An In-Depth Look at the Role of Chief Information Security Officer

by | Apr 5

If your calling is that of chief information security officer (CISO), you will be responsible for taking charge of all the security endeavours of your organisation. The role is incredibly diverse, as it extends from overseeing the security of staff members, to that of company assets, and its all-important data. Your work will be cut out for you, most especially, when you’re called upon to manage potential risk assessments, or to supervise the investigation of a security breach.

Your five key duties in the high-energy position of CISO are listed below:

  • improve the security of your entity – i.e. across data and assets, the security of a building, staff safety regulations, and the techniques and policies that could reduce any form of risk (e.g. theft, exposure);
  • oversee daily operations – such as ensuring that employees keep their log-in information updated; developing and implementing safety standards for your staff contingent as a whole; and combatting any form of disruption or threat;
  • keep threats at bay – by evaluating risks and creating appropriate security protocols, collaborating with other C-suite executives to develop and implement the necessary security protocols, and upgrading and maintaining security systems to keep fraud and data loss at bay;
  • maintain data security – by creating secure logins for information and network access, developing information systems protection, and managing data, both internally and externally, during times of corporate transition; and
  • investigate past breaches – to ascertain who instigated the attack, why they did it, and how to fix what went wrong so that it’s unlikely to happen again.

Reasons why the Role has “Arrived”

According to, “Security is evolving into a critical shared service within most organisations. The new security leader has responsibilities not merely to IT, but to improving [the] operational efficiency of the business, and implementing cost-effective risk management measures.

Those bottom-line improvements come most easily when companies treat security as a business process, assigning a single individual to the matter of coordinating the various risk-management processes of that organisation.

Corporate security is more than so many technologies. It involves physical, psychological and legal aspects, such as training, encouraging, enforcing and prosecuting. It involves strategic planning, skilled negotiating and practical problem solving. Only an individual with strong business savvy and security knowledge can oversee security planning, implement policies, and select measures appropriate to business requirements,” their expert, Steve Hunt, advises.


Did you know…?

Approximately 15 million data records were exposed worldwide through data breaches in the third quarter of last year. This is the word from Statista, a platform that empowers people with data, which also revealed on its website that the figure had increased by 37 percent from 2022’s second quarter.

When analysing the past two years, i.e. 2020 to 2022, the highest number of exposed data records was detected in the fourth quarter of 2020, at nearly 125 million data sets – revealing the progress that the corporate world has made in their security endeavours in the time since.

Your Ideal Qualifications and Years of Experience

Begin with a Bachelor’s degree in Safety Management or Information Technology (with a systems or security focus). An engineering or business degree is also a good starting point. If you wish to study further, you could complete a Master’s in Computer Science or Information Science, but a better bet would be to enter the workplace in an entry-level security position and work your way up to take on the chief information security officer role in due course.

In South Africa, for example, the best universities for an Information Technology degree can be found here: Or, if you would like to study IT or Computer Science at a college, you will need a National Senior Certificate, and at least a 50% aggregate for your Home Language and Mathematics. Find a list of reputable colleges, here:

Because a chief information security officer is an extremely advanced position, the experts at Indeed advise that you will need to amass extensive time in the physical and cyber security realm to be considered, and have worked as a security manager for three to five years – both leading a team and collaborating with other executives – to qualify.

See “Additional short courses and certifications”, under Fast Fact 2, below.

What you can Expect to Earn

In the US, the median salary per annum for a chief information security officer is US$131 455 [R2 339 092], with an estimated additional bonus of US$39 060 [R695 028] per annum. The most likely range in salaries, however, veers from an entry-level US$76 000 [R1 352 333] to a senior US$241 000 [R4 288 320].


In South Africa, however, the average chief information security officer package is a comparably low R1 555 640 per annum, with an average annual bonus of R145 452. The salary range starts at R1 085 420 for an entry-level individual, while a CISO with eight or more years of experience could expect to earn R1 953 757.


Phishing Attack makes Headlines

Computer Weekly reported in August 2022 on a potentially damaging cyber incident that was fought off valiantly by Cisco Systems, the US-based multinational digital communications technology firm, after a threat actor sought to conduct a phishing attack on one of the company’s employees.

The attacker apparently gained access via a Cisco employee’s personal Google account, because their credentials were saved in the browser. After gaining access, the article continues, the attacker carried out various activities to achieve persistence, cover their tracks, and elevate their privileges within the Cisco network – thereby compromising a few of its servers and obtaining privileged access to domain controllers.

Fortunately, “the incident was contained to the corporate IT environment” and no impact was identified “to any products or services, sensitive customer data or employee information, intellectual property, or supply-chain operations”, a Cisco spokesperson revealed.

