What a CISO Actually Does vs What People Think They Do

September 21, 2023

The public image of a CISO is someone who understands every technical detail of an organisation's security architecture and commands a team of specialists who protect the organisation from external threats. The reality is that most of the job involves sitting in meetings, writing documents, and persuading people who do not work in security to make different decisions. The technical authority is real, but it is not where the time goes.

This matters because organisations that hire a CISO expecting a senior technical resource often end up with a dysfunctional arrangement. The CISO spends their time on governance and reporting, the technical team feels under-directed, and the board wonders why the person they are paying for security leadership does not seem to be doing much. Getting clarity on what the role actually involves is a prerequisite for structuring it correctly.

Risk Translation Is the Core Job

The most important function a CISO performs is translating between the technical security team and the business leadership. Security teams think in terms of vulnerabilities, attack surfaces, and control gaps. Boards and executives think in terms of business outcomes, financial exposure, and organisational reputation. Those two languages do not map directly onto each other, and without someone who is fluent in both, security programmes become disconnected from the decisions that actually shape the organisation's risk posture.

A CISO does this translation in every direction. They explain to the board why a specific risk warrants investment. They explain to the technical team why a particular initiative has been deprioritised. They explain to regulators what the organisation's security controls are designed to achieve. They explain to the sales team why a customer's security questionnaire requires a detailed response rather than a one-line answer. None of that is technical work. All of it requires deep security understanding combined with organisational and political awareness.

Stakeholder Management Takes More Time Than People Expect

A CISO who cannot manage relationships with the CFO, the CEO, the IT leadership, the legal team, and the operational business units will not be effective regardless of their technical capability. Security programmes depend on cooperation from teams that have other priorities. Controls require funding that competes with other investment decisions. Policies require compliance from staff who may not see the point. None of that happens through technical authority alone.

In practice, a significant portion of the CISO's week involves one-on-one conversations with stakeholders, preparing for executive meetings, reviewing documentation before it goes to the board, and working through disagreements about risk appetite with business unit leaders. A CISO who retreats into the technical layer because they find the stakeholder management uncomfortable leaves a gap that nobody else fills.

Programme and Governance Ownership

The CISO owns the security programme, which means they are accountable for defining what it contains, sequencing it correctly, tracking progress, managing the budget, and reporting on outcomes. That is a programme management function with security expertise on top. It requires the ability to manage a portfolio of initiatives across multiple teams, maintain a coherent risk register, and keep the programme aligned with business priorities as those priorities change.

Governance is the structural side of this. Policies, standards, exception processes, risk acceptance procedures, and compliance reporting all sit with the CISO. Getting these structures in place and keeping them current is time-consuming and unglamorous work, but without it the security programme has no backbone. Organisations that skip governance in favour of more visible technical controls often find themselves unable to demonstrate their security posture to auditors, customers, or regulators when they need to.

What a CISO Does Not Do

A CISO does not typically configure systems, manage patches, operate a security operations centre, or respond hands-on to incidents. Those activities sit with the technical security team or with a managed service provider. The CISO provides direction and escalation authority during incidents, but they are not the person in the command shell. Expecting a CISO to carry operational responsibilities alongside strategic and governance responsibilities is a structure that fails in both directions: the strategic work gets deprioritised when incidents happen, and the operational team lacks a clear technical lead.

This is one of the reasons the vCISO model works well for organisations that already have a functional IT or security operations capability. The vCISO provides the strategic leadership, governance, and risk management that the operational team lacks. The operational team provides the execution capability that the vCISO does not deliver. When those two things are in place and clearly separated, the model functions. When they blur together, neither side works effectively.

  • Strategy development and multi-year programme ownership
  • Risk register management and executive risk reporting
  • Board and stakeholder communication
  • Policy, standards, and governance framework ownership
  • Compliance programme management and regulatory engagement
  • Incident direction and escalation authority (not hands-on response)

To discuss what a CISO function looks like for your organisation, contact Cyberlinx at info@cyberlinx.com.au.

Table of Contents
Resource Type
Blogs
Category
Cyber Strategy
Written by
Saaim Khan
Chief Innovation Officer
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?