What is the difference?

The roles of CIO (Chief Information Officer) and CISO (Chief Information Security Officer) are often confused because in many organizations the two perform overlapping sets of tasks.

In many Russian companies, IT directors take on some or, depending on the size of the organization, all of the responsibilities for ensuring information security. This is because organizations often lack the budget to hire a separate CISO. Besides, information security in companies often grows out of ordinary IT, so it is natural for the CIO to manage everything related to information technology, including information security.

If, however, the CIO and CISO are different people, then as a rule the CIO has more work experience: the CIO develops and implements the entire IT strategy, supervises all IT personnel, and manages budgets. This means taking responsibility for all software, hardware and infrastructure, including hardware and software updates, network optimization, and general data management. The CIO is thus the more responsible position, with more attention paid to the business as a whole.

There is also the original CSO (Chief Security Officer) job description, still used in many organizations, which covers the security of both physical and digital assets. This may include controlling access to corporate websites, monitoring, and liaising with law enforcement and external business partners, as well as managing the security staff. In some cases, the CSO's responsibilities also extend to the physical safety of employees, for example in factories or banks, including security procedures and emergency response plans.

Thus, in addition to the CIO and CISO, the CSO and the CEO of the organization are also involved to one degree or another in the process of ensuring information security.

Necessary skills and qualifications

A CISO needs a wide range of knowledge and skills. Since this is a management position, leadership, communication, and strategic thinking are a must. In addition, the CISO definitely needs prior experience as a hands-on information security specialist.

In many Western companies, the idea of the "effective manager" is quite popular: roughly speaking, a professional manager who, without ever having worked in hands-on line positions, immediately began to manage something. Perhaps in some industries such an approach works, but both the CISO and the CIO must have technical experience in order to understand the specifics of information security and of IT systems in general. This work therefore requires a high level of technical knowledge.

As for education, a CISO must have a degree in computer science, information technology, engineering, or cybersecurity. Specializing in information security at university is not required: one can obtain a higher technical education and then take state-recognized professional development courses in information security.

In addition, CISOs typically have other certifications, such as an information systems security specialist certification, an information security manager certification, or a cybersecurity analyst certification. CISOs must also stay current on new threats and technical developments in information security.

Why is it important to have a CISO in a company?

All companies, from the largest to the smallest, need someone to keep an eye on the security of their data. However, the size of the organization usually determines how many employees can be assigned to security functions and, therefore, whether it can afford a dedicated specialist in the role.

If the budget allows hiring both a CIO and a CISO, it is important to correctly divide responsibilities between IT management and information security management. The information security manager should report directly to the CEO. It is undesirable for the CISO to report to the CIO, or to be significantly dependent on the CIO in any other way.

For the information security service to protect IT systems effectively, it must, to a certain extent, monitor the actions of IT specialists, that is, engineers and administrators. As a rule, security specialists have their own server infrastructure, located in a separate server room. For these reasons, among others, the CISO and CIO should not be subordinate to each other.

In the West, smaller companies that cannot afford to hire a CISO are encouraged to engage a vCISO (virtual CISO): an external consultant or consulting firm that works for the company part-time. The benefit is that the vCISO is likely to have a higher level of expertise than the company could otherwise afford. Some types of organizations need a dedicated CISO more than others: for example, those that handle large amounts of data, or those where the legal and reputational consequences of a breach would be particularly severe.

In Russia, however, such outsourcing is rare, since our managers and business owners are reluctant to let outside specialists and organizations in on corporate secrets.

How to become a CISO

From the description of the information security manager's responsibilities above, we can draw some conclusions about the requirements for such specialists: specialized education and relevant certificates, as well as practical experience as an information security specialist.

It is important to understand, however, that this is just the beginning: the CISO role is far from an entry-level position. Most people moving into this role have five to ten years of experience in other IT roles, whether as a security analyst, security engineer, network administrator, or network architect. Some management experience is also required. This could mean working as a cybersecurity manager, security director, or security administrator, or even as a deputy CIO in a large enough organization. Aspiring CISOs should aim to gain as broad an experience as possible, from governance and compliance to incident management. Naturally, CISO roles are easier to obtain in smaller organizations.

The Future of CISO Jobs

Over the decades, the role of the CISO has steadily grown in importance as cybersecurity threats have spread. At the same time, privacy and data security regulations have become increasingly stringent. In Russia, a number of legislative acts regulate various areas of information security, first of all Federal Law No. 152 On Personal Data and Federal Law No. 187 On the Protection of Critical Information Infrastructure.

As a result, CISOs now work more directly with the CEO, take on a broader scope and increased responsibility, and focus more on strategy. According to a Gartner survey, nearly nine out of ten boards view cybersecurity as a business risk rather than a technology risk. Meanwhile, new technologies such as the cloud, artificial intelligence, and the Internet of Things continually introduce new threats and therefore require new strategies to counter them. The shift to remote work has created further challenges. And the consequences of security failures keep growing as well, especially given the increasing prevalence of ransomware attacks.

Therefore, the CISO must be prepared to respond quickly to new challenges from attackers.

Conclusion

In summary, the CISO is responsible for all aspects of an organization's information security policy, and the role requires a broad range of technical and managerial skills. As the threat landscape continues to expand, its importance is constantly increasing. The CIO has a broader range of responsibilities than the CISO, since the CIO is responsible for all IT services in the organization, not just security, and is thus the organization's chief IT officer.

In conclusion, we invite you to the upcoming open lessons, which will be held as part of the course “CISO / Chief Information Security Officer”:
