Governance & Compliance Glossary

CISO (Chief Information Security Officer)

The executive responsible for an organization's overall information security. The CISO is responsible for security strategy, risk management, compliance, and incident response—and serves as the direct link between technical IT security and senior management.

A CISO, the Chief Information Security Officer, is more than a technical expert: the role combines risk manager, communicator and strategic advisor in one person. At a time when cyberattacks rank among the top business risks and NIS2 makes executives personally liable for cybersecurity governance, the question "Do we need a CISO?" has long since been answered for many companies.

What a CISO Does—and What They Don’t

Core Responsibilities of a CISO

1. Security Strategy:

  • Develop a long-term security strategy (3–5-year horizon)
  • Establish and measure the security program
  • Plan the budget and present it to the board of directors/management
  • “What does security cost us vs. what does an attack cost us?”

2. Risk Management:

  • Identify, assess, and address security risks
  • Report risks to management / supervisory board
  • Define risk appetite: "What risks do we accept?"
  • Evaluate business decisions through a security lens

3. Compliance & Governance:

  • Keep the organization compliant with NIS2, GDPR, ISO 27001 and BSI IT-Grundschutz
  • Draft and enforce policies and standards
  • Support audits (internal and external)
  • Vendor/service provider security assessment

4. Incident Response:

  • Develop and practice an IR plan
  • In an emergency: Crisis communication with management and authorities
  • Lead the "war room" during major incidents
  • Post-incident: Lessons learned, root cause

5. Security Awareness:

  • Cultural change: Embed security as part of the corporate culture
  • Training programs for employees and executives
  • "Security Champion" programs

What a CISO is NOT

  • Not the only person responsible for security
  • Not just a technical firewall/server administrator
  • Not automatically the IT Director (often combined, but different roles!)
  • Not the owner of product security (that sits with the CTO and development; the CISO's program sets the requirements that product architecture has to meet)

CISO vs. IT Director vs. CTO

| Role | Focus | Security Responsibility |
|------|-------|-------------------------|
| CTO | Technology stack, product development, innovation | In product architecture (Secure by Design) |
| IT Director | Operation of IT infrastructure (servers, network, end devices) | Operational (patches, backup, firewall operation) |
| CISO | Security PROGRAM, risk management, governance | Cross-functional: CTO, IT Director, all business departments |

Typical Sources of Conflict

  • IT Director wants to patch quickly → CISO wants a process
  • CTO wants a new cloud platform → CISO wants a risk assessment first
  • Sales wants customer data quickly → CISO: GDPR check required

> Good solution: the CISO reports directly to the CEO or the supervisory board, not to the CIO/IT Director, whose own operations the CISO has to assess (conflict of interest!)

Types of CISOs—which one fits which company?

1. Internal CISO (full-time, employed)

  • For companies from roughly 500–1,000 employees upward, or KRITIS (critical infrastructure) operators
  • Advantages: deeply embedded in the company, knows all processes
  • Disadvantages: expensive (€120,000–200,000 annual salary), hard to find
  • Good for: banks, hospitals, industrial companies, government agencies

2. Part-time CISO (Fractional CISO)

  • External expert, 1–3 days/week
  • Advantages: more affordable, immediately available, broad experience
  • Disadvantages: less available during crises
  • Costs: €10,000–25,000/month
  • Good for: SMEs, scale-ups, companies requiring ISO 27001 certification

3. Virtual CISO (vCISO)

  • Service model: Consulting hours on demand
  • Advantages: highly flexible, cost-effective
  • Disadvantages: no deep integration into the company
  • Costs: €5,000–15,000/month
  • Good for: Startups, SMEs with up to 100 employees

4. CISO-as-a-Service

  • Structured program offered by security consulting firms
  • Includes: ISMS implementation, policies, awareness training, reports
  • Comprehensive security program without a full-time CISO
  • Good for: NIS2-affected companies without internal capacity

CISO and NIS2 - Personal Liability

> NIS2 Directive (Art. 20), responsibility of management bodies:
> "The management bodies [...] are responsible for compliance with the obligations under this Directive."

What this means in practice

  • Managing directors/board members can be held personally liable for breaches of the cybersecurity risk-management obligations
  • The liability sits with management, not with the CISO
  • Fines (imposed on the entity): up to €10 million or 2% of global annual turnover, whichever is higher, for essential entities; up to €7 million or 1.4% for important entities

Role of the CISO in NIS2

  • CISO advises management on security risks (advisory role)
  • CISO provides evidence: risk analyses, measures, audits
  • CISO coordinates incident reports to the BSI (Germany's competent authority); NIS2 Art. 23 requires an early warning within 24 hours, an incident notification within 72 hours and a final report within one month of a significant incident
  • Management decides, CISO advises and documents

Protection for managing directors

  • Read and document CISO reports regularly
  • Actively approve security measures (board minutes)
  • Allocate a budget for security
  • If CISO recommendation is "rejected" → document this in writing!

Managerial Liability for Ignoring CISO Recommendations

  • If the CISO issues a warning and the CEO ignores it → the CEO is liable
  • If the CISO fails to issue a warning that was due (error) → the CISO can be held liable internally, toward the company; the external responsibility under NIS2 stays with management

CISO Qualifications and Certifications

Technical Background

  • Background: IT security, computer science, network technology
  • Practical experience: often 10–15 years prior to CISO role

Important Certifications

CISSP (Certified Information Systems Security Professional):

  • ISC2 (formerly written ISC²), widely regarded as the benchmark certification for CISOs
  • 8 domains: Security and Risk Management, Asset Security, Security Architecture and Engineering, Communication and Network Security, Identity and Access Management (IAM), Security Assessment and Testing, Security Operations, Software Development Security
  • Prerequisite: 5 years of cumulative paid work experience in two or more of the eight domains (one year can be waived with a relevant degree or approved credential)
  • Exam: computer-adaptive (CAT) format; ISC2 adjusts the length periodically (125–175 items under the 2022 version, 100–150 items since the April 2024 update)

CISM (Certified Information Security Manager):

  • ISACA - Management-focused
  • Focus: Governance, Risk Management, Incident Management
  • Good for: Manager’s perspective, less technical than CISSP

CRISC (Certified in Risk and Information Systems Control):

  • ISACA - Risk management focus
  • Good for: GRC specialists, risk officers

ISO 27001 Lead Auditor / Lead Implementer:

  • Practical ISMS expertise
  • Good for: CISOs with ISO 27001 responsibilities

Others: CCSP (Cloud), GIAC GSLC (Leadership), CISA (Audit)

CISO Reporting: What the Board Wants to See

Don’t Show

  • “We had 3,472 SIEM alerts”
  • Technical CVE lists
  • Detailed firewall statistics

Instead, show

1. Risk Traffic Light:

  • Overall risk: MEDIUM (was HIGH last month)
  • Improvement due to: MFA rollout completed

2. Top 3 Risks:

  1. Ransomware via email: HIGH → Action: Email gateway
  2. Unpatched vulnerabilities: MEDIUM → Patch process in progress
  3. No 24/7 monitoring: MEDIUM → MDR quote received

3. Incidents:

  • Last month: 0 severe, 2 moderate (both resolved)

4. Compliance Status:

  • NIS2: 40% implemented (Q4 target: 80%)
  • ISO 27001: Stage 2 audit scheduled for June

5. Budget Status:

  • Spent: €45,000 of €120,000 (37%)
  • Next major investment: MDR service (€40,000/year)