How do I know when our VP of security is ready to become a CISO?
VP, CISO in Finance (non-banking), 501 - 1,000 employees
A CISO position requires demonstration of a high level of strategic vision, ability to work with senior management and the Board of Directors and a significant level of financial acumen. In some organizations, the CISO position is also expected to represent the organization at industry events and participate on professional panels. All of these characteristics should be confirmed before promoting a VP level security position to a CISO position. Attainment of a CCISO certification would also be beneficial.
Director of IT in Education, 5,001 - 10,000 employees
Interesting question, but confusing: is there already a CISO in the organization? Or are you creating the CISO position or promoting the VP to the CISO position?
The CISO should be an officer-level position responsible for creating and enforcing information security policies and ensuring information assets and IT Technologies are adequately protected.
Ideally, the CISO should have a separate budget from the CIO, and report to the CEO, to maintain some independence from the CIO, sort of a check and balance system.
Director of Enablement, 501 - 1,000 employees
I see a VP of Security is likely taking a strategic view of security operations. InfoSec, AppSec, Architecture. Their focus is primarily around managing the daily running and direction of the implementation. However, a CISO is focusing more on organisational strategy, covering GRC and managing certifications.
While you might have one person doing both roles (and there is indeed overlap), a VP of Security and CISO can be seen as distinctly different entities in some businesses.
A VP of Security potentially is more of an operational role responsible for the cyber security controls, monitoring, incident response, etc., and a CISO could be considered more of a management role with the goal of development of strategy, culture and risk profile. Also, in some organizations, having a "C" title may indicate something legally, but that isn't formalized and is very dependent on the organization.
Unless the individual reports to the CEO and has a capability to report to the board independent of org structure, calling someone a CISO is (in general) a title without meaning.