How do I know when our VP of security is ready to become a CISO?

334 views, 1 upvote, 4 comments

Director in Construction, 1,001 - 5,000 employees
Totally and completely dependent on the organization. In some large global organizations there might be a VP of Security that is responsible for the entire organization, with hundreds of staff and significant responsibility for the protection of information. Other organizations might have a CISO with 3 people reporting to a CIO, with very little capability to govern the protection of data.
A VP of Security potentially is more of an operational role, responsible for the cyber security controls, monitoring, incident response, etc., and a CISO could be considered more of a management role with the goal of developing strategy, culture and risk profile. Also, in some organizations having a "C" title may indicate something legally, but that isn't formalized and is very dependent on the organization.
Unless the individual reports to the CEO and has the capability to report to the board independent of org structure, calling someone a CISO is (in general) a title without meaning.
VP, CISO in Finance (non-banking), 501 - 1,000 employees
A CISO position requires demonstration of a high level of strategic vision, the ability to work with senior management and the Board of Directors, and a significant level of financial acumen. In some organizations, the CISO position is also expected to represent the organization at industry events and participate in professional panels. All of these characteristics should be confirmed before promoting a VP-level security position to a CISO position. Attainment of a CCISO certification would also be beneficial.
Director of IT in Education, 5,001 - 10,000 employees
Interesting question, but confusing: is there already a CISO in the organization, or are you creating the CISO position or promoting the VP to the CISO position?

The CISO should be an officer-level position responsible for creating and enforcing information security policies and ensuring information assets and IT technologies are adequately protected.

Ideally, the CISO should have a separate budget from the CIO and report to the CEO, to maintain some independence from the CIO, sort of a check-and-balance system.
Director of Enablement, 501 - 1,000 employees
I see a VP of Security as likely taking a strategic view of security operations: InfoSec, AppSec, Architecture. Their focus is primarily on managing the daily running and direction of the implementation.

However, a CISO is focusing more on organisational strategy, covering GRC and managing certifications.

While you might have one person doing both roles (and there is indeed overlap), a VP of Security and a CISO can be seen as distinctly different entities in some businesses.
