The Taxonomy of CISO Roles

The CISO position has become a coveted role in the ever-evolving business landscape, turning into somewhat of a “hot potato” within organizations seeking to fortify their cybersecurity defenses. To shed light on the complexities surrounding the CISO role, I have dissected various categories of CISO positions, providing insights for candidates, employers, employees, and recruiters to navigate the multifaceted nature of what a CISO embodies in different contexts and how this pivotal position can evolve over time.

Alex Bodryk
4 min read · Jul 28, 2024

Micro-CISO / Any key CISO (1/3)

  1. Designation — security analyst, engineer or specialist for cyber or information security — the only security guy out there.
  2. Team & budget — none.
  3. Reporting line — Head of IT Infrastructure, sometimes within Internal control or Risk management (for FSI).
  4. Skills — medium hard skills (2/3), basic soft skills (1/3).
  5. Years of experience — 2–5.
  6. Authority — primarily within IT.
  7. Remuneration — 12–15k AED/monthly (UAE), globally in line with a mid-level Windows support engineer.
  8. Career development options — cybersecurity technical roles (easy), Mini-CISO (hard, advanced soft skills have to be there), cybersecurity governance roles (medium difficulty).

Mini-CISO (2/3)

  1. Designation — Information security manager, business information security officer.
  2. Team & budget — there is either a team or a budget.
  3. Reporting line — CIO, CSO, CRO, sometimes within a business division.
  4. Skills — medium hard skills (2/3), advanced soft skills (3/3) and basic business skills (1/3).
  5. Track record — the employer would prefer some prior familiarity with the candidate, such as a referral, before making an offer.
  6. Years of experience — 5–15 years.
  7. Authority — primarily within their division and related support functions (Security, Legal, HR).
  8. Remuneration — 20–40k AED/monthly (UAE), globally in line with head of IT server or network operations, can have some bonus.
  9. Career development options — CISO, security solution architect (sell side), growing and enjoying scope as organization grows, project/portfolio management roles within IT like Product Manager.

CISO (3/3)

  1. Designation — Head of Information / Cyber Security (team or division).
  2. Team & budget — there are both.
  3. Reporting line — CIO, CSO, CRO or Legal (for B2B businesses).
  4. Skills — basic hard skills (1/3), advanced soft skills (3/3), medium business skills (2/3).
  5. Track record — the employer would prefer some prior familiarity with the candidate, such as a referral/introduction, before making an offer. Employment history has to be clear.
  6. Years of experience — 7–20.
  7. Authority — usually the entire HQ; regions / subsidiaries are quite independent. Sometimes covers additional functions — Physical Security, Travel Security, BCP, Fraud Management (FSI), Revenue Assurance/Lawful Interception (Telco) etc.
  8. Remuneration — 30–50k AED/monthly (UAE), globally in line with remuneration of head of IT infrastructure operations, usually also a bonus and sometimes incentives are tied to internal company capitalization or stock price.
  9. Career development options — CIO, CTO, Macro-CISO, Field CISO, Security Consultant (Sell side), growing and enjoying scope as organization grows, program/portfolio management roles within IT.

Macro-CISO (4/3)

  1. Designation — Group Information / Cybersecurity Director (stands at CIO level or one level below), CISO.
  2. Team & budget — at the very least 5 people and USD 1m; can reach 1000 people and hundreds of dollars budget for large global organizations like top banks.
  3. Reporting line — Legal, CSO, Head of Internal Control, Head of Enterprise Risk Management, CTO or COO, rarely CEO or President.
  4. Skills — medium hard skills (2/3), advanced soft skills (3/3), advanced business skills (3/3, including leadership).
  5. Track record — Security research, press references and strong reputation are essential.
  6. Years of experience — 10–25.
  7. Authority — group-wide. Covers at least one additional function — Physical Security, Travel Security, Executive Security, BCP, Fraud Management (FSI), Revenue Assurance/Lawful Interception (Telco) etc.
  8. Remuneration — 50–70k AED/monthly (UAE), globally in line with remuneration of head of ERP delivery, also a bonus and quite often incentives are tied to internal company capitalization or stock price.
  9. Career development options — often almost any executive in tech organizations, risk, compliance or technology roles in other kinds of organizations.

Mega-CISO (5+/3)

  1. Designation — Executive/Managing Director Cybersecurity, CSO, SVP/EVP Cybersecurity (stands at CIO level or above).
  2. Team & budget — at least 15 people.
  3. Reporting line — CEO, President, sometimes COO, CTO or strong Deputy CEO in a bank.
  4. Skills — medium hard skills (3/3), advanced soft skills (3/3), advanced business skills (3/3, including leadership) and emotional intelligence at least medium (2/3).
  5. Track record — Unique requirement for each case.
  6. Years of experience — 15+.
  7. Authority — group-wide. Covers at least three additional functions — Physical Security, Travel Security, Executive Security, BCP, Fraud Management (FSI), Revenue Assurance/Lawful Interception (Telco), Group Compliance etc.
  8. Remuneration — 70k AED/monthly+ (UAE), but usually a unique figure, as the position is unique to the specific organization. As a rule there is a long-term incentive tied to internal company capitalization or stock price.
  9. Career development options — changing industries, or taking on a new function within the very same organization under scope.

In conclusion, the diverse landscape of CISO positions provides a vast array of opportunities and intellectual challenges to candidates, employers, employees, and recruiters. Grasping what a CISO signifies in various scenarios paves the way for enhanced security resilience, happier employee-employer relationships and effective cybersecurity organizational design. This is also a vital part of the Roles & Responsibilities subcategory of the NIST Cybersecurity Framework 2.0.
