InfoGuard Cyber Security and Cyber Defence Blog

The 1001 tasks of a Chief Information Security Officer (CISO)

Written by Michelle Gehri | 29 Aug 2017

Everybody agrees that information security is now one of the central themes in every enterprise. The dynamics of business, and the ever-changing requirements they produce, are nothing new; they remain a challenge for many enterprises, not least in cyber security. On top of that comes the growing uncertainty caused by current events, such as the frequent, aggressive malware campaigns like WannaCry or Petya. If a company wants to take cyber security seriously, it must appoint a Chief Information Security Officer (CISO). In a previous blog post we explained why you too need a CISO, what a good CISO does, and which challenges they have to take on. Now let us look in more detail at the duties a CISO has to fulfil.

Keep track of the duties of your CISO with our task list

We are all well aware that each company has its own requirements, and that there is no standard syllabus, certainly not in cyber security. Our proposal therefore covers the domains into which the duties of a CISO should be divided, and what each of them contains. You can keep your own specific tasks and deadlines under control and up to date in our PDF, which you can download for free. That way you always have an overview of which issues in which domain are approaching a deadline.



Together with our own CISO and security experts, we have tried to describe and summarise all of these tasks. The result is an 11-point plan which shows you, in simplified form, which tasks belong to which area:

Security Strategy / Architecture

The definition phase already decides to a large extent whether you will win or lose the security battle. Data protection, quality and security must be set straight from the very beginning. A successful security strategy and architecture does not consist only of infrastructure, hardware and software; it also covers risk and compliance management, IT and security governance, information security and data protection management, emergency preparedness and, of course, proactive prevention through education and awareness. The main challenge for the CISO in this area lies in the ever-increasing regulatory requirements that follow from the growing cyber risks. Today cybercriminals have many ways of reaching their targets besides breaching the infrastructure, and the CISO must address this full range of risks.

Selling InfoSec (Internal)

Information security must never be treated as "somebody else's problem". It belongs firmly among the tasks of top management and should shape the culture of the whole enterprise. Too often, however, cyber security receives too little attention. Your task as a CISO is to strengthen awareness throughout the enterprise and to secure the attention of management that the topic requires.

Risk Management

A living risk management system is the foundation of every security effort and therefore an essential part of managing the enterprise. To achieve effective, proactive protection, risks must be identified, analysed for their business impact, evaluated, and used to select appropriate countermeasures: either for the enterprise as a whole, or limited to individual aspects or systems, for instance physical security or employees. This topic must be at the top of your priorities!

(IT-)Governance

Even the most sophisticated security strategy leads nowhere if it is not aligned with the core management processes of the enterprise. As a CISO you must know the business and regulatory requirements, and you must be able to fulfil all of them together with your team.

Business Enablement

Business enablement aims at the complete integration of security structures, processes and tools into the enterprise. Security must be able to keep up with the ever faster pace of change in business processes, which is almost the rule nowadays. As a CISO your duty is to keep these processes constantly up to date and aligned with the needs of the enterprise.

Project Delivery Lifecycle

Almost every enterprise follows a typical project lifecycle. Your duty as a CISO is to ensure that (IT) security projects are correctly initiated, planned, executed and closed. Ask yourself which projects are currently under way in your company, enter them in your personal task and deadline list, and keep everything under control.

Identity Management

To keep your crown jewels safe, a functioning identity management system is an absolute must. Everybody must authenticate to the IT infrastructure as a named user, and everybody's rights and restrictions for accessing system resources must be defined, yourself included. As a CISO you must make sure, for instance, that even with high staff turnover the accounts of leaving staff are disabled and removed, and that sensitive data never falls into the wrong hands, whether through the guest WLAN or through an internal change of department. In the latter case you must also make sure that employees do not simply retain the privileges that belonged to their previous position.
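The two failure modes described above, leaver accounts that stay enabled and movers who keep their old department's entitlements, can be checked mechanically by reconciling the HR roster against the directory. The following script is an added example, not code from the original post or from InfoGuard: the HR and directory records are constructed inline, and the convention that department-scoped groups are named "dept-<department>-..." is an assumption made for the example.

```python
"""Joiner/mover/leaver reconciliation (added example, not the blog's own code).

Compares an HR roster against directory accounts and flags:
  * enabled accounts of people who have left (past an optional grace period),
  * enabled accounts with no HR record at all (orphans, e.g. forgotten service accounts),
  * active staff who still hold groups scoped to a department other than their current one.
All records below are constructed sample data; the group naming scheme
"dept-<department>-<resource>" is an assumption made for this example.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    user: str
    department: str
    active: bool
    left_on: Optional[date] = None


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    groups: frozenset = frozenset()


def department_of_group(group: str) -> Optional[str]:
    """'dept-finance-payroll-rw' -> 'finance'; groups outside the scheme -> None."""
    parts = group.split("-", 2)
    if len(parts) == 3 and parts[0] == "dept":
        return parts[1]
    return None


def find_leaver_accounts(hr: dict, accounts: list, today: date, grace_days: int = 0) -> list:
    """Enabled accounts whose owner has left (grace period expired) or is unknown to HR."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        rec = hr.get(acct.user)
        if rec is None:
            findings.append(f"{acct.user}: enabled account with no HR record (orphan)")
        elif not rec.active:
            # No leaving date recorded counts as "left today" so it is still caught.
            cutoff = (rec.left_on or today) + timedelta(days=grace_days)
            if cutoff <= today:
                when = rec.left_on.isoformat() if rec.left_on else "unknown date"
                findings.append(f"{acct.user}: enabled account, owner left on {when}")
    return findings


def find_retained_entitlements(hr: dict, accounts: list) -> list:
    """Active staff holding department-scoped groups that do not match their HR department."""
    findings = []
    for acct in accounts:
        rec = hr.get(acct.user)
        if rec is None or not rec.active:
            continue  # leavers and orphans are reported by find_leaver_accounts
        stale = []
        for group in sorted(acct.groups):
            dept = department_of_group(group)
            if dept is not None and dept != rec.department:
                stale.append(group)
        if stale:
            findings.append(f"{acct.user}: now in {rec.department}, still holds {', '.join(stale)}")
    return findings


# Constructed sample data: an HR export and a directory dump on the same day.
TODAY = date(2017, 8, 29)
HR = {r.user: r for r in [
    HrRecord("alice", "finance", True),
    HrRecord("bob", "sales", True),                      # moved from finance to sales
    HrRecord("carol", "it", False, date(2017, 8, 1)),    # left four weeks ago
    HrRecord("dave", "hr", False, date(2017, 8, 28)),    # left yesterday
]}
ACCOUNTS = [
    Account("alice", True, frozenset({"dept-finance-payroll-rw", "all-staff"})),
    Account("bob", True, frozenset({"dept-sales-crm-rw", "dept-finance-payroll-rw", "all-staff"})),
    Account("carol", True, frozenset({"dept-it-domain-admins"})),
    Account("dave", True, frozenset({"dept-hr-records-rw"})),
    Account("svc-backup", True, frozenset({"backup-operators"})),   # nobody in HR owns it
    Account("erin", False, frozenset({"dept-it-domain-admins"})),  # already disabled: fine
]


def reconcile(hr=HR, accounts=ACCOUNTS, today=TODAY, grace_days=3) -> dict:
    """Run both checks; grace_days lets a leaver's account survive a short handover."""
    return {
        "leavers": find_leaver_accounts(hr, accounts, today, grace_days),
        "retained": find_retained_entitlements(hr, accounts),
    }


if __name__ == "__main__":
    for kind, items in reconcile().items():
        print(kind)
        for item in items:
            print("  ", item)
```

With the sample data, carol and the orphaned svc-backup account are reported as leaver findings, dave is still inside the three-day grace period, and bob is reported because he moved to sales but kept the finance payroll group. In practice the two inputs would come from the HR system export and a directory query (for example an LDAP search for enabled accounts and their group memberships), and the script would run on a schedule with its findings fed into the ticketing process.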

Security Operation

Without doubt, security operations and technical IT security are among the key tasks of a CISO. In practice this can mean a number of different things: for instance, setting up and running a corporate Security Operations Centre, or outsourcing it to a specialised third party (Cyber Defence Centre as a Service). Enterprises are often short not only of the specialists needed to carry out such tasks properly, but also of budget; in either case the duties of security operations remain the same. This is where security monitoring, threat detection, incident and vulnerability management and cyber threat intelligence have their foundation, all of which strengthen cyber resilience.

Compliance Audits

A comprehensive review by a third-party specialist is advisable, not only to gain an overview of possible shortcomings and fix them, but also because it serves as a seal of quality towards third parties. Clients increasingly look for certifications, for instance against ISO 27001. Performing such conformity checks at regular intervals should be in the interest of every CISO. Only in this way can your enterprise keep its security up to date, and thus stay competitive.

Legal & Human Resources

Your duties as a CISO will bring you into contact with legal and staff-related issues, be it in recruiting, which has become a considerable problem because of the shortage of specialised personnel, in IT contracts, in data protection, and so on.

Budget - Make or Buy

Last but not least: security costs money, and cyber security is no exception. Budget planning is unavoidable and often has to cover a longer time span, which is difficult in an environment as dynamic as cyber security. Choose the path that is right for you: make or buy. And do not forget to include future staffing needs and the continual training of employees in your budget planning, because they are the most important capital in your enterprise!


Now notice how long your list of tasks and duties has grown! That is a good thing, because as a CISO you and your team are in charge of protecting your company's data, the crown jewels, and so you contribute greatly to the company's success. Prioritise your duties, and move ahead one step at a time.

We wish you full success in performing your CISO duties!