Understanding the chief information security officer: Qualifications and responsibilities for cybersecurity leadership

Abstract

As cyberattacks on businesses and critical infrastructure grow in sophistication and frequency, the Chief Information Security Officer (CISO) has become a pivotal role in organizations, tasked with leading cybersecurity programs and reducing risks to organizational assets. Given the importance of the position, this study seeks to expand on the sparse literature on the role of the CISO and provide insights on current position requirements and responsibilities to guide and inform higher education cybersecurity management programs as well as aspiring cybersecurity leaders. To better understand this critical role, this study uses a combination of natural language processing methods and manual information extraction to provide an in-depth dive into the responsibilities and requirements of the role through a comprehensive analysis of 250 CISO job postings listed across 27 nations. The results of the analysis showed that nearly 99 % of positions required prior professional experience, with 10 years being the most common experience requirement. Employers highly valued bachelor's or master's degrees in STEM or business fields, vendor-neutral certifications like the Certified Information Systems Security Manager (CISSP) or Certified Information Security Manager (CISM), strong communication skills, and knowledge of regulatory frameworks and cybersecurity standards. In contrast, technical expertise in cybersecurity platforms, programming skills, and security clearance were less frequently required, as were travel commitments. Current CISO responsibilities and requirements also emphasize the strategic and business-facing nature of the role, with an emphasis on strategic & management-level tasks, rather than tactical, technical tasks. Higher education programs seeking to train the next generation of cybersecurity leaders, as well as information technology, cybersecurity, or management professionals aspiring to obtain a CISO position should note the role requirements currently in demand by industry, as well as the strategic and management-focused tasks commonly assigned to the role and prepare accordingly.