They Said a CISO Does What?

They Said a CISO Does What?

The cybersecurity industry had challenges with bringing in new blood and facilitating the career growth.  Misinformation has unfortunately played a part in making various roles appear unattainable, when we should be doing the opposite.  We should be embracing flexibility, identifying opportunities, and most of all discussing realistic expectations and roles.

Who writes this stuff? 

I stumbled upon an article titled “Know more about colleges, jobs, and courses to become a CISO” where they outline the role and qualifications of a CISO.

According to this misguided article, apparently qualifications for a Chief Information Security Officer (CISO) requires:

 “Understanding of SMTP, DNS, HTTP, Network routing, VPN, and other technologies”

Nope, you have confused us with network engineers/architects.  We know what these protocols, languages, tools, and architectures are, but likely would not be qualified to design, configure, troubleshoot, or readily determine the specifics if someone is abusing them.  That is why we leverage highly specialized technical experts for configuration and comprehensive inspection.


“Understanding of Digital Millennium Copyright Act, trademark, intellectual property, Safe Harbor Provisions, GDPR, and other federal and international legal precedents…” 

You have mistaken us for our close partners, the lawyers and privacy experts.  Each of these areas requires a high degree of expertise.  Even a small error can become a big legal problem.  CISO’s know these areas but are not the experts.  Again, we partner with others.


“Ability to read and analyze multiple log formats”

I don’t know of a single CISO who spends their days analyzing logs.  That is a SOC level 1 or level 2 function.  Important, but the CISO’s time is not well spent on log analysis!


Also, as a kicker, the author has signed us CISO’s up to make “a framework for risk-free and scalable operations “.  Risk FREE.  Wow, good luck with that.  The proper function of a CISO is to manage risks to an acceptable level.  We cannot eliminate all risk.  Even if it were technically possible, which it is not, it would be infeasible due to extreme cost and added friction for users.


I call all this out because misinformation is harming our industry by setting inaccurate expectations.  We must clean up job descriptions and clarify the actual roles and responsibilities of positions. 



Thanks for watching and reading! I put out a new video about every week on various cybersecurity topics, risks, ideas, events and best practices. If you like these cybersecurity videos and are interested in more cybersecurity insights, rants, and strategic viewpoints, please click the Like button and Subscribe to the Cybersecurity Insights channel

Follow me on:

E-mail me when people leave their comments –

CISO and Cybersecurity Strategist

You need to be a member of CISO Platform to add comments!

Join CISO Platform

RSAC Meetup Banner

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)