Chief information security officers (CISOs) manage the cybersecurity needs of an organization, including the team, the technologies, and the initiatives. These relatively new C-suite executives typically report to the chief information officer (CIO), who then reports to the chief executive officer (CEO).
Created as a response to cybercrime, the CISO position will continue to grow as long as cybercrime grows. According to Cybersecurity Ventures, cybercrime could reach $10.5 trillion in annual damages by 2025. As the field expands and matures, CISOs will need to stay vigilant in their research, education, and skills training.
Here, we explore the CISO career in detail. We look at the path into the career, the responsibilities, and the outlook.
History of Chief Information Security Officers
In 1995, following a multimillion-dollar hack into its electronic funds transfer system, Citicorp recruited Steve Katz to take on the world's first CISO position. While Katz and others had held security leadership roles before this, the new CISO position was designed to manage and mitigate business risk related to cybersecurity.
Over time, the scope of cybersecurity has grown immensely. Contemporary CISOs need to adapt to constantly emerging cybersecurity technologies, regulatory changes, new hacker methods and motives, and the business expansion into the digital world. Along with technological expertise, CISOs need to provide insight into how business decisions impact cybersecurity and vice versa.
Similar Specializations and Career Paths
The CISO career path may look different for every individual. Some see the CISO position as a terminal career. Some, however, use the position as a stepping stone to other executive roles, such as chief information officer (CIO), chief technology officer (CTO), and chief executive officer (CEO).
Rising through the ranks may require additional experience or training. Research from Study.eu found that 64% of global CEOs hold master's degrees and 10% hold doctorates. In North America, 54% of CEOs have MBAs.
Despite the relevance of cybercrime to CEOs, only a small percentage of CEOs come from a technology background, according to Deloitte. Traditionally, CEOs come from business, operations, and finance, but that may change in the future as cybercrime grows.
CISOs in technology industries or those with strong cybersecurity needs may find CEO roles more accessible. In smaller organizations, CISO careers may not be available. In these places, cybersecurity specialists may take on security analyst or security manager roles.
| Career | Description | Required Education | Required Experience | Median Annual Salary |
|---|---|---|---|---|
| Information Security Analyst | These analysts assess the strength of an organization's cybersecurity systems by looking for vulnerabilities and available upgrades. | Bachelor's degree | Less than five years | $102,600 |
| Top Executive | Top executives set goals for their division and create the programs and policies necessary to accomplish them. | Bachelor's degree | Five years or more | $98,980 |
| Computer and Information Systems Manager | These managers oversee IT teams and projects. They also report to top executives on technological initiatives. | Bachelor's degree | Five years or more | $159,010 |
| Computer and Information Research Scientist | Research scientists study and design new computing technologies and new ways of using computers. | Master's degree | None | $131,490 |

Source: BLS
What Does a Chief Information Security Officer Do?
The primary goals for CISOs include overseeing the organization's cybersecurity systems, practices, and policies. Nearly every business decision affects cybersecurity, and nearly every cybersecurity decision affects the business. CISOs need to analyze these decisions and measure and evaluate their potential impact and risk.
CISOs typically oversee a team of IT and cybersecurity professionals. They collaborate with and report to other managers and C-suite executives, including CIOs, CTOs, and CEOs.
The value of the CISO role increases as cybercrime grows. The speed at which cybercrime evolves, however, creates many challenges for cybersecurity professionals. They need to respond to new technologies, new targets, growing sophistication, and the increasingly remote structure of organizations.
Below, we highlight some of the skills that CISOs can acquire to improve their chances of success in this complex role.
Key Soft Skills for CISOs
- Communication: CISOs need to communicate with their teams and other managers to complete projects. They also need to report on cybersecurity issues in an understandable and meaningful way.
- Leadership: CISOs often manage teams of IT professionals, which requires them to adapt their leadership style to the individual. They also need the skills to oversee projects, budgets, and policy implementation.
- Decision-making: CISOs need the ability to absorb complex and often conflicting information to make sound business decisions. Their decisions need to take various factors into consideration and represent the needs of stakeholders, staff, and consumers.
- Problem-solving: CISOs encounter many cybersecurity challenges that need to be approached with care and consideration. They need to analyze the problems and come up with effective solutions before an issue grows.
Key Hard Skills for CISOs
- Business operations: CISOs need to understand how businesses operate and how operations impact cybersecurity. They also need to know how cybersecurity decisions impact operations and how stakeholders prioritize business matters.
