What does a CISO do and why it’s crucial they are on the board

The Chief Information Security Officer (CISO) role has come a long way since its genesis in the mid 1990s, when pioneer Steve Katz became the world’s first CISO for the newly formed Citicorp/Citigroup following a critical data security breach. Then, CISOs spent their tenures lobbying for greater budgets to commit to security, only for the executive leadership team – in the event of the inevitable cyber attack – to end up asking ‘What happened?’ and ‘Why/how did we not prevent it?’. Thirty years later, as the global digital landscape accelerates at full speed into the future, more and more candidates are asking ‘What does a CISO do today?’. We took a closer look at the CISO role with two Robert Half executives, Patrick McKinney and Craig Bernhardt, and at why it’s crucial they’re on the board of any organisation whose complexity, risk exposure or regulatory obligations call for dedicated executive leadership.
Since the mid-90s, protecting companies against cyber-attacks has raced up the agenda. Security specialists have grown in stature from high-end technical consultants to critical executive leaders working across every facet of a business. In 2024, the role of a CISO is a pivotal one in any organisation that handles large amounts of data, is highly regulated, or is at risk of cyber-attack. “The responsibilities of – and challenges facing – today’s CISOs are far reaching,” says Robert Half’s Managing Director of Executive Search, Patrick McKinney. A specialist in C-suite and senior leadership engagements across a broad spectrum of market sectors, Patrick’s client base includes Private Equity (PE) firms, ASX-listed businesses across a range of industries, and a variety of emerging technology firms.

“What does a CISO do today? In addition to leading the strategy for the business, board reporting, and executive leadership, the CISO will lead risk assessment and mitigation, policy development, compliance, and reporting. They will lead a team to design and maintain their organisation’s security architecture, and evaluate and implement emerging technology.

“It is well understood that the reasons behind data breaches are often as much a consequence of the unintended missteps of employees as they are the nefarious work of bad actors. Beyond their technical expertise, CISOs today are well placed to foster a culture of continuous awareness, vigilance and ongoing training, as well as one which encourages employees to speak up if they believe sensitive information could have been compromised. All too often, the seriousness of data breaches and attacks is exacerbated as employees fear the ramifications of alerting others to a mistake.

“With the average cost of a data breach in Australia in 2024 currently $3.35 million per breach, an increase of a staggering 9.8% year on year, today’s CISO must also be ever-ready to lead the response to incidents when they do occur.”
Though reporting structures will vary depending on a company’s size, industry, or hierarchy, the CISO typically reports to the CEO or another C-suite executive. When reporting directly to the CEO, the CISO has direct access to the highest levels of decision-making within the business. Differing reporting lines tend to reflect how the business strategically aligns cybersecurity with its operational, financial, or IT functions. A common question, in addition to ‘What does a CISO do?’, is ‘What are the differences between a CISO and a Cyber Security Director?’. Patrick McKinney explains: “This depends almost entirely on the size and structure of the organisation as well as the industry sector. In a larger environment, a CISO will set the structure of the business’s IT security framework to align with the overall strategic objectives of the company. They will often operate as a peer to the CIO and report directly to the CEO. The Director of Cyber Security in this instance will be the one responsible for the day-to-day management of the cyber security program and direct oversight of security operations in a more hands-on capacity.

“Title nomenclature can also be sector-specific, and in smaller or less complex environments the role of Cyber Security Director will have responsibility for the implementation and delivery of an organisation-wide strategy as well as the creation and management of effective security controls.

“In both instances, this pivotal function acts as an advocate and champion for cyber security across an organisation. Through fostering a positive culture around security, the effective CISO will drive appropriate behaviour and build increased awareness of and interest in the topic across a business. The best CISOs move information security out of the realm of IT and into the consciousness of everyone throughout the business. In today’s world, it is one of the most important leadership appointments an organisation can make.”
In contrast to broader Australian women in tech leadership statistics, some of Australia’s most notable cyber security experts are women. Three of the four keynote speakers at the 13th CISO Leaders Australia Summit, held in Sydney in May 2024 – Katherine Jeffrey, Celeste Lowe, and Nivedita Newar – are three examples. Rachael Falk was Telstra’s first GM of Cyber Influence. With a background in commercial law and cyber security, Rachael practised as a lawyer at top-tier firms in Australia and the UK before joining Telstra. She’s now the CEO of the Cyber Security Cooperative Research Centre and is considered one of Australia’s pre-eminent industry experts and commentators. Abigail Bradshaw CSC began her career in the Royal Australian Navy, which led to senior government roles in risk and security before she was named Head of the Australian Signals Directorate’s Australian Cyber Security Centre. Meanwhile “renowned problem solver and strategist” Dr Maria Milosavljevic transitioned from the Australian Government, where she had been both the inaugural NSW Government CISO (establishing a new whole-of-government function responsible for cyber security) and the inaugural Chief Data Integration Officer at the Department of Defence, before taking on the role of CISO with ANZ in 2023.
Here are five reasons why it’s considered crucial to have a CISO on the board. Craig Bernhardt, Senior Managing Director of Executive Search at Robert Half and a seasoned leader with two decades of global experience in executive search, explains: “With a CISO representing security matters on a company’s board, they can directly communicate what is happening in the business to its ultimate decision makers. Security matters can be highly technical and complex, often getting ‘lost in translation’ without an expert advocating for them on a permanent basis, so having a CISO on the board ensures dedicated attention and resources are allocated to protect the business.”

