October 31, 2019

Last Updated on January 14, 2024

The role of the CISO (Chief Information Security Officer) is to build and maintain his or her company’s security vision, strategy and program to ensure information assets and technologies are adequately protected.
Due to the ever-greater scope and intensity of cybersecurity threats and compliance mandates, the role of the CISO is expanding. It is clearly a senior-level position that involves leadership, strategic vision, technical savvy and program planning skills. But often the reporting relationship between the CISO and the CIO or CTO makes the CISO an “influencer” rather than an “enforcer” with ultimate organizational authority.
In my experience, the CISO role can be among the most multidimensional roles in an organization, with responsibilities encompassing everything from security governance to cyber risk management to disaster recovery to access controls to data loss and fraud prevention to incident investigation.

Consider this: A CIO focuses on systems and information from a specifically functional standpoint. A CFO focuses on the aspects of the organization that have to do with money. But to drive an information security program, a CISO needs an overarching view of all of that and more—basically “everything” the organization is doing and how it is interrelated—so he or she can figure out how best to protect all of it.
I see the role of a CISO as a lot like playing the classic strategy board game “Risk.” The globe on the board corresponds to your organizational landscape. You’re constantly moving pieces around to respond to threats, just like a CISO is constantly procuring, allocating and reallocating resources in response to dynamic internal and external risks, as well as to changing business processes and drivers.
Yes, sometimes the CISO role includes tactical, roll-up-your-sleeves information security manager kinds of activities. But fundamentally the CISO is a strategist who is looking to get the maximum security and protection from the available time, money and effort.
Of course, as with a board game, chance and the roll of the dice can influence outcomes. But a solid strategy and battle plan generally trumps lucky cards and dice rolls, just as a sound security strategy beats relying on luck or on the real-world “security through obscurity” approach.
How does the vCISO role compare to the role of the CISO? Basically, the two require an equally broad and deep skill set, and both relate similarly to other senior management. The differences between vCISO and CISO really have more to do with the greater flexibility, lower cost and reduced business risk associated with outsourcing than with roles and responsibilities.
Contact Pivot Point Security to find out more about the advantages of our three-tier vCISO service offering, including how you can customize it even further to precisely meet your evolving needs for information security strategy, governance and execution.
For more information on this topic, check out this free white paper from SANS Institute on The Roles and Responsibilities of the CISO.