CISO (Chief Information Security Officer)

A Chief Information Security Officer (CISO) is the senior executive responsible for an organisation's information and cyber security strategy, governance, and risk management programme. The CISO aligns security investments with business objectives, oversees incident response, manages security teams, and reports to the board on the organisation's security posture. Many mid-sized companies access CISO-level expertise through the virtual CISO (vCISO) model.

What Is a CISO?

The Chief Information Security Officer (CISO) is the C-suite executive who owns the organisation’s information security programme. The role emerged in the 1990s as organisations began to recognise that security decisions required both deep technical knowledge and strategic business thinking — a combination that could not be left to IT directors alone or delegated to external vendors.

Today, the CISO role has expanded considerably beyond its technical origins. A modern CISO is responsible for governance, risk management, regulatory compliance, third-party security relationships, incident response leadership, security culture, and board-level communication — not just firewall configuration and vulnerability scanning.

Core Responsibilities

A well-defined CISO function covers:

Strategic and Governance

  • Developing and maintaining the organisation’s Information Security Management System (ISMS) and policies
  • Setting the organisation’s risk appetite for cyber risk
  • Reporting to the board and executive committee on security posture, key risks, and programme effectiveness
  • Aligning security investments with business strategy and regulatory requirements
  • Overseeing compliance with regulations such as GDPR, NIS2, DORA, and ISO 27001

Operational Security

  • Managing vulnerability management, patch management, and penetration testing programmes
  • Overseeing security operations (SOC), whether in-house or outsourced
  • Maintaining and testing incident response and business continuity plans
  • Managing the security aspects of third-party and supply chain relationships

People and Culture

  • Leading or overseeing security awareness training for all staff
  • Building and managing the security team (if one exists)
  • Working with HR on security aspects of hiring, onboarding, and offboarding
  • Championing a security-conscious culture across the organisation

The CISO and NIS2

The NIS2 Directive (applicable from October 2024) has significantly elevated the importance of the CISO role for in-scope entities. NIS2 explicitly requires:

  • Management bodies (boards and senior management) to approve cybersecurity risk management measures
  • Management personnel to undergo cybersecurity training
  • Personal liability of management for infringements in cases of gross negligence

This means that NIS2 entities — which include medium-sized companies in energy, transport, health, digital infrastructure, financial services, and other sectors — need a clearly identified individual (whether called CISO or not) who can own the cybersecurity programme and report to the board. The CISO role, or its functional equivalent, becomes effectively mandatory for these organisations.

Virtual CISO (vCISO): The Model for Mid-Market Companies

A full-time CISO is expensive — market rates in Spain range from €80,000–€200,000+ annually for senior candidates — and may not be justified for companies below a certain size or with limited security complexity. The virtual CISO (vCISO) model addresses this by providing access to CISO-level expertise on a fractional, part-time, or project basis.

A vCISO typically:

  • Attends board and executive meetings as required (monthly or quarterly)
  • Defines and maintains the ISMS and security policies
  • Manages external security suppliers (penetration testers, SOC providers, insurance brokers)
  • Leads incident response when needed
  • Owns the regulatory compliance roadmap (GDPR, NIS2, ISO 27001)
  • Is available on short notice for urgent security matters

The vCISO model is particularly appropriate for:

  • Companies newly in scope of NIS2 that need to rapidly establish governance
  • SMEs aiming for ISO 27001 certification without a full-time security headcount
  • Companies in regulated sectors (financial services, health) managing DORA or sector-specific security obligations
  • Post-acquisition integration work where security programmes need alignment

Difference Between CISO and DPO

These roles are often confused but are legally and functionally distinct. The DPO (Data Protection Officer) is a GDPR-specific role focused on personal data protection and regulatory compliance with data protection law. The CISO is a business leadership role focused on the security of all information assets, not just personal data, and encompasses technical security operations, risk management, and incident response. The two roles should work closely together — particularly on data breach response and privacy-by-design implementation — but they are not interchangeable and should not be collapsed into a single person unless the organisation is small and the workload genuinely permits it.

How BMC Can Help

We provide virtual CISO services to organisations that need board-level cybersecurity leadership without the cost or commitment of a full-time executive hire. Our vCISO offering covers ISMS establishment, regulatory compliance management, incident response leadership, and security programme governance — structured to meet NIS2, GDPR, and ISO 27001 requirements.

Frequently asked questions

Is a CISO legally required for companies in Spain?

There is no general statutory requirement for a Chief Information Security Officer in Spanish private companies. However, NIS2 entities — medium and large companies in energy, transport, health, digital infrastructure, and other critical sectors — must designate a management-level person responsible for cybersecurity. For these organisations, the CISO role or its functional equivalent is effectively mandatory.

What does a virtual CISO (vCISO) do for a Spanish SME?

A vCISO provides CISO-level expertise on a fractional basis, typically attending board meetings quarterly, defining and maintaining the ISMS and security policies, managing external security suppliers, leading incident response when needed, and owning the regulatory compliance roadmap covering GDPR, NIS2, and ISO 27001. This model costs significantly less than a full-time hire.

What is the salary range for a full-time CISO in Spain?

Market rates in Spain for senior CISO candidates range from approximately €80,000 to €200,000+ annually, depending on the organisation's size, sector, and regulatory complexity. This cost is the primary driver of demand for the virtual CISO model among mid-sized Spanish companies.

How does the CISO role differ from the DPO under GDPR?

The DPO (Data Protection Officer) is a GDPR-specific compliance role focused on personal data protection and regulatory compliance with data protection law. The CISO is a business leadership role focused on the security of all information assets — not just personal data — including technical security operations, risk management, and incident response. Both roles should cooperate closely but are not interchangeable.

What NIS2 obligations require board involvement in cybersecurity in Spain?

NIS2 explicitly requires management bodies to approve cybersecurity risk management measures, undergo cybersecurity training, and face personal liability for infringements in cases of gross negligence. This makes cybersecurity a boardroom governance issue rather than purely an IT department concern for all NIS2-scope entities operating in Spain.