The CISO also understands how fast the security landscape is changing and, of all board members, will be the one most in tune with the evolving nature of the industry and the complexity of cyber threats. Internally, their impact is just as great: a CISO can share the latest insights with C-suite colleagues, enabling them to understand and appreciate risk in the context of the bigger picture. Strategically, while a CISO is constantly monitoring systems, they are also developing policies, training plans, and updates. In the boardroom, they can help everyone take a proactive approach to security, because their vision will influence others. With a CISO on the board, a company is much more likely to improve its security posture before an attack takes place.

“Organisations with a substantial number of employees – typically 1,000 or more – and complex IT infrastructures require dedicated leadership for cybersecurity,” Craig continues. “Likewise, companies operating in multiple countries face diverse regulatory requirements and a broader threat landscape, necessitating the strategic oversight a CISO brings to the table.” Fast-growing companies that are scaling their operations, customer base, and/or technology infrastructure should also consider appointing a CISO to manage expanding cybersecurity risks. And if a business is undergoing significant digital transformation, such as adopting cloud services or IoT, it’s critical to have a CISO on the board to ensure security is integrated into all new technologies and processes.
No rest for the CISO! The role is constantly evolving in response to emerging trends and technologies impacting cybersecurity, and aspiring CISOs should be committed to understanding how technology continues to shape the field. For example:

- AI and machine learning are being increasingly used in cybersecurity for threat detection, anomaly detection, and automated response capabilities.
- Zero-trust security assumes that threats exist both inside and outside the network, so processes and strategies are needed regardless of whether people are inside or outside the network perimeter.
- With organisations increasingly adopting cloud services and migrating workloads to cloud environments (public, private, or hybrid), ensuring robust cloud security has become paramount.
- The proliferation of IoT (Internet of Things) devices in workplaces and homes introduces new risks – especially with so many people working in hybrid roles or from home full-time – due to their often inadequate security measures and potential for exploitation in large-scale attacks.
- Ransomware and cyber extortion attacks continue to evolve, with perpetrators increasingly using sophisticated tactics to encrypt critical data and demand ransom payments for decryption keys.

A modern CISO is someone with deep technical expertise who can represent risk and security at board level but who is also adept at communicating with executives at every level. They are skilled leaders, influencing the strategic decisions of their C-suite colleagues and of those using technology every day. Their role impacts everyone in a business; their specialist knowledge ultimately helps to protect against the potentially devastating personal (and commercial) impacts of a cyber-attack. A successful CISO will combine business acumen and technical skills.
No longer the lone voice in the corner pressuring boards for greater budgets to protect a business and its greatest asset – its people – CISOs are now trusted advisers in the boardroom, influencing strategic decisions that integrate cybersecurity as a foundational component of business operations.
What are the roles and responsibilities of a CISO?

The CISO is responsible for overseeing an organisation's cybersecurity strategy and implementation. Their role includes leading risk assessment and management, developing and enforcing security policies and procedures, ensuring compliance with regulatory requirements, and overseeing incident response and disaster recovery efforts. CISOs collaborate closely with executive leadership and IT teams to integrate security measures into business operations, educate employees on best practices, and stay ahead of evolving cyber threats through continuous monitoring and adaptation of security technologies and practices.

What skills and qualifications are needed to be a CISO?

To become a CISO, individuals typically need a blend of technical expertise, leadership skills, and business acumen. They’ll be effective communicators, strategic planners, and collaborators. Required qualifications often include a degree in computer science, IT, or a related field (e.g. law), coupled with certifications such as CISSP (Certified Information Systems Security Professional) or CISM (Certified Information Security Manager), both widely recognised in Australia. Key skills include a deep understanding of cybersecurity principles, risk management, and compliance frameworks.

What is the difference between a CISO and a CIO?

The CISO and CIO play distinct yet complementary roles within a leadership team. While the CISO focuses primarily on cybersecurity, the CIO is responsible for the overall technology strategy and infrastructure, aligning IT systems with business goals, driving innovation, and managing IT operations and projects.

How does a CISO report to the board of directors?

A CISO reports to the board of directors by providing regular updates on the organisation’s cybersecurity posture, risks, and compliance status. They will develop and present reports outlining emerging threats, incidents, and the effectiveness of current security measures. They’ll also educate the board on cybersecurity best practice and trends, translating technical details into strategic insights that align with business objectives.