Understand Variations of the CISO Role

CISO and security leadership roles are ever-evolving, and expand to cover almost every aspect of daily organizational operations, from software development to HR, accounting, and beyond. Companies need to entrust information security strategy to leaders with skillsets that complement their unique IT and organizational infrastructure. 

This piece details some emerging security leadership roles in the modern enterprise space. These roles expand upon the traditional CISO leadership roles in various ways, addressing some of the major challenges organizations face when hiring security leadership. 

CISO Role & Responsibilities

When it comes to defining their information security leadership roles, today's organizations have more options than ever before. To illustrate just how dynamic the CISO role has become, it's helpful to review the traditional responsibilities this role includes. 

• The CISO's primary responsibility is establishing and executing the organization's information security strategy. That means actively protecting current data assets and developing infrastructure to efficiently protect future assets also. 
• On a more detailed level, the CISO also handles information security compliance, develops and enforces cybersecurity policies, and leads the process of acquiring and implementing new security technologies. The role is oriented heavily towards technology, compliance, risk management and now business leadership reporting. 

READ:  What Is the Ideal CISO Reporting Structure? 

CISO Hiring Challenges

Organizations working to fill a CISO role often face looming challenges that have multiplied in recent years. 

• Enterprise-level security tech stacks are large, inefficient, and overly complicated. The average enterprise uses 75 different security tools. Many of these tools suffer rushed, ad-hoc implementations without any underlying strategy in place. Often, that's a major reason the company is now hiring a CISO. 
• The market is very competitive when searching for top qualified information security leadership and CISOs are commanding top dollars. Many employers are choosing to compromise on fewer years technical experience with less proven business leadership skills as a result. 
• When attracting potential candidates - there is a massive global shortage of qualified cybersecurity talent from which to build a security team and program. Finding and retaining an entry-level security analyst is hard enough.  
• With an ever-changing threat landscape, organizations must balance keeping the organization secure while working through the sometimes-lengthy recruiting and hiring process. 

Almost every organization’s CISO role requirements are unique and always evolving. No two organizations share the same cybersecurity risk profile, making each CISO approach completely different. In fact, the position's responsibilities can vary widely between organizations. It's not uncommon for an individual to be a star-performer at one company, only to produce lackluster results after moving to another. 

These challenges are responsible for several innovations in the CISO role itself. Modern enterprises are increasingly looking for specific variations of the CISO archetype, hoping to find an individual with the ideal fit for their needs. 

GET STARTED: CISO Compensation & Budget Benchmark Survey

Types of CISO Leadership Variations 

There is no one-size-fits-all solution to cybersecurity leadership. It’s helpful to define your organization’s CISO role fully and filter leadership candidates to attract individuals better suited to the particularities of the organization and open position itself.

Many of the defining characteristics of these variations that complement the CISO role are not set in stone. However, it is possible to draw a few broad conclusions about each, so that business leaders can better identify the security leadership role that best fits their needs: 

Chief Information Officer (CIO) 

Unlike other security roles, the CIO is not a new role. However, it does have significant overlap with the responsibilities attributed to security leadership positions. The CIO focuses on strategic planning for company-wide information technology initiatives, all of which include a cybersecurity element. 

Growing businesses are likely to hire a CIO before filling the CISO position. As a result, information security initiatives will often fall under the CIO's purview before a dedicated CISO enters the picture. For this reason, it’s vital that the CIO understands the responsibilities required for cybersecurity leadership. 

To a great degree, the success of a new CISO can depend largely on how the CIO has prepared the IT security environment for them. A security-oriented CIO can pave the way to information security excellence and smooth transition for an incoming CISO. 

Business Information Security Officer (BISO)

The BISO role has evolved in response to the distribution of IT resources throughout various lines of business. There is a growing need to embed some responsibilities of the CISO role inside the operational decision-making processes of individual business units. 

While a CISO may occupy their time developing high-level strategies that enable security performance, the BISO role is more tactical in nature. This leadership position bridges the gap between security needs and operational business performance. It can play a vital role transforming cybersecurity spend from a cost to a value-generating asset in the eyes of managers and leaders throughout the organization. 

In a large enterprise, multiple BISOs may be scattered across different business units and regional teams. In this scenario, they would report to the CISO or CIO and provide executive presence throughout the organization. 

READ: Build a Stronger Security Culture with a BISO 

Technical Information Security Officer (TISO)

The TISO specializes in developing, maintaining, and managing cybersecurity technologies and their corresponding infrastructure. In an enterprise environment, this role may include equal parts operational improvement and strategic decision-making. In both cases, the goal is to optimize the organization's security tech stack deployment to meet its long-term strategic needs. 

In most cases, the TISO reports to the CIO or CTO. It is a highly technical position that focuses on the granular details of how individual elements in the enterprise tech stack coordinate with one another. In a large enterprise with dozens of individual technologies, this can be an incredibly complex task that requires significant resources and reliable leadership. 

Deputy Chief Information Security Officer (DCISO)

The DCISO is among the newest security leadership roles currently being defined and trending in larger corporate contexts. Since the role usually focuses on operational security for individual business units, there is some degree of overlap between the BISO and the DCISO, but there are important differences as well. 

In general, the DCISO role focuses less on executing cybersecurity initiatives and more on collecting and communicating metrics to report on the success of those initiatives. Building, interpreting, and refining data is a key part of the DCISO role, often formalized in highly visual presentations with detailed performance metrics and highlighting opportunities for improvement. 

DCISOs can help security leaders maintain security emphasis throughout the organization, and keep stakeholders focused on continuous security improvement. Defining the value of cybersecurity investment through dashboards and key performance indicators helps ‘keep eyes’ on the big picture, contributing to a more successful security culture throughout the organization. 

Virtual Chief Information Security Officer (VCISO)

The VCISO role has emerged as a result of the challenges employers face finding highly qualified security leadership talent. It is particularly valuable for smaller organizations that may not have the resources (or the IT infrastructure necessary) to hire a full-time cybersecurity leader. 

In this case, a proven information security executive may work on retainer, or on a part-time consulting basis, offering insight and guidance without becoming a full-time member of the executive team. This role may also be called a "Fractional CISO" role. Some security firms even provide CISO-as-a-Service solutions that offer strategic security guidance on an as-needed, pay-as-you-go basis.  

READ:  How to Structure the Information Security Function 

How to Tailor CISO Roles to Your Organization

• Recognize that every security leadership role serves a unique purpose and business case. Not every CISO or leadership candidate is the right fit for your team! 
• Build a security leadership skillset description that's based on your organization's unique risk profile, IT infrastructure, and long-term strategy. 
• Investing in security audits and compliance initiatives will help you identify the specific challenges your organization's security leader must address. 
• Security leadership addresses both technology and culture. High-tech solutions only work if employees follow policy when using them. 
• Smaller organizations can save time and money hiring virtual security leaders on retainer, or opting for CISO-as-a-service solutions. 

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.