The Role of the CISO

A description of the role of the CISO plus a sample job description for a fictional company, MedCoTech

Kevin Sesock

3/14/2024 · 10 min read

Executive Summary

The Chief Information Security Officer is primarily responsible for the CIA triad, representing Confidentiality, Integrity, and Availability of IT systems and business unit data. This responsibility primarily entails the Confidentiality of PHI/PII of customers and compliance with applicable laws and regulations (such as HIPAA), Integrity of data used to ensure accuracy and compliance, and Availability of systems for operations, sales (to minimize any downtime that would impact revenue), and support (to allow our support and maintenance departments to provide high-quality rapid service to customers).

The CISO will establish a Security Architecture within the larger confines of the organization’s Enterprise Architecture, establish a risk management framework for cyber risk (to include disaster recovery and business continuity), and develop policies and procedures that provide controls for system access, acceptable use, and change management. To accomplish this, the CISO’s team will be responsible for a few key systems, and consulted on several others, that form the core of the organization’s Identity & Access Management and monitor the enterprise for threats from viruses, network intrusions, and other digital threats.

Additionally, the CISO is primarily responsible for the organization’s Incident Response Plan, which means he is the executive primarily in charge of responding to security incidents, breaches, disasters, and other situations. The CISO’s office will be on the front lines of any incidents that cannot be prevented.

Finally, the CISO will ultimately be held accountable for cybersecurity and cyber risk management. Regular performance reviews and compensation, potentially as bonuses, should be tied to external audits, third-party penetration testing, and incident response records.

Cybersecurity Strategy and Primary Responsibilities

In a new or rapidly growing organization, the CISO may be faced with establishing a cybersecurity strategy that aligns with the Mission, Vision, and Goals of the organization. This involves working closely with other C-Suite executives, and even the Board of Directors, owners, or Partners, to align the Security department’s goals with theirs, help other C-Suite executives balance security and business needs, and inculcate cybersecurity as a regular part of business[1]. If a new product is to be developed, a service is to be rendered, or a business process is to be adjusted, the CISO is at least partly responsible for ensuring that other departments and business units design these systems with security in mind from the initial stages, and not as an afterthought. This can only take place in an organization where Cybersecurity is treated as critical at all levels, starting most importantly at the top with the Board of Directors and continuing on down.

The CISO’s approach to protecting the company will involve establishing a Security Architecture, followed by two primary initiatives. The Security Architecture will require the CISO to work within the larger Enterprise framework, evaluating business needs, IT projects, and strategic goals from a security standpoint and finding ways to protect the organization while allowing the enterprise to meet goals for new products, successful sales, and overall profitability. This will involve planning and documentation of current and future-state security architecture by working closely with the IT department’s Enterprise Architects, Network management staff, development teams, and others. This security architecture is an overall approach to security and focuses on a high-level, 30,000-foot view of how the CISO will operate in the larger Enterprise.

On a detailed basis, and regarding the first initiative, the CISO must approach cyber-security and other threats through a thorough, Enterprise Risk Management methodology, promoting continuous improvement in protection systems, cyber risk mitigation and reduction, and proper cybersecurity investment along a multi-year strategic plan[2, p. 360]. This will also include the creation of robust Incident Response, Disaster Recovery, and Business Continuity plans and the regular testing of these plans as a form of risk acceptance.

To accomplish this first goal, the CISO must engage in policy development and research, working closely with the company’s General Counsel, Chief Data Officer, Risk Manager/Chief Risk Officer, and Human Resources departments to develop a culture of cybersecurity and cyber risk management at all levels and amongst all staff, by using training, awareness, and other tools to promote policy compliance.

Primary responsibilities – The CIA Triad and Data Stewardship

One of the CISO’s core responsibilities is the protection of data and data systems of each department or business unit for Confidentiality (protection against unauthorized access), Integrity (protection from unauthorized modification), and Availability (protection from both accidental and purposeful downtime)[3, p. 3]. For example, the CISO’s team will be required to understand how a Billing department stores their data, what data they may have, and the severity and likelihood of breach, modification, and denial of service. Part of this process requires helping the Billing department itself to classify and document its data, define data stewardship, take individual responsibility for their data, and recommend who has access, and who can change what elements[4, p. 8]. With this knowledge provided by the Billing department, the CISO and his team can then develop a consistent and understandable framework for data classification and data stewardship, with clear goals in place to protect that data’s confidentiality, prevent unauthorized modification, and ensure that the data is available when necessary. This may also involve choosing a data classification scheme, access control scheme, and defining and documenting these processes. This can be replicated for the entire organization, providing an enterprise-wide view into the organization’s data assets and how they are protected, with clear responsibilities in each department, and an organizationally-complete picture of data security and criticality.

