What does a Chief Information Security Officer do?

Within a corporation, the individual responsible for securing the digital information infrastructure of the business is typically known as the chief information security officer (CISO). It generally falls to this professional to create and enforce a security posture for the business. This can include everything from procedures for handling sensitive information to the methods by which the digital infrastructure is protected. As part of the c-suite of corporate officers, the chief information security officer typically functions at a high level, and may be responsible for a number of information security personnel.

The primary responsibility of a chief information security officer is typically to safeguard the integrity of the information technology (IT) infrastructure, and any proprietary information possessed by the business. This can begin with physical and software solutions, like firewalls, but often extends to personnel as well. The CISO will typically set forth procedures that must be followed when dealing with privileged or proprietary information, to prevent it from falling into the hands of the competition. He may also be responsible for creating a stance on how to respond if there is a breakdown in procedure.

In addition to information security, a CISO may be involved in things like privacy and the prevention of fraud. Since these areas are often associated with IT, the CISO will sometimes be required to create procedures for preventing fraud and dealing with it if it occurs.

Within the typical corporate structure, a chief information security officer usually reports to a highly-placed member of the c-suite. This may be the chief executive officer (CEO), chief operating officer (COO), or another officer, depending on the particular company. In some cases, the CISO reports instead to the head of the legal department, since many information security functions may have direct legal repercussions.

Some corporations or smaller businesses may remove the responsibilities of the CISO position from the c-suite. Instead of having a corporate officer in charge of these security issues, there may be a director or a vice president of information security. Their responsibilities will often be similar to those of a CISO, simply with a different title and position within the workplace.

In some situations, the CISO is responsible for both the physical and information security of a business, in which case he will sometimes be referred to as the chief security officer (CSO). The combination of these roles generally creates a host of new responsibilities as the CSO must deal with physical security of the business operations, theft, corporate espionage, and other related matters. One reason for combining the roles may be the increasing presence of technology in matters of physical security, in which monitoring devices and other components are often tied to the IT infrastructure.