HOW TO BECOME A CISO (CHIEF INFORMATION SECURITY OFFICER)


What is a CISO?

A Chief Information Security Officer (CISO) is a security professional who has reached the pinnacle of their profession. They lead the cyber security operations of an organization and must communicate cyber security risk to other C-level executives and stakeholders. The path to becoming a CISO is not an easy one, but it is one that you can tackle if you are patient and determined—and willing to be a lifelong learner.

What does a CISO do?

A CISO has many responsibilities which vary depending on the employer and their particular security needs. Typically, CISOs oversee all of the security policies and procedures for an organization. They are current with the latest trends and technologies in cyber security—including new software—as well as how modern cybercriminals are behaving. 

Depending upon the size of your organization, you might work alongside the Chief Information Officer (CIO), who coordinates the general IT functions of the corporation, and, if the organization has one, the Data Protection Officer.

CISOs must know how their company's decisions are made so that they can provide input from a security standpoint. For instance, various web browsers or online tools might pose certain threats and security risks. When a CISO is aware of the software needs of the organization to satisfy business goals, they can factor that into their decisions regarding firewall technology, network security and database integrity.

CISO job description

Every CISO's job description varies slightly, but in general, CISO roles and responsibilities include the following job duties:

Develop and implement security protocols to prevent, mitigate and resolve cyber security attacks

Develop and implement cyber security training for both the security team and employees at large

Perform ongoing assessments of the organization's security procedures, strategies and frameworks to identify upgrades or improvements

Communicate to other C-suite executives how cyber security operations factor into the organization's business goals and risks

Evaluate budgets to determine and justify the cost of cyber security upgrades

Manage and direct the organization's technology personnel in matters that pertain to cyber security

Report on the status of cyber security operations to supervisors and executive teammates, such as the Chief Executive Officer (CEO), Chief Financial Officer (CFO), a Board of Directors and more

Manage cyber governance, risk and compliance (GRC) processes

"CISOs are the leader of the cyber security organization and the experts within it, tasked to develop and articulate the business case for the necessary resources to strengthen the organization (which includes the people, processes and technology) with the objective to minimize cyber-risk exposure and to mitigate the potential impact of a cyber event that may occur, thus enabling the organization to continue critical operations in order to achieve its strategic objectives to benefit key stakeholders," said David Ulicne, Executive Director of Executive Education at Carnegie Mellon University's Heinz College. "Considering the escalating cyber-threat landscape, CISOs should be viewed and valued like any other corporate executive in level of strategic and operational importance to the organization."


Required skills for CISOs

The role and job scope of the CISO can change rather significantly from company to company depending on that organization's size, security needs, products and more. It's difficult, therefore, to make a comprehensive list of all the skills you need to be a successful CISO that applies to CISOs everywhere. If you are considering climbing the corporate ladder to the CISO position, honing these skills is a great place to start:

Technical skills:

  • Familiar with leading cyber security standards from the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO)
  • Advanced knowledge of network security and best practices
  • Remain up to date with emerging trends in technology and cyber security, such as artificial intelligence (AI)
  • Knowledge of cloud and application security
  • Ability to design, implement and continually improve cyber security protocols and procedures for an organization

Soft skills:

  • Business acumen and knowledge of high-level business operations
  • Ability to communicate effectively and transform technological concepts into the business language that other C-suite executives understand
  • Strong management and leadership skills
  • Ability to negotiate and advocate for the cyber security needs of an organization
  • Ability to stay calm under pressure and respond swiftly to any cyber security breaches

"To be effective, CISOs need to be excellent communicators to gain influence in the organization and get stakeholders on-board with their strategy. CISOs also need to have a solid business and financial acumen so they can develop a strategy that integrates and supports the overall strategy of the organization, while being good stewards of the resources in the implementation of this strategy," Ulicne said. "Finally, CISOs need to be resilient to be able to handle the cyber events of any given day, and to assist the organization through a difficult process to respond, recover from incidents that will likely occur on their watch."

CISO vs CIO: Know the difference

A CISO is chiefly concerned with the security of the computer systems and databases in a corporation. The Chief Information Officer (CIO) on the other hand, works with the general technical issues that face the company. For example, the CIO might work with a budget for new desktop computers or for a new software upgrade. They might also help coordinate how the IT department operates the network and installs new hardware.


The CISO comes into the IT picture with a single focus—security. While they need to be fully aware of all the systems in play in their corporation, they assess all of those purchases and roll-outs in the context of security. CISOs make sure that network upgrades proceed without disabling the necessary security software, or they might know how to best take databases offline while the IT department installs new server software.

When the CIO and CISO work in tandem, the business operations of a company can maintain maximum safety and efficiency.

The path to becoming a CISO

The journey to becoming a CISO is as varied as they come—take a look at the resumes of CISOs everywhere and you'd find a diverse range of backgrounds in a variety of industries that all lead to the CISO role.

There do tend to be some commonalities though which can be helpful to identify for aspiring CISOs wondering where to begin. In general, the path to becoming a CISO begins with a solid education in information technology/security followed by years of experience in the IT/IS field, including substantial experience as a manager and team leader. To supplement their experience, many CISOs also possess various IT/IS certifications.

"For CISOs to be successful, a blend of technology/domain skills, business fundamentals and leadership training is recommended. This training and education could come from traditional degree programs (bachelor's/master's degrees in a tech and/or business discipline), skills training in specific technical areas from leading industry/certification providers (ex. SANS Institute) and also certificate programs designed to prepare experienced professionals for the role," Ulicne said. For example, Carnegie Mellon University's Heinz College, of which Ulicne is the Executive Director of Executive Education, has a CISO certificate program.

Education requirements

While it's possible for someone with a bachelor's degree related to cyber security and a lot of experience to climb the corporate ladder to the CISO position, more often than not you will need additional degrees and certifications.

Many CISO positions require or strongly prefer CISOs to have a master's degree such as a Master of Business Administration (MBA) or a master's degree in cyber security or a related field. A master's degree is great for not only advancing your technical skills but also refining the soft skills that are essential to succeed as a CISO, such as leadership, managerial and communication skills. Some people go straight to a master's degree after their undergraduate education, but many professionals get some working experience before returning to school to get an advanced degree.

Certifications

Certifications are also essential for practically any cyber security or technology role, and the same is true for CISOs. Certifications demonstrate a level of expertise and validate industry-specific skills after several years of experience. The types of security certifications that a given employer may require their CISO to have depend on the organization and their particular needs. At any rate, there are many certifications out there that could benefit any prospective CISO, including:

Career paths leading to a CISO 

Following their education, it's common for cyber security professionals to get their feet wet in the cyber security world with an entry-level security and/or technology position. Following several years of experience in these early career roles, professionals tend to move on to more niche positions based on their particular expertise. It's also at this time that some people may choose to obtain a certification to back up the experience they've acquired so far. Later, it's essential that any future CISO get experience managing and leading a team. Here's a sample of some of the career paths a CISO may take on their way to the C-suite:

Early career jobs to get exposure to the industry:

Mid-level jobs to help hone your experience:

Senior-level jobs to get experience leading a team:

"CISOs typically ascend from a front-line operational leadership role, whether a director and/or manager of incident response, security operations, cyber risk management, cyber threat intelligence, or other technical cyber security roles," Ulicne said. "Some CISOs also have career paths in general information technology roles you would see as part of the CIO organization."

If you're interested in learning from real-world CISOs how they climbed the corporate ladder, check out Cisco's Journey of a CISO video series where they sit down with current CISOs and discuss their career, including how they got their start and what kinds of jobs led them to the CISO role.

Similar jobs to CISO

The CISO may be the ultimate role to many in the computer security field, but there are other similar jobs that can carry equivalent status, salary and responsibility. The CIO position, for instance, is highly prized by many in the corporate world and operates at the same C-level as a CISO in most corporate structures. 

The difference is that the CIO is more concerned with the day-to-day and long-term business operations of a company. For example, they might be in charge of determining what new software should be rolled out to handle the company's email, word processing and corporate presentations. The CIO would work with the CISO to ensure that software and installations are secure and don't compromise the corporation's security in any way.

Note: Some corporations may use the term Chief Security Officer (CSO), which is virtually the same job as CISO. It's important to understand however that different companies will have their own unique needs and expectations for a CISO or CSO.

Another C-suite executive with similarities to the CISO is the Chief Technology Officer (CTO). These professionals oversee the technological aspects of the company with more of a focus on external technological products rather than the internal security of the company.

There are also several other cyber security management positions out there that don't quite reach the level of responsibility of a CISO but which are still paramount to protecting the digital safety of an organization. Security directors, for example, oversee the security operations of an organization, including investigating security breaches, creating security protocols and managing the cyber security team. Security architects are also experienced cyber security professionals that design the computer systems and network infrastructure for an organization. Both of these positions may report to the CISO, or if the company is not large enough to have a CISO, they may be the top security professionals within their particular organization.

CISO salary and job outlook

Every corporation organizes its compensation structure differently, and that is even truer at the top. When you seek a CISO position, you may be involved in a lengthy negotiation process in which aspects of compensation such as company cars, moving allowance, health insurance, bonus structure, stock option plans and base salary are on the table. Here you can leverage your education and experience to command the best compensation package possible.

According to the 2022 Occupational Employment and Wage Statistics from the U.S. Bureau of Labor Statistics (BLS), the median annual salary for computer and information systems managers is $164,070, while those in the upper 25% of the profession earned $207,850 or more annually. Keep in mind that many people who command higher cyber security salaries may also live and work in more expensive regions, such as San Francisco, the San Jose/Sunnyvale area, New York City, Seattle and Washington DC, which are known for higher costs of living. That being said, even the bottom-earning 10% of this category of professionals still made $97,430.

The BLS also estimates that the employment of computer and information systems managers will increase 15.4% through 2032, much faster than the average across all occupations. The BLS attributes this rapid job growth to the need for competent cyber security professionals that can keep up with ever-evolving technology and, in turn, the evolution of cybercrime.

Computer and Information Systems Managers

National data

Median Salary: $164,070

Projected job growth: 15.4%

10th Percentile: $97,430

25th Percentile: $127,180

75th Percentile: $207,850

90th Percentile: N/A

State data

State Median Salary Bottom 10% Top 10%
Alabama $127,150 $72,940 $198,550
Alaska $127,430 $83,630 $174,130
Arizona $151,490 $89,980 $222,190
Arkansas $108,560 $66,190 $170,580
California $198,950 $111,020 N/A
Colorado $168,800 $117,380 N/A
Connecticut $149,150 $97,820 $216,170
Delaware $206,550 $123,880 $231,190
District of Columbia $175,880 $126,470 N/A
Florida $145,000 $93,690 $222,470
Georgia $165,890 $100,480 N/A
Hawaii $128,210 $79,980 $178,240
Idaho $120,650 $74,870 $186,160
Illinois $159,100 $96,510 $228,460
Indiana $126,030 $76,490 $174,150
Iowa $129,450 $83,750 $174,760
Kansas $133,290 $83,020 $202,540
Kentucky $121,170 $74,750 $178,840
Louisiana $121,760 $73,640 $185,570
Maine $133,020 $91,210 $211,810
Maryland $165,360 $101,520 $224,990
Massachusetts $167,950 $105,590 N/A
Michigan $133,740 $89,310 $212,770
Minnesota $158,280 $99,500 $214,180
Mississippi $102,710 $62,010 $167,420
Missouri $133,670 $80,600 $204,810
Montana $103,340 $78,990 $187,130
Nebraska $123,940 $79,790 $170,820
Nevada $109,430 $71,870 $182,790
New Hampshire $152,990 $98,800 $220,470
New Jersey $177,010 $130,100 N/A
New Mexico $126,740 $79,920 $180,650
New York $197,860 $122,420 N/A
North Carolina $152,400 $98,020 $221,710
North Dakota $126,930 $85,990 $176,480
Ohio $138,210 $85,500 $218,170
Oklahoma $124,430 $74,980 $186,450
Oregon $140,310 $86,630 $216,130
Pennsylvania $149,980 $97,240 $212,430
Rhode Island $156,000 $113,760 $220,590
South Carolina $131,500 $81,480 $210,820
South Dakota $154,650 $108,730 $205,500
Tennessee $128,720 $80,210 $208,550
Texas $155,590 $89,890 $215,470
Utah $137,510 $84,600 $214,660
Vermont $126,500 $77,090 $230,980
Virginia $172,760 $107,290 N/A
Washington $174,680 $121,510 N/A
West Virginia $133,920 $82,410 $203,730
Wisconsin $136,250 $98,600 $206,270
Wyoming $102,200 $76,710 $220,000

Source: U.S. Bureau of Labor Statistics (BLS) 2022 median salary; projected job growth through 2032. Actual salaries vary depending on location, level of education, years of experience, work environment, and other factors. Salaries may differ even more for those who are self-employed or work part time.

Challenges faced by CISOs

The challenges that a CISO may encounter in their career are as varied as the types of organizations they may work for.

"The CISO role can be both very rewarding (from a compensation perspective), but also very stressful due to the dynamic threat landscape," Ulicne said. "Although cyber security budgets have increased over the years, some sectors are still underfunded which creates a challenging environment for CISOs to be effective in their roles. CISOs need to be well versed on risk management best practices, which helps them prioritize where to place the resources necessary to mitigate the highest levels of cyber risk faced by the organization."

In Cisco's Journey of a CISO video series, Diego Souza, CISO of Cummins, said that one of the biggest challenges CISOs are facing today has to do with a shift in job scope. Traditionally, CISOs have been expected to focus solely on leading the cyber security measures of an organization. While that is still true to some extent, Souza said that the CISO role has changed a bit in recent years. Nowadays, CISOs are as much a part of the high-level business-centric conversations—and decisions—as other C-suite executives. That means that CISOs must be prepared to communicate regularly with the company's leadership and explain how cyber security impacts other aspects of the business, particularly business risk. As a result, CISOs should have a sufficient business acumen to complement their technical skills.


Another new challenge that has emerged in the last few years is the security risk posed by remote work. In 2020, the COVID-19 pandemic forced employees to work from home practically overnight. This created new attack surfaces for cybercriminals to capitalize on, including the fact that many employees were using personal devices for work. In addition, being able to work practically anywhere can be risky if the network someone is using isn't secure. Virtual private networks (VPNs) were quickly set up as one way to address this issue. A VPN protects traffic in transit and brings the remote device onto the corporate network, but it says nothing about the state of that device: a compromised personal laptop connected over VPN is now inside the perimeter. That limitation is one reason the zero trust approach discussed below has gained ground. These and other consequences of hybrid and remote work—which by most estimates is here to stay—mean new security challenges that CISOs must be prepared for.

Best practices for CISOs

The cyber security needs of every organization are going to be a little different. The best practices for success, therefore, are going to vary, too. CISOs should always begin with a foundational understanding of the cyber security standards set forth by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO).

One example of an emerging best practice for organizations (and therefore CISOs) is adopting a zero trust architecture (ZTA). Zero trust means that no user, device or connection is trusted by default because of where it sits on the network: each request for access to a resource is authenticated and authorized on its own merits (who is asking, from what device, in what state, for what action), and that decision is re-evaluated continually rather than granted once at the start of a session. "Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise-owned network boundary," according to NIST SP 800-207.
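To make the zero trust idea (and the VPN limitation noted in the remote-work paragraph above) concrete, here is an added example, written for this page and not code from the article, NIST SP 800-207 or Carnegie Mellon, of a minimal policy decision point. It decides each request on identity, entitlement and device posture; whether the request arrives from the corporate LAN is recorded but never consulted. The users (alice, bob), roles, resources (payroll-db, wiki) and posture attributes are constructed for illustration.

```python
# Added example (not code from the article or NIST): a minimal zero-trust
# policy decision point. Every access request is judged on identity,
# entitlement and device posture; network location is deliberately ignored.
# Users, roles, resources and posture attributes are constructed samples.
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    action: str
    mfa_verified: bool          # session completed strong authentication
    device_managed: bool        # device enrolled in the org's management tooling
    device_patched: bool        # latest posture check passed
    on_corporate_network: bool  # recorded, but decide() never reads it


# Constructed directory: which roles each user holds.
ROLES = {"alice": {"finance"}, "bob": {"engineering"}}

# Constructed policy: per resource, the entitled roles, permitted actions,
# and whether a managed, patched device is required.
POLICY = {
    "payroll-db": {"roles": {"finance"}, "actions": {"read", "write"}, "managed_device": True},
    "wiki": {"roles": {"finance", "engineering"}, "actions": {"read"}, "managed_device": False},
}


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason) for one request.

    Called on every request rather than once per session, so a device that
    falls out of compliance mid-session is denied on its next request.
    """
    if not req.mfa_verified:
        return False, "identity not strongly authenticated"
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "unknown resource"
    if not ROLES.get(req.user, set()) & rule["roles"]:
        return False, "role not entitled"
    if req.action not in rule["actions"]:
        return False, "action not permitted"
    if rule["managed_device"] and not (req.device_managed and req.device_patched):
        return False, "device posture insufficient"
    # Note what is absent: no check of req.on_corporate_network.
    return True, "allow"


def evaluate_samples() -> dict[str, tuple[bool, str]]:
    """Constructed requests showing that being on the LAN buys nothing."""
    samples = {
        "office LAN, no MFA": AccessRequest("alice", "payroll-db", "read", False, True, True, True),
        "coffee shop, MFA, managed laptop": AccessRequest("alice", "payroll-db", "write", True, True, True, False),
        "engineer reads payroll": AccessRequest("bob", "payroll-db", "read", True, True, True, True),
        "finance, MFA, personal laptop, payroll": AccessRequest("alice", "payroll-db", "read", True, False, False, False),
        "finance, MFA, personal laptop, wiki": AccessRequest("alice", "wiki", "read", True, False, False, False),
    }
    return {name: decide(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in evaluate_samples().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}: {reason}")
```

The first sample is the one a perimeter model gets wrong: a request from the office network with no strong authentication is denied, while the same user from a coffee shop on a managed, patched laptop is allowed. A real deployment would pull the identity, role and posture signals from an identity provider and endpoint management tooling instead of the constructed dictionaries here.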

"Fostering a culture of security awareness is paramount to the success of the CISO role, in addition to driving cyber-hygiene best practices throughout the organization," Ulicne said. "Developing public-private partnerships with organizations like the FBI Cyber Division or DHS CISA will help the CISO better understand the evolving threat landscape, and to gain access to resources to assist if a cyber event would occur in their organization."

One particularly significant change in the cyber security today is the advancement of artificial intelligence (AI). AI refers to the science of simulating human intelligence within machines and programs. AI tools have made tremendous strides in the last few years, which poses a unique problem—it can be as helpful to cyber security professionals as it is to the cybercriminals they are trying to thwart.

AI can be advantageous to a CISO's cyber security efforts in a few ways:

  • It has the potential to detect genuine attacks more accurately than manual triage, producing fewer false positives.
  • AI can rapidly analyze huge amounts of incident-related data, assisting cyber professionals in quickly containing a given threat.
  • AI can be used to simulate attacks and identify vulnerabilities and weaknesses in a security system.

However, AI can also lead to new cyber security threats:

  • Advancements in AI-generated audio and visual content means it's easier to create believable deepfakes to scam people.
  • As AI's ability to simulate human intelligence continues to improve, cybercriminals can use AI to implement more convincing social engineering schemes such as phishing.
  • Cybercriminals can use the power of AI's algorithms to guess passwords more efficiently.

Another prominent cyber security trend right now is the increased demand for cloud-based services and security, especially as more people work remotely. Unfortunately, cloud services are also a common target for attackers. In EC-Council's 2023 Certified CISO Hall of Fame Report, cloud security was identified as the top concern among the 281 C-suite information security leaders that they surveyed.

Aspiring CISOs must stay current with modern advances in technologies such as AI and cloud services, if they want to be successful. Networking with other cyber security professionals and attending industry events such as annual conferences is a must for staying in the know. 

CISO leaders and resources

One of the best ways to set yourself up for success in any role is to find leaders that do the job well. By identifying who you admire within the field, you can begin to learn from their successes and get inspiration for your own career journey. There are tons of successful current and former CISOs out there—you might begin your search by checking out Secureframe's list of influential CISOs and cyber security leaders in 2023, which includes people like Alissa Abdullah, the Deputy Chief Security Officer for Mastercard and former Deputy Chief Information Officer for the Executive Office of the President.

Other notable names on their list include Geoff Belknap, CISO at LinkedIn who holds multiple patents for various information security innovations, and Mary Ann Davidson, CISO for the Oracle Corporation and a member of the CSIS Commission on Cyber Security for the 44th Presidency.

For more resources and conversations with leading CISOs, don't miss some of these invaluable CISO networks:

CISO Magazine is a publication from EC-Council for cyber security professionals that provides stories, trends, interviews and news from around the cyber security world.

Cisco's CISO Connections is an online hub of resources for CISOs, including curated articles, interviews with CISOs, podcasts and more.

Evanta's CISO Communities is a global CISO network that also hosts a Global CISO Executive Summit annually.

Final say

The ascension to the CISO role is a journey that takes years and years of experience in the cyber security field. As such, CISOs are tasked with the tremendous responsibility of protecting their organization's digital information and working with other executives to make business decisions that reduce their company's cyber security risk. If you think you have what it takes to succeed in this role, use our search feature to find schools and programs to set your cyber security career in motion.

Updated: August 18, 2023


Written and reported by:

Kendall Upton

Staff Writer

With professional insights from:

David E. Ulicne, Executive Director of Executive Education

Carnegie Mellon University's Heinz College