- Cybersecurity systems: CISOs need cybersecurity system expertise to discuss these matters with managers and stakeholders. They need to know their systems' capabilities, where the technology is going, and what influence system changes might have.
- Security standards: CISOs need to know security best practices and standards to judge how their systems and processes measure up. They may also need to know cybersecurity laws and regulations.
- Risk analysis: CISOs need to analyze business decisions for risk. They need to evaluate and report on how new business and new systems fit in with the cybersecurity systems in place.
A Day in the Life of a Chief Information Security Officer
A CISO's responsibilities can vary, but they usually oversee the development and implementation of cybersecurity systems and processes. This may include system architecture, establishing best practices, and creating a backup and recovery plan. They can also develop training programs for the organization's staff and system users.
CISOs regularly evaluate the system, make changes and upgrades, and report on their findings and progress. They provide cybersecurity insight regarding any business decisions as well.
CISO Career and Salary Outlook
While the Bureau of Labor Statistics (BLS) does not have a specific category for the CISO career, we can look at related fields to determine the outlook. For example, the BLS projects the addition of nearly 200,000 new top executive positions between 2021 and 2031, plus more than 300,000 annual openings.
Furthermore, the BLS projects 16% growth for computer and information systems managers during that same period. The projected 35% growth for information security analysts makes it one of the fastest-growing careers available. Professionals often enter the CISO career by way of these growing fields.
Along with the promising demand, top executives and computer leaders enjoy above-average wages. According to Payscale, CISOs earn an average annual salary of $172,912 as of October 2022. With bonuses and profit sharing, salaries range from $113,000 to $275,000.
How to Become a Chief Information Security Officer
Becoming a CISO usually requires a bachelor's degree at minimum, though many top executives have a graduate degree. CISOs also need many years of experience, including IT experience, cybersecurity experience, and management experience. The time investment varies by individual, but CISOs can expect to spend at least 4-6 years in postsecondary education and around 10 years gaining experience.
Resources for Chief Information Security Officers
- EC-Council: The EC-Council provides cybersecurity training and professional certification, including the certified CISO credential. Members gain access to the organization's training courses, industry white papers, and expert network.
- ISACA: ISACA has more than 150,000 members worldwide, offering lifelong learning and professional development opportunities. The association provides members with industry guidance and best practices, access to research and events, and professional credentials.
- CISO Executive Network: This professional association connects members from across the world to share ideas and discuss various issues in the field. Members gain access to annual meetings and roundtables and thought leadership from some of the top professionals in the industry.
- Information Systems Security Association International: ISSA International aims to advance the cybersecurity profession and practice. Members have access to meetings, committees, events, continuing education, and professional development opportunities.
Learn More About Chief Information Security Officers
Questions About the Career of a CISO
What is the difference between a CIO and a CISO?
CIOs take leadership over more general IT issues, whereas CISOs specialize in cybersecurity. As a result, CISOs often report to CIOs. CIOs usually report to the CEO and other C-suite executives.
Are chief information security officers in demand?
Yes. Due to the growing impact of cybercrime, more organizations will seek out cybersecurity leaders. In fact, Cybersecurity Ventures predicts the percentage of board members with cybersecurity experience will double by 2025.
Is CISO the highest career level in cybersecurity?
Yes. In most organizations, CISO is the highest attainable title for cybersecurity professionals. CIOs and CTOs may have an impact on cybersecurity and sit higher in the hierarchy, but these roles typically fall in more general IT territory.
How many years does it take to become a CISO?
The number of years required for a CISO career depends on the individual. Many employers require candidates to have 7-12 years of experience to be considered for CISO roles.
Reviewed by: Monali Mirel Chuatico
In 2019, Monali Mirel Chuatico graduated with her bachelor's in computer science, which gave her the foundation that she needed to excel in roles such as a data engineer, front-end developer, UX designer, and computer science instructor.
Monali is currently a data engineer at Mission Lane. As a data analytics captain at a nonprofit called COOP Careers, Monali helps new grads and young professionals overcome underemployment by teaching them data analytics tools and mentoring them on their professional development journey.
Monali is passionate about implementing creative solutions, building community, advocating for mental health, empowering women, and educating youth. Monali's goal is to gain more experience in her field, expand her skill set, and do meaningful work that will positively impact the world.
Monali Mirel Chuatico is a paid member of the Red Ventures Education Integrity Network.
Page last reviewed Oct 24, 2022