Cyber Risk Management

After analyzing the organization’s data and placing this in the perspective of CIA, the CISO’s role shifts into that of risk management. In addition to hackers, viruses, phishing, and physical security, this role includes planning for other, non-threat actor risks, such as system failure, natural disaster, fire, and power outage, under the heading of Disaster Recovery and Business Continuity Planning. Disaster Recovery is the process by which the IT department will respond to a disaster, restoring systems in a planned and practiced manner.

Business Continuity Planning, on the other hand, is how the rest of the enterprise will “keep the lights on” while the IT department performs these duties. It is also the role of the CISO to engage in regular tests of the Disaster Recovery plan by performing table-top exercises, structured walkthroughs, hot-site cutovers, and other exercises that test staff, processes, and documentation.

Policies and Procedures

Part of the process of risk management is establishing repeatable policies and procedures. These documents will help staff across the organization consistently meet security goals by establishing. This can and should start with the organization’s overall Cybersecurity policies, including any end-user or employee applicable Workstation Acceptable Use Policies, Privacy Policies, and the like, but can and should extend into the following categories depending on the level of complexity of the systems:

Systems

Much like each department will be the business owner for systems that are primarily designed to operate as systems of record, the CISO and a Security department will be the “business owner” for a few key systems. Regardless of the fact that the CISO operates within the IT department, theirs is the responsibility for designing business processes, establishing key roles and responsibilities, and taking “ownership” of a few key systems that have security management at their core.

Identity & Access Management

Arguably, among the most prominent IT systems under the purview of the CISO would be any systems associated with Identity & Access Management. The CISO is usually involved in, if not responsible for, defining key systems, policies, and procedures that impact the creation of user identities, their permissions, and system access. Often, this starts with defining consistent user roles across multiple departmental or business unit boundaries, defining how users are provisioned and de-provisioned (often automatically via a connected HR system), and managing exceptions and non-connected systems. The CISO’s goal in an organization of appreciable size (our example of the Medical Technology firm would count) would be to standardize and automate this process by purchasing and directing the implementation of the correct IAM tools.

Security Incident & Event Monitoring

A second critical system under the CISO’s purview would be any form of Security & Incident Event Monitoring (SIEM) system. SIEMs, being a more holistic and evolved form of Intrusion, Detection, and Prevention (IDP) platform, often aggregate multiple sources of data from across the Enterprise, providing intelligence, alerts, and automated response to virus infections, malware outbreaks, firewalls and other network monitoring tools, and key system logs. These systems will often form the basis of a Security Operations Center (SOC), though an internally manned and managed SOC may be too expensive for this organization. Instead, SIEMs can be monitored by outsourced, third-party SOCs that can provide round-the-clock response and notifications for an organization that may be primarily on an 8-5 Monday through Friday schedule.

Other Systems

The CISO may have partial responsibility for other systems. Though an IT Operations department will usually manage building facility, and especially data center facility systems such as HVAC/CRAC units, access control and security systems, and fire suppression, these may have a security component and the CISO’s team will need to be consulted, at a minimum. The CISO’s team must also have input in change management for such systems as firewalls, servers (including patching), etc. If the organization develops its own code or firmware for its medical technology products, or provides web applications or other software, then the security team must train and encourage developers to code with security in mind at the earliest design phases, work with QA teams to test for security flaws, and provide or manage external security penetration testing against these systems and certify them for security, all in a responsible risk management framework.

Incident Response Plan

In the event that the CISO’s careful planning and risk management activities are still insufficient to prevent an incident, the CISO and his office are the primary responders for security incidents, disaster recovery, breaches, and other impacts[5, p. 1208]. This is why regular testing, training, and exercising of the incident response plan, disaster recovery plans, and other emergency plans is so critical: in all risk management efforts, some risk must be accepted, and in this acceptance is the implicit understanding that a threat will be realized and must be dealt with. It is only through careful planning ahead of time that these impacts can be lessened and damage to the company minimized[6, p. 24].

Accountability and Compensation

The CISO’s accountability is primarily to the Chief Information Officer, through whom the CISO may provide reports and analysis to the CEO, Board of Directors, and other key stakeholders in the organization on emerging threats, risk management activities, and past or resolved incidents. The CISO is responsible for helping the CIO balance the growing technology needs with those of risk management, and for helping to raise security awareness in all corners of the enterprise. Part of the CISO’s compensation, such as bonuses, can be tied to regular (annual, at a minimum) successful audits and penetration tests of the enterprise, the results of which should be reported to all top executives, as well as members of the Board of Directors[7].


