Chief information security officer (CISO) job description.

What does a chief information security officer (CISO) do?

 

The chief information security officer (CISO) leads an organisation’s cyber strategy at the highest level, protecting systems, data, and reputation. As part of the executive team, the CISO manages risk, sets policy, and ensures the business remains compliant and resilient in the face of evolving threats.

 

Key responsibilities include owning enterprise security frameworks, overseeing risk management, leading incident response planning, and reporting to the board on cyber posture. They also manage global security teams, liaise with regulators, and collaborate across departments including legal, HR, IT, and finance.

 

In scale-ups, the CISO balances strategy with hands-on delivery. In global enterprises, they oversee multi-region operations, align cyber security with business transformation, and lead on emerging topics like third-party risk, AI safety, and regulatory exposure.

 

Key responsibilities of a chief information security officer (CISO).

 

The CISO owns enterprise-wide security strategy and risk posture. Their responsibilities include:

• Defining the security vision aligned with executive leadership and compliance mandates

• Leading security teams across operations, risk, engineering, and governance

• Managing cyber risk strategy and supporting board-level decision-making

• Overseeing compliance with ISO 27001, NIST, GDPR, and other frameworks

• Managing incident response and disaster recovery planning

• Reporting security performance and risks to the board or audit committees

• Leading security policy development and enforcement

• Evaluating emerging threats, tools, and defensive capabilities

• Managing budgets and relationships with external vendors or regulators

• Driving a security-first culture across the business

This role blends strategic leadership, governance, and enterprise risk accountability.

 

Skills and requirements for a chief information security officer (CISO).

 

CISOs define company-wide security policy and lead risk strategy. Employers typically look for:

• 12+ years of experience in cyber security, risk, or information assurance

• Board-level experience managing enterprise security posture

• Expertise in policy, governance, architecture, and compliance

• Proven leadership of security, GRC, and incident response teams

• Strong knowledge of cloud security, access control, and encryption

• Skilled in vendor negotiation, insurance, and regulatory compliance

• Experience implementing frameworks like ISO 27001, NIST, or CIS

• Excellent stakeholder communication and crisis management skills

• Confidence balancing business operations and risk mitigation

Most CISOs report directly to the CEO, leading organisational security.

 

Average salary for a chief information security officer (CISO).

 

In the UK, the average salary for a chief information security officer (CISO) typically ranges from £90,000 to £130,000, reflecting responsibility for organisational cyber strategy and risk governance.

• Mid-level CISOs in growing firms tend to earn between £90,000 and £110,000

• Senior CISOs in enterprise or regulated environments can earn between £111,000 and £130,000

• Compensation often includes performance bonuses, long-term incentives, or equity

Salaries peak in financial services, government, and large-scale technology businesses.

 

Career progression for a chief information security officer (CISO).

 

A chief information security officer (CISO) sets the vision, policy, and governance for information security across an organisation. As a C-suite executive, the CISO ensures protection of systems, data, and intellectual property. Career progression into this role typically includes:

 

Security analyst / Engineer

 

Executes technical protection measures and helps manage early-stage threat response.

 

Cyber security manager / Architect

 

Oversees strategy, tooling, and cross-departmental risk management.

 

Head of cyber security / Director of information security

 

Leads incident response, audit preparation, and enterprise-wide security implementation.

 

CISO

 

Sits on the executive team. Manages cyber risk, liaises with the board, and owns global security policy and investment.