What Does a Chief Information Security Officer Do?

Know before you read
At SNHU, we want to make sure you have the information you need to make decisions about your education and your future—no matter where you choose to go to school. That's why our informational articles may reference careers for which we do not offer academic programs, along with salary data for those careers. Cited projections do not guarantee actual salary or job growth.
The Chief Information Security Officer (CISO) is a high-level leadership role in the C-suite, alongside a company’s CEO and other chief executives. If you hope to climb to the top of the information security career ladder, you might have already set your sights on the title.
But before you commit yourself to this trajectory, you'll need to understand the job and what your road to it might look like.
What Are the Responsibilities of a CISO?

The CISO is responsible for the security of a company’s network and data, as well as the CIA Triad, according to Glen Mitchell, a cybersecurity instructor at Southern New Hampshire University (SNHU) with decades of security experience.
"I am retired as a Chief Warrant Officer 3 (CW3) from the U.S. Army Reserves after 25 years," Mitchell said. "I worked in the cyber field in the military before they used the term cyber."
He noted that the CIA Triad refers to:
- Confidentiality
- Integrity
- Availability
In short, Mitchell said that means keeping data secure, making sure data is valid and ensuring that systems and data are accessible.
“(CISOs) define the path and outline of security and are held responsible for the risks,” he said.
Mitchell said that as a CISO, you would also hold your staff responsible for risks and project management. He noted that you could have Information Security Officers (ISOs), privacy teams, security operation teams and others reporting to you in this position.
What is It Like to Be a CISO?
The role of a CISO is more communication-centered than you might realize, according to Mitchell.
“Their role is to take the information from the technical staff and translate it to the stakeholders above them,” he said. “They also must then translate and balance the requests, requirements, budgets and needs of leadership in securing the environment.”
In fact, he said most of your day as a CISO would be spent collaborating and communicating rather than getting deeply involved with technical projects.
“Most of their day-to-day work is meetings with board members, along with leadership outside of your organization,” he said. “They will also work with site security officers (also known as information security officers), human resources, purchasing, supply chain and others all while working with their different IT teams.”
How Much is a CISO Salary?
Chief executives — including CISOs — are among the highest paid professionals in the U.S., with a median annual salary of $206,420 in 2024, according to the U.S. Bureau of Labor Statistics (BLS).*
However, it’s important to note that salaries can vary hugely depending on a company’s size, among other factors.
What Roles Are Similar to CISO?

There are also other C-suite positions that aspiring security leaders might pursue, according to Rodney Royster, a cybersecurity instructor at SNHU who has worked in the tech field for more than four decades and has held a number of cyber leadership roles.
Organizations often use different titles and structures, according to Royster, but he noted these as a few executive positions you might also consider:
- Chief Information Officer (CIO)
- Chief Security Officer (CSO)
- Chief Technical Officer (CTO)
"There's a lot of paths for growth," Royster said.
Is It Hard to Become a CISO?
You’ll likely need to climb the ranks of lower- and mid-level management before securing any top executive role, according to BLS. That isn’t necessarily an easy path, and not everyone makes it all the way up to the C-suite. But if you’ve got your eye on this spot at the top of the ladder for cyber and infosec professionals, Mitchell said you’ll need to build knowledge and skills in these areas:
- Communication
- Documentation
- Project management
- Standard Operating Procedures (SOP)
There are often educational requirements for this role, too. Top executive roles typically require a related bachelor’s or master’s degree, BLS reports.
How to Advance to a Leadership Role in Information Security
These 3 elements of your resume are all crucial factors when it comes to landing a leadership position in information security, according to Royster:
Certifications
Pursuing advanced certifications is one way to boost your resume when you’re looking to move up.
Although SNHU doesn't currently offer industry certifications, Mitchell recommended becoming a Certified Information Systems Security Professional (CISSP) through certification providers like ISC2.
“The one certification I find helpful for this role is CISSP,” he said. “I find a lot of students want this certification first but do not understand it is a managerial certification.”
You could also pursue certifications to help you specialize in areas like cloud security, forensic analysis, penetration testing and more through Global Information Assurance Certification (GIAC) or other providers.
Education
Though you might find entry-level roles in information security without one, you’ll likely need at least a bachelor’s to move up, according to Royster.
"When it comes time to get to the higher levels, it's going to require you to have a degree," he said.

And even after earning your bachelor's, you can’t stop learning if your goal is to become a leader, according to Gina Cramer ’20, a leader in information security at BNY, a global financial services company. Cramer earned her bachelor's in cybersecurity from SNHU and served as an analyst at BNY before advancing to her current position.
“I'm with application security, specifically dynamic analysis scanning,” she said. “So my team scans the bank's applications looking for known vulnerabilities.”
Since the security landscape is constantly changing and evolving, Cramer said you’ll need to continually develop your knowledge and skills in different areas of security if you want to move up in the field.
“Don't stop learning, because you'll get passed over,” she said.
If you already have a bachelor’s degree, a master’s in cybersecurity can be a great choice to advance your understanding of both the technical and human aspects of cybersecurity. You could also opt for a Master of Science (MS) in Information Technology with a concentration in Information Security.
Experience
The more experience you can get, the more likely you are to advance. And that doesn’t just refer to the length of time you spend in the field, according to Cramer, but what you do with that time.
She noted that the more initiative you take in your role, the better your chances are when you apply for a leadership position. She suggested shadowing other positions in your company as one way to grow.
“Find mentors if you can, too,” said Cramer. “If you're in a company and there's something you want to eventually work towards, talk to the people who do that and find somebody who would be willing to mentor you.”
Whether or not you ultimately become a CISO, there are plenty of opportunities for continued growth.
Discover more about SNHU’s master’s degree in cybersecurity: Find out what courses you'll take, skills you’ll learn and how to request information about the program.
*Cited job growth projections may not reflect local and/or short-term economic or job conditions and do not guarantee actual job growth. Actual salaries and/or earning potential may be the result of a combination of factors including, but not limited to: years of experience, industry of employment, geographic location, and worker skill.
Mars Girolimon '21 '23G is a staff writer at Southern New Hampshire University where they earned their bachelor's and master's, both in English and creative writing. In addition to their work in higher education, Girolimon's short fiction is published in the North American Review, So It Goes by The Kurt Vonnegut Museum & Library, X-R-A-Y and more. Connect with them on LinkedIn.