“We have used [our extensive IT monitoring and remediation capabilities] to implement additional protections, block any unauthorised access attempts, and mitigate the security threat]. We are also putting additional emphasis on employee cyber security hygiene and best practices, to avoid similar instances in the future,” the spokesperson added.

The consensus among industry experts, such as ImmuniWeb founder and CEO Ilia Kolochenko, was that the firm had been lucky. Kolochenko nonetheless emphasised the importance of security vendors and CISOs alike preparing “for a continually growing volume and sophistication of cyber attacks” in the future.

Cyber Security Concerns 2023

For CISOs not entirely sure how to keep the sleepless nights at bay in this challenging field, a Forbes article highlights four trends to keep in mind as the year progresses. They are:

  • the added threat of security breaches due to remote workers: this requires setting the tone on the responsibilities of working from home, so that all employees feel empowered in relation to, and accountable for, their own data security;
  • understanding that AI and machine learning present a double-edged sword: while they can filter spam, reject phishing attempts, and prevent a data leak, they can also be used by cyber criminals to gather data, launch an attack, or distribute ransomware. AI must therefore always be employed alongside human comprehension to make it safer and more strategic;
  • employing zero-trust architecture, even if staff members must jump through more hoops to log on: it enables greater visibility and control over both users and the overall IT environment. Get your team on board with the decision, by emphasising what you are trying to protect, and from whom; and
  • retain the good staff you have recruited: it may sound like a no-brainer, but in an industry where there are more positions going, with excellent salary packages, than any other, the best of the bunch won’t tolerate a toxic environment, unfair overtime, or work that lacks meaning. Your job is therefore to hire for the long-term, by turning every interview into a conversation that seeks out culture fit, personality, and the applicable skills and experience in a potential candidate.


Fast Fact 1: Reading up a storm

Here are four books for a chief information security officer to delve into, to keep the brain cells firing after hours:

  • Cloutier, R. (2015). Becoming A Global Chief Security Executive Officer. A How To Guide for Next Generation Security Leaders (UK: Butterworth Heinemann) – provides tangible, proven, and practical approaches to optimise a security leader’s ability to lead both today’s, and tomorrow’s, multidisciplined security, risk, and privacy function.
  • McClure, S., Scambray, J. and Kurtz, G. (2012). Hacking Exposed 7 – Network Security Secrets And Solutions. (US: McGraw Hill) – bolster your system’s security and defeat the tools and tactics of cyber-criminals, with the expert advice and defence strategies provided by these three authors.
  • Ferraro, P. (2016). Cyber Security. Everything An Executive Needs To Know. (US: Philip J. Ferraro LLC) – helps you understand each of the significant areas of cyber security, while learning exactly what steps you, as a leader, can take to properly prepare your organisation to face today’s constantly evolving threat landscape.
  • Perlroth, N. (2021). This Is How They Tell Me the World Ends. The Cyber Weapons Arms Race. (UK: Bloomsbury Publishing) – exposes the motivations and misgivings of the people helping governments hack into our devices. Lays bare the stark realities of disinformation, hacking, and software vulnerability that are the Achilles’ heel of modern democracy.

Fast Fact 2: Additional short courses and certifications

Most individuals in the CISO role will invest in additional certifications and/or licences every now and then, when they feel the need to refresh their knowledge or upskill in certain areas.

Examples may include the University of Cape Town’s Data Protection and Privacy online short course, which is geared towards driving the design and implementation of data policy in your organisation (sign up here:; and the three best certifications for CISOs and aspiring CISOs, recommended by TechTarget (click here:, which are the:

  • Certified Information Systems Security Professional (CISSP);
  • Certified Chief Information Security Officer (CCISO); and
  • Certified Information Security Manager (CISM).

Fast Fact 3: International conferences

A useful list of upcoming security conferences appears on CSO US, making it easy for busy individuals to select the events that will have the most impact for them, or that are closest to home, to reduce travel time. As the CSO editor enthuses, “There is nothing like attending a face-to-face event for career networking and knowledge gathering, and we don’t have to tell you how helpful it can be to get a hands-on demo of a new tool or to have your questions answered by an industry expert.”

For those lucky enough to receive an invite to attend the next Global Cyber Innovation Summit (GCIS), it will take place from 10-11 April 2024 at the Sagamore Pendry Hotel, Baltimore, Maryland, US. Bob Ackerman, chairman of the GCIS forum, describes the event as: “Unlike any other in the cybersecurity realm, convening thought leaders from Fortune 100 CISOs, cybersecurity CEOs, policy makers, cyber investors and the intelligence community in a trusted, non-commercial setting. GCIS raises the level of dialogue and facilitates collaboration on how we, as a community, can attempt to meet the challenges of the rapidly evolving threat landscape and move the future of cyber innovation forward in actionable ways.”

• Exchange rates are correct at the time of publication.
