Data security is more important than ever before. While there are many professionals in the field of information security, the executive responsible for coordinating all efforts to protect an organization’s data is the chief information security officer or CISO. Sometimes called VP of security or chief security officer, a CISO is a leader in the fight against emerging threats to information security.
Whether you currently work in cybersecurity or are considering a career change, becoming a CISO is what’s waiting for you at the top of the cybersecurity hierarchy.
Becoming a chief information security officer isn’t easy, but if you love doing what it takes to keep information assets, intellectual property, and other digital holdings safe, then there’s no reason not to set your sights on this role.
Curious what it takes to become a CISO? In this article we’ll cover:
This CISO role is a relatively new one, but it’s vital in today’s information-driven world. The responsibilities of a chief information security officer vary by industry, the size of an organization, and how it is regulated.
In general, however, these executives analyze security threats and weaknesses and develop and maintain robust information security strategies and policies. To do this, they inventory an organization’s information assets thoroughly and look at what existing and potential threats they face.
From there, they decide how best to protect those assets from accidental and intentional misuse. They also look at an enterprise’s assets through the lens of laws and regulations concerning data privacy.
Ideally, an organization’s information security strategies protect it from running afoul of these laws, but when breaches happen, a CISO must know how to deal with the legal consequences, not just the financial ones.
Citigroup CISO Stephen Katz breaks down the duties of the chief information security officer into the following categories:
Becoming a chief information security officer means taking on much responsibility—especially in an age where a data breach can cost a company millions, if not billions, of dollars.
In its 2022 Cybersecurity Workforce Study, (ISC) estimates the size of the the global cyber security workforce at 4.7 million. It also indicates that the current workforce is 3.4 million workers short. That’s over 3 million positions waiting to be filled by qualified cyber security experts (nearly half a million of them in North America alone). (
According to the Bureau of Labor Statistics, top-paying employers in cyber security analytics include those in:
- Information services: $149,500
- Securities, commodity contracts, and other financial instruments: $142,000
- Research and development in the physical, engineering, and life sciences: $129,000
- Scientific research and development services: $128,500
- Software publishers: $126,000
- Publishing: $125,700
The average salaries of professionals with a Master's degree are between $91,000 and $109,000, respectively. About half of all professionals in this field hold a graduate degree. ( )
|University and Program Name||Learn More|
As a critical position in cybersecurity technology, CISOs can expect competitive compensation. CISOs earn an average salary of $100,000 per year—but sector, experience, and location impact earnings. Chances are you’ll make more working in New York City than in Youngstown, OH, and working in the business sphere pays more than working in the public sector or law enforcement.
ZipRecruiter lists the average salary for chief information security officers at $153,541. Salary.com lists the average base salary for CISOs at $222,930.
In any case, the short answer to the question ‘How much does a chief information security officer make?’ is: a lot.
CISO is the pinnacle of the information security job ladder, and getting there, unsurprisingly, takes quite a bit of time. There are exceptions, of course; you could become CISO of your friend’s bedroom startup fresh out of school, for example. However, for startups with serious funding and of course for established companies, you’re going to need years of experience and training. Job descriptions will usually ask for relevant technical degrees—typically a master’s degree or higher, seven or more years of experience in information security, a management background, hard IT skills like programming, and amazing communication skills.
The first step is completing a four-year bachelor’s degree in computer science, cybersecurity, or a related field.
Some of the best cybersecurity degree programs can be found at:
It’s common for a chief information security officer to hold an MBA, but more and more aspiring CISOs are completing master’s degree programs with an information security focus. You can also split the difference by looking at Master of Business Administration programs that offer concentrations in information security. These on-campus and online degree programs may also be called Cybersecurity MBAs or Information Security MBAs, but whatever they’re called, they give students the knowledge and tools to build careers that meld business administration and computer science.
Some of these degree programs can be found at:
During your university years, you’ll study management, economics, finance, and other business concepts along with cyber defense, IT forensics, data management, and many more information security concepts.
Becoming a chief information security officer means spending years in the field of data security. Many CISOs begin their careers in cybersecurity as security administrators, network administrators, system administrators, or programmers in some other field.
From there, they may become security analysts, security engineers, security auditors, or cybersecurity specialists. Before joining the executive team, most will serve as security architects, security consultants, security directors, heads of IT, or information security managers.
As you climb the ladder in cybersecurity, look for roles with titles that indicate leadership: manager, director, or VP.
According to Digital Guardian’s research, the majority (59 percent) of CISOs came up through IT and IT security while only 40 percent hold a degree in business.
IT researcher Larry Ponemon told SecureWorld that “the most prominent CISOs have a good technical foundation but often have business backgrounds, an MBA, and the skills needed to communicate with other C-level executives and the board.”
Becoming a CISO is about more than education or experience, however. Chief information security officers are expected to have a lot of technical skills, especially cybersecurity-focused ones.
For instance, a CISO is to be expected to understand:
CISOs don’t need to be licensed, but there are a lot of CISO certifications, and the good news is that you can start adding them to your resume years before you leap this executive position. Deciding which security certifications to pursue is difficult because there are many relevant programs.
You could become a:
There are many more applicable security certifications, and you should pursue those that interest you. Don’t neglect this essential element of becoming a chief information security officer because the candidates you’ll be competing against have numerous certifications.
Absolutely! More and more companies are hiring their first CISO, and the demand for CISOs is growing as the cybersecurity world, and the threats to digital assets evolve. While this position was, at one point, less critical than CIO or CSO, the role of CISO is quickly gaining clout in large organizations. Newsworthy (and hugely expensive) data breaches have helped awaken organizations to the dangers of lax information security, propelling this role into the c-suite.
All this means that if you’re willing to put in the work to become a chief information security officer, and you have the skills, determination, and willingness to work long hours, you’ll probably have no trouble finding a high-paying job.
Questions or feedback? Email firstname.lastname@example.org