JOB TITLE: Chief Information Security Officer

STATUS: Full-Time; Non-Exempt

_________________________________________

CHIEF INFORMATION OFFICER


DEPARTMENT: Information Technology

REPORTS TO: Chief Information Officer

__________________________________________

CHIEF EXECUTIVE OFFICER

SUMMARY OF POSITION:

The Chief Information Security Officer (CISO) is responsible for MedCoTech’s cybersecurity posture and risk management activities, by establishing policies, procedures, and a culture of cybersecurity within the entire organization. The CISO will lead the Cybersecurity business unit within the IT Department, providing strategic cyber risk management services to other IT business units, and other non-IT departments throughout the enterprise, advising department heads and teams on how to protect the enterprises’ data assets and profitability.

A) ESSENTIAL JOB FUNCTIONS:

1) Manage team of security analysts, cybersecurity training staff, digital forensics staff, penetration testers, and other team members necessary to complete the mission of the business unit.

2) Work with Enterprise Architects, Network and Telecommunications teams, software development teams, and other IT staff to develop and maintain a System Security Architecture model, including documentation illustrating how the organization is protected.

3) Review and certify compliance of applicable security frameworks, regulations, and laws, including HIPAA, PCI-DSS, COBIT, and any other applicable requirements. Report compliance results to the CIO, CEO, and ultimately the Board of Directors.

4) Establish a risk management framework and communicate a medium-term plan for managing cyber risk sufficient for executive management and the Board of Directors to make informed decisions regarding budget priorities within the overall Enterprise IT Governance.

5) Manage the organization’s Disaster Recovery and Business Continuity Plans.

6) Establish and maintain a data ownership program for all functional areas.

7) Serve as a key point of contact for all other IT business units when it comes to cybersecurity and cyber-risk decision making; participate in change management and planning meetings for server patching, firewall configuration changes, and annual or semi-annual DR and off-site emergency tests.

8) Establish and enforce policies and procedures for IT and end-user processes, including employee onboarding and offboarding, access control policies, change management processes, and others.

9) Establish IT asset and inventory management practices and work with IT staff to ensure that all IT assets are accounted for.

10) Work with outside firms to conduct audits, penetration tests, and assessments for security compliance.

11) Maintain and monitor vendor management standards for security compliance, working with procurement and IT staff to hold external IT vendors accountable and protect the enterprise’s assets from third-party risk.

12) Monitor and respond to security incidents and breaches through an established incident response plan.

EDUCATION, TRAINING AND EXPERIENCE REQUIRED:

· High school graduate (or GED).

· Bachelor’s Degree in MIS, Computer Science, Business or related field required.

· Master’s Degree in MIS, Computer Science, Business, or related field preferred, but not required.

· Minimum 5 years in a cybersecurity-related field.

· Minimum 2 years in mid-level management role or above; people supervisory experience required.

· Minimum 10 years general experience.

· Appropriate certifications, such as CISSP or CISM preferred.

· Or an equivalent combination of education and experience.

_____________________________________________________________________________________________

EMPLOYEE’S SIGNATURE DATE SIGNED


Works Cited

[1] M. Cho, “Mixing Technology and Business: The Roles and Responsibilities of the Chief Information Security Officer,” p. 14, 2003.

[2] P. Eugen and D. Petruţ, “Exploring the New Era of Cybersecurity Governance,” Ovidius Univ. Ann. Econ. Sci. Ser., vol. XVIII, no. 1, pp. 358–363, Jan. 2018.

[3] M. G. Solomon and M. Chapple, Information Security Illuminated. Jones & Bartlett Publishers, 2009.

[4] D. Plotkin, Data Stewardship: An Actionable Guide to Effective Data Management and Data Governance. San Francisco, United States: Elsevier Science & Technology, 2013.

[5] H. Zafar, M. S. Ko, and K.-M. Osei-Bryson, “The value of the CIO in the top management team on performance in the case of information security breaches,” Inf. Syst. Front., vol. 18, no. 6, pp. 1205–1215, Dec. 2016, doi: 10.1007/s10796-015-9562-5.

[6] G. Lane and L. Koppel, Eds., “Information Protection Playbook,” in Information Security, Elsevier, 2013, pp. 23–25.

[7] C. M. Alina and S. E. Cerasela, “Internal Audit Role in Cybersecurity,” no. 2, p. 4.