
3 Critical CISO Roles & Responsibilities

Melissa Stevens | June 28, 2016

A chief information security officer (CISO) is a senior-level executive who wears many hats in the realm of cybersecurity—but is primarily responsible for translating complex business problems into effective information security controls. 

You may have heard the well-known (and oft-repeated) triad of information security:
“Confidentiality, integrity, and availability,” or “CIA.”

  • Confidentiality takes into account what a company needs to do to ensure sensitive data and information stays private.
  • Integrity is focused on the life cycle of the data and ensuring that it is always accurate.
  • Availability means that your hardware and software systems have constant uptime and that everything is maintained properly.

CISOs are both problem solvers and leaders, are heavily involved in all angles of this triad, and are responsible for building out the full information security program. Below, we’ve detailed three critical CISO roles and responsibilities:

1. Risk & Compliance

A chief information security officer is concerned with how information security affects legal requirements and is therefore responsible for ensuring that the organization is in compliance with both internal and external policies. For example, is our organization in compliance with HIPAA or PCI? A CISO writes (and adjusts) policies based on new rules or compliance requirements.

CISOs build out full-fledged vendor risk monitoring programs in addition to internal monitoring programs to ensure that the information security controls set in place are functioning as they are meant to.


2. Technical Operations

A CISO of any organization will be regularly involved in running vulnerability scans, penetration tests, and web application security assessments—among other technical operations. In this role, they’re checking to ensure that the software and hardware configurations in their organization and their vendors’ organizations are compliant with company and regulatory standards.


3. Internal & Vendor Communication

A CISO also functions as a link between various departments at a company, and all of its third parties (insofar as cybersecurity is concerned). They don’t just manage the information security team—they have their hand in many different teams. Therefore, they need to have good relationships and visibility at all times into each vendor or department they work with.

A CISO will constantly check in with his or her team members, seeing both how they’re solving any information security issues and if there’s any level of risk that has recently come up that needs to be addressed. Increasingly, a CISO is also responsible for reporting cybersecurity to the board of directors.


CISO Roles & Responsibilities, In Summary

Chief information security officers know they can’t simply take security, privacy, and risk and boil them down to a simple, standard formula. Every organization is different. Accordingly, CISOs can’t put security controls in place just for the sake of having security controls. Instead, they must have their finger on the pulse of their organization so they can completely understand the unique business problems they face and solve them appropriately. A CISO is charged with building the best vehicle to support the organization’s information security challenges from top to bottom.

This is a vital role in today’s security landscape, and it isn’t without its challenges. But for an individual who wants to take large risks and boil them down to technical and legal controls in order to keep a company safe and secure, it’s also extremely rewarding.
