
The Role of the Chief Information Security Officer

With the continuous rise in cyber attacks, combined with increasing compliance requirements, many businesses are seriously considering appointing a Chief Information Security Officer (CISO) to develop and implement a robust cyber security programme.

The role is still relatively new in the UK, and it combines a host of responsibilities, including the management of policies and procedures to defend the organisation from both internal and external threats.

Technical Experience

The CISO needs to understand and have experience of a broad range of technical and managerial functions. Although the CISO is unlikely to be configuring the firewall or writing code themselves, he or she should have a good understanding of how all the network devices work together, a knowledge of what poor programming standards can cost the company, and the ability to sit down with technicians and programmers and talk through difficulties.

Business Aptitude

Business experience with third party contracts, intellectual property rights, and an understanding of compliance standards such as PCI DSS, GDPR, ISO 23600 and 27001 are also vital for an effective CISO. Furthermore, practical experience of setting up and maintaining an effective security operations centre (SOC) team, and hands-on experience with SIEM and other network and security tools that facilitate incident response, would be a requirement.

Risk Management

A successful CISO will see the application of policies and controls in the light of managing cyber risk, which includes supply chain risk management, business continuity and disaster recovery risk management. The CISO will also be capable of creating and maintaining policies and procedures which reduce that risk in line with business objectives.


The CISO needs this range of experience and knowledge because he or she must be able to communicate effectively with the other senior executives and board members. Building an effective cyber security programme requires company-wide collaboration, and the CISO needs to be able to engender that support from all management levels and throughout the organisation. CISOs provide a bridge between executives and IT engineers. They add huge value to the business by providing stability and trust in the IT systems.

Value of a CISO

Recruiting a CISO necessitates an investment of both time and money, and it should have full company-wide support to ensure the role is a success. Often the CISO can lead a transformation of company culture such that all staff are cyber aware, and those at the "front-end" (the programmers, developers and IT support roles) all have a "security-by-default" attitude.

Enduring security comes about when a culture is created where information and systems are protected not just by technology but by changing how people interact with them. Of course, technology and automation should be used to reduce security events, but ultimately it's about changing behaviour, and that's what a good CISO can do.

Just as important, when there is a breach, the CISO will have ensured that incident response and business continuity work together to smooth out what would otherwise be a very expensive event. Interestingly, research conducted by the Ponemon Institute found that those companies with a CISO saw a reduction in the cost of a data breach by $7 (£5) for each record. Many breaches are hundreds of thousands or millions of records.

Another benefit is brand differentiation. When appointing a CISO it is worthwhile announcing it, because it shows your clients and your suppliers that you take cyber security seriously. Appointing a CISO is a business differentiator that gives your business an edge.

Cyber criminals themselves recognise the value of the CISO, as they are now focusing their criminal activities on small and mid-sized businesses (SMBs). They realise that SMBs are less likely to employ a CISO and less able to develop robust information security programmes in the way that larger organisations have.

The Challenge

Unsurprisingly, this kind of high calibre CISO is in very short supply, and recruiting them is a real challenge both in the UK and across the globe. As a result, those with the expertise and experience are in high demand and command some of the highest salaries. In addition, the average tenure of a CISO is only 18 to 24 months, which not only causes programme continuity difficulties but requires that the whole recruitment process, with all its attendant costs, repeats with alarming frequency. What are the solutions to this?

The Solutions and Alternatives

We'll discuss several solutions and alternatives in PART TWO.

Author: David R. Bird.
MSc Cyber Security, CISSP.
UKNCSA™ is the National Cyber Security Association™ for the UK.
UKNCSA is administered by UKNCSA Ltd (a non-profit organisation).
Company Reg.11995004
Reg Office. 101 Avondale Road, London N153SR.