So you want to be a CISO?

The chief information security officer role has evolved greatly over recent years. Are you up for the challenge?

Today’s growing and ever-changing cybersecurity threat and the increasingly mobile and open enterprise have greatly changed the role of the chief information security officer (CISO). No longer a function mostly limited within the IT and security realm, today’s CISO will find himself or herself working within an expanded set of people in security-related areas such as audit, HR and even the board of directors and top executives.

In the years I’ve been marketing security software, I’ve spent a lot of time with CISOs and have studied their position and the problems they need to solve. One big difference today from years past is the CISO finally has the executive’s ear, but they have more pressure, too. They now have to juggle all of the typical IT stuff – compliance, audits, etc. – along with business-level reporting requirements.

To do this effectively, they need a broader view of the business, so they can articulate how those business goals can be supported and enhanced by the security strategy, while still enforcing very strong security over access to systems, apps, and private corporate and customer information.

The many hats of a CISO

If you want to be a CISO, your mindset should relish this expanding responsibility and challenge. CISOs get to wear a lot of different hats – collaborator, negotiator, leader, techie, and sometimes still Bad Cop. They’re required to understand the needs of their users, both internal and external, to learn what’s important to them, how they go about their day, what they truly need and how the organization can deliver on those requirements in a secure way.

The CISO also must don the very specific marketing hat in today’s environment. First, a major part of their job is to evangelize security and risk management as a collaborative effort, and everyone needs to chip in to make sure the company isn’t the next data breach headline. They need to market their own efforts.

Second, the business needs to establish strong engagement with their customers, which involves gathering more info on the customer’s needs and attributes. The CISO needs to adopt security strategies that will support these marketing initiatives, while still enforcing effective privacy of the customer’s information.

Sounds simple, right? Not so fast! 

CISOs face a number of complex, and often interrelated, challenges:

  • Business push-back to security initiatives (they look for security workarounds)
  • Balancing security with ease of use for users
  • Anticipating regulatory/industry/technology shifts; placing the right bets at the right time
  • Anticipating and mitigating new attack vectors, techniques, forms of breaches, malware
  • Adapting to business changes and user expectations
  • Limited budget (what else is new?)
  • Managing the avalanche of business requests
  • Developing security awareness within the organization, and enforcing security policy across employees and partners
  • Being able to easily prove compliance to auditors
So, CISOs: does this resonate with you? Are there any major elements of your role and its challenges that should be added?

Sumner is a director in the security business unit at CA. Previously, he managed the…