The responsibilities of CISOs vary by industry, size of company and how the organization is regulated. Different companies structure cybersecurity in different ways, but there are many common themes.
At big companies, CISOs often oversee a team of security professionals that work for the company. Smaller firms may outsource the job to a company that provides managed services. Many do a combination of the two.
We compiled this list based on research of public, private and academic resources, job postings, and interviews with cybersecurity officers and the executives who hire them.
Security operations: This function involves real-time analysis of threats, including watching the tools that monitor a company’s firewalls, entry points, databases and other internal environments. When something goes wrong, these folks are supposed to discover and triage the problem.
Cyberrisk and cyber intelligence: Corporate boards often ask CISOs to get out ahead of new types of attacks that could be harmful, business deals that could introduce risk of a breach or new products that might weaken security.
In 2017 Verizon lopped $350 million off the buying price of Yahoo, following revelations a prior data breach had affected more people than Yahoo originally stated. That's an example of Verizon quantifying how much a cybersecurity risk costs (although the company reportedly wanted a bigger discount of up to $925 million).
When a senior official with the Office of the Director of National Intelligence told a panel in Aspen that Iranian operatives have cyber weapons poised on U.S. infrastructure, he's relying on a complex collection of cyber intelligence.
Data loss and fraud prevention: People emailing out sensitive information, or insiders stealing intellectual property when they quit, are two examples of what these professionals handle. They use tools that monitor the flow of information in an organization, to spot when large amounts of data are leaving the company.
When Elon Musk said an engineer at Tesla was flagged for sending source code outside the firm, that type of problem is usually handled by this team.
Security architecture: This person builds the security backbone of a company, sometimes from the ground up, in part by deciding where, how and why firewalls are used. These pros may also make decisions like how to separate or segment certain networks. They may also rely on penetration testers or ethical hackers to test the defenses they create for the company.
If you wondered how the WannaCry or NotPetya ransomware moved so rapidly between different parts of some affected companies, that's because many companies had "flat" networks with no way to quarantine the attack between business units. A security architect could help build a more resilient network.
Identity and access management: These employees deal with credentials. When you get your username and password at a new company, it likely went through the hands of somebody in this field. These professionals maintain who has access to which tools, who gets which email addresses and how rapidly those credentials are taken away when somebody gets fired.
That last point is key and if mishandled can lead to a lot of data loss. In one famous case involving an engineering firm in Tennessee, an ex-employee was able to access valuable information for several years after leaving for a competitor because his credentials were never retired.
Program management: Once a company has measured its risks, gathered intelligence and mapped where its data is going, it may find some gaps. To fill those gaps, companies create projects and programs. Cybersecurity program managers don’t always have a deep technical background, but they know how to build and manage new initiatives meant to keep the company safer.
One example of a common program: patching systems on a regular basis. When program management is poorly handled, you can have missed patches -- like the one that led to the massive data breach at Equifax and cost CEO Richard Smith his job.