When Is A CISO Not A CISO?

Hint: When you forget the “C” and the “O”

Helen Patton
4 min read · Feb 27, 2024


There are lots of people who carry the title of Chief Information Security Officer (CISO). There are so many people with the title that industry pundits are starting to sort CISOs into different buckets, to try to explain why people with the same title do such different things. There is no doubt that many CISOs, depending on their organization, fill many different kinds of roles. But giving everyone the same title while the scope of their role varies so widely only makes the CISO role more confusing, both for the people around them and for the CISOs themselves.


Sometimes, when so many roles have been stuffed into a single title, it is easier to point out when someone is NOT a CISO than to determine when someone IS a CISO. With this in mind, here is my list of 9 things that make someone NOT a CISO:

  • The CISO is buried at least 2 layers down from the C-suite of the organization.
  • The CISO has no direct access to the Board or organizational governance team.
  • The CISO is responsible for setting policy, but given no authority to enforce those policies.
  • The security team is so small that the CISO’s job description also includes doing front-line security engineering/analyst work.


Helen Patton

Cyber Security, Technology Ethics, and Humanity. What else? I can be found at CISOHelen.com or on Twitter @CisoHelen or on Mastodon @cisohelen@infosec.exchange