’s profitability and potential growth if not dealt with in a timely and effective manner.

12:00 pm

Before lunch, I have a meeting with the CMO. Although marketing might not seem relevant to my job description, a strong cybersecurity posture is increasingly becoming a selling point to consumers. Research conducted by BT Security found that two-thirds of consumers consider an organization’s security measures when deciding who to buy from (trust center). Hence, my job indirectly covers brand perception. To improve this perception, I need to implement additional security measures; and support from the marketing team will make this process smoother. This meeting will highlight the advantages that increased security measures will bring to the marketing department. In doing so, I hope to gain their support and educate the CMO on how to use our current security posture as a selling point.

1:00 pm

After a long yet successful meeting, I take my lunch break and sit in the park to eat my meal. This is another one of my daily activities that reduce the stress that comes with the job. Hence, I take this break as a full hour to take some time away from work and refuel.

2:00 pm – Employee Training and Awareness

The next couple of hours are dedicated to training and educating staff in all departments, ensuring that cybersecurity is on everyone’s mind – not just those of the IT department. Educational activities are part of a process to improve all staff members’ approach to cybersecurity. The aim is to increase their awareness of the risks and teach them how they can take action to reduce the organization’s vulnerabilities. Enhanced knowledge of risks and threats is a simple way to prevent data loss and fraud stemming from human errors. Effective training will also enhance the overall cybersecurity hygiene of the organization at the human level (Employees Role in CyberSecurity).

4:00 pm – Regulatory Compliance and Strategy Development

As part of the more tedious tasks that my job entails, I need to fully understand various privacy regulations and frameworks that impact an organization’s cybersecurity approach such as GDPR, CMMC and CCPA. It is my responsibility to establish a cybersecurity strategy that details our cybersecurity approach. This plan, however, needs to comply with the relevant cybersecurity regulations and frameworks. Even more confusing is that many of these regulations are ambiguous and contradictory. But I use this hour and a half to improve my understanding.

5:30 pm – Organization Cybersecurity Strategy

I now continue my work on the aforementioned strategy that I have been working on for a while. The aim is to lay out how the organization can mitigate risks and improve its approach to cybersecurity in the future, and includes the current practices that are in effect. My earlier meetings and discussions with key stakeholders highlighted their goals for the organization, while my engagement with the various departments outside of IT provides clarity of their different functions. With this in mind, I can develop a comprehensive strategy that applies to the entire organization and the ranging goals, while ultimately improving our cybersecurity posture.

Included in the strategy are the security software solutions in place, and those that still need implementation. Additionally, the plan will set out the practices required to improve the organization’s cybersecurity posture. This includes identity and access management policies to ensure that only those who need access to restricted data are granted with such privileges. My responsibility to investigate any and all cyber incidents is another source of information; the lessons learned from an investigation are implemented into the plan. Furthermore, the plan needs to comply with the various legislations that impact cybersecurity efforts. As an intricate project, formulating the plan requires time and effort, so I have a team helping me. Delegating tasks is another common practice of successful CISOs as it reduces the unnecessary workload.

7:00 pm – Research and Technology Evaluation

I spend the last thirty minutes at the office doing research. As mentioned, the cybersecurity strategy that my team and I are developing will include a list of security software that needs to be acquired that will cover the entire IT infrastructure. To know which security software will be beneficial to our organization, I spend time researching various offers on the market and compare them to the data I have on the evolving attack surface. For example, I know that cybercriminals are more frequently deploying hardware attack tools, so I will be on high alert for security software solutions that offer mitigation against hardware attacks.

7:30 pm – Work-Life Balance and Responsibility

After a long day, I shut down my computer and leave the office. Although I try to leave work at work, my job title means I am responsible for a department that never sleeps. However, I sleep well at night knowing that I have done a good enough job. Moreover, that, should a perpetrator manage to exploit a vulnerability, I have deployed the relevant measures to ensure that the organization can defend itself until I arrive at the office in the morning.
See also Chief Information Security Officer (CISO) – Part 2.

February 22nd, 2021