When a cyber security disaster strikes, who is the first manager the security team will call? In most cases, the answer is the Chief Information Security Officer (CISO).
While many might wonder about the meaning of the CISO role, it has become integral to organisational security. High-profile cases underscore the critical nature of the CISO’s responsibilities.
In 2023, the University of Manchester’s CISO Heather Lowrie spoke about how the organisation recovered after a sophisticated cyber attack in which access to sensitive data was gained via a phishing email. A response team was quickly formed, and external support came from government agencies such as the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA).
Far from being a recent fashion, the rise of the modern CISO role goes back decades to the birth of modern cyber crime and a time when the Internet was mostly something people read about in magazines rather than used themselves.
How the CISO Role Was Created
The year was 1994, and the history-changing event was a computer attack on the U.S. financial services company Citicorp in June of that year. This incident – now widely viewed as a prime example of a modern cyber attack of any scale against a business – had several elements which eerily predicted the world we live in 30 years later.
During the incident, a hacker stole $10.7 million ($22 million in today’s money) by accessing the dial-up system that several Citicorp clients used for wire transfers. At the time, this was shocking and extraordinary. It later transpired that the attacker was a Russian called Vladimir Levin.
But what matters for this article is what happened next. Realising that the incident indicated a new type of business problem, Citicorp decided to shore up its defences by appointing a man called Steve Katz to lead a new security function. His job title: Chief Information Security Officer, or CISO. This pivotal moment highlights what a CISO means for organisational security and innovation.
Citicorp’s decision to formalise the CISO role reflected a proactive approach to emerging cyber security threats. While the effectiveness of such roles has varied, the function has become indispensable across most large organisations.
Many CISOs have been appointed since 1994 – indeed, no organisation of any size would now be without the role – but the workload has only multiplied. Equally, it is easy to imagine that, without the CISO function, cyber security would have deteriorated even further than it has.
Initially, the role of the CISO was seen as being about network security and access control. In time, it became obvious that digital access and the Internet had also hugely expanded what was possible. Digital systems were becoming so inter-connected that security represented a new type of business risk, understood today through the modern idea of cyber security.
What Does It Mean to Be a CISO?
The early CISOs – that’s probably all experienced CISOs working today – were networking and IT engineers who got into security because only they had the necessary expertise. They were predominantly technical people whose skills and knowledge were seen as a means to the end of looking after computers and network plumbing.
Over time, however, this mainly technical role has evolved into something altogether more diverse and complex. The idea that CISOs were engineering people who reported upward to Boards was a product of an era when cyber security was seen as an IT function. IT itself was seen as predominantly a service for other functions. This has now changed dramatically; IT and cyber security are now strategic investments that protect value within a traditional risk management approach.
In effect, the CISO is a business role that often reports to the Board. In the event of a cyber attack today, the CISO won’t be asked for a technical description but to relate what has happened in terms of its effect on the business. This is what being a CISO means in today’s cyber security landscape.
Why Certification Matters for CISOs
The CISO’s role is pivotal, and yet no single educational qualification is required to become one. This raises the question of how CISOs prove they’re up to the job, especially if they didn’t start their career 30 years ago and cannot point to decades of specific experience in the field.
One answer to that question is to become certified, but working out which certification to pursue is not always easy. For example:
- ISC2’s Certified Information Systems Security Professional (CISSP) is the gold standard of the CISO profession and, coincidentally, also dates back to 1994. Candidates need at least five years of full-time work experience. Holding a relevant qualification, such as a computing-related degree, is not mandatory, but it can reduce the experience requirement by a year. In addition to the exam fee, the certification must be renewed every three years by earning 120 continuing professional education (CPE) credits.
- One of the main alternatives for management‑focused security leadership is ISACA’s Certified Information Security Manager (CISM). It’s less technically demanding than the CISSP but still considered an important qualification – the two could be seen as complementary.
- The EC-Council’s more recent Certified Chief Information Security Officer (C|CISO) is designed to cover cyber security from a management-skills perspective (finance, third-party management, procurement, etc.) that is not part of the CISSP.
- In the UK, cyber security professionals can now achieve chartered status through the UK Cyber Security Council – granting them the same level of professional recognition as chartered accountants and engineers. This replaced the previous Certified Cyber Professional (CCP) scheme.
An important aspect of certification is the commitment to refreshing skills. As with many professional certifications, skills and knowledge must be continually updated as the field changes.
Are CISOs Essential?
The short answer is that while smaller organisations might not have a formal CISO position, they still require someone with the strategic capability to manage cyber risks and coordinate effective responses. Ultimately, the CISO’s role is about understanding what is really going on and communicating that across the organisation.
In almost every organisation, that means being someone who can relate technology and how it is used to wider concerns about business risk. It’s taken a generation to understand that this role is central to the future of organisations that are becoming increasingly defined by their digital rather than physical presence.