Just before you look at the typical roles and responsibilities of a Chief Information Security Officer (CISO) or Information Security Manger (ISM), take a moment to reflect on your own role in your organisation.

What responsibilities do you have at your organisation? Are they confined to a very specific area or are they more wide-ranging? Write down any thoughts you have.

Make a note of your responsibilities before you take a look at the typical responsibilities of a CISO below.

Diagram: Semi-circular diagram showing CISO roles: Co-ordinate information assurance;Create information assurance policies; Communicate information assurance policy;Qualify the risk appetite of the business;Monitor emerging threats and establish guidelines;Monitor and report on security measures;Create a security culture

Figure 1:CISO roles

CISO responsibilities

As technology continues to grow and expand, the role of a CISO becomes wider and more extensive, needing to address a range of different duties.

In this section, you'll look at those tasks and see why they are now essential parts of a modern CISO or ISM's remit. As mentioned, given how technology only continues to grow the expectations of the CISO will also. 

The principal responsibilities for CISO (or ISM) include:

Coordinating Information Assurance (IA) across the enterprise. This is at the core of what cyber security needs to do. It means assuring information and managing risks related to the use, processing, storage, and transmission of information. It also involves protection of the integrity, availability, authenticity, non-repudiation, and confidentiality of user data. IA deals with physical as well as data protections and includes data in transit and data at rest.
The creation of IA-related policies. The CISO needs to create policies that outline the security controls of the business. They then need to map those policies to functions within the business. The organisation will then be able to react to threats in the best possible manner. You need to put in place these policies to foster IA. You need to communicate company-wide IA policy that will co-ordinate all departments as a unified front. For example, an information specific security policy that clearly spells out that employees may not connect their personal devices to the company's network should be enough to keep employees from doing so or provide a way to discipline them if they refuse to comply.
Your duties also call for the monitoring of emerging threats and establishing guidelines for how the enterprise will respond to these.
You also need to monitor and report on the effectiveness of current security measures to senior management. This is key, given that any breaches or potential breaches affect the entire company. If the business were extremely risk averse, strict policies might lead to extremely locked down IT systems and tight human-oriented processes, but if the risk appetite is greater, then a more managed approach may evolve. The balance to be struck is always decided by the various business imperatives that the CEO imposes on you. These typically include cost, usability, and staff morale.
You are responsible for the creation of a security culture that will use security to the benefit of the business. In many ways this is one of the most important tasks and also one of the most difficult. With each member of the company using the network in some way it's critical to impart a company-wide awareness of security and its threats. Instilling a security culture is not done overnight. However, creating one will make a huge difference in the organisation's long-term protection from attacks and help mitigate against any damage sustained.

Given the number of roles and responsibilities on the CISO's shoulders it's essential that they collaborate closely with a Security working group. You’ll be looking at how important that is in the next article.

Reflection

Before moving on, think back to your current responsibilities - how do they compare to those of a CISO? How do you think the responsibilities of the CISO will grow in the future?

The role of the Information Security Manager