What does a CISO at an SME do during their working day?

A CISO – Chief Information Security Officer – at an SME is responsible for security operations, securing the business, its technology, and its initiatives, and leading the business’s information security strategy. A CISO must liaise with different areas of the business including IT, HR, and C-level executives to ensure that their objectives are achieved.

Image showing the tasks a ciso has to manage day to day

There is no such thing as a typical day in the life of a CISO, but some activities are more common than others. The following breakdown gives you an idea of what to expect from a CISO, though each day will look very different.

09:00 – Review the latest threat intelligence & security indicators

A CISO must regularly review the information available to them regarding possible threats to the business. Their information will come from a range of sources, so the CISO needs to be adept at sorting through what is and isn’t relevant to their role.

In particular, a CISO needs to look for anything that is actionable, i.e. that requires a response from them and the wider business. As much as the CISO will prepare the business to face cyber threats proactively, there will always be a reactive element to their role to ensure that they can always deal with rapidly changing circumstances.

10:00 – Review risk assessment with project team for the new IT project

Securing new initiatives and projects is an important responsibility for CISOs. They must make assessing security risks a part of every core process, as risk management is central to their role.

In this particular example, a new IT project might present a number of risks for the CISO to be aware of. The risks may include additional personal data that falls under GDPR, and the security regime requirements for new technology being brought into the business, such as regular patching. Once they have become aware of the risks, the CISO will be able to help the project team mitigate them effectively.

12:00-12:30 – Monthly board briefing

Maintaining stakeholder relationships is another important aspect of a CISO’s day to day job. In this example, the CISO will use their briefing to keep the board appraised of current business risks (not just security risks) and mitigations.

CISOs need to be in regular contact with other C-level executives and senior figures in the business who have a level of responsibility for risk management and security. They will commonly need to coordinate with figures like the CSO, CRO, data protection officer, general counsel, and others.

13:00 – Supplier meeting

Following a spot of lunch, another of the CISO’s responsibilities comes to the fore. The scope of a CISO role extends to the supply chain. How are the business’s suppliers looking after the business’s data?

A CISO’s responsibilities concerning the supply chain include pre-contract due diligence, working on new supplier contracts and renewals, and going through supplier audit and assessment processes.

14:00 – Planning activities for an upcoming security audit

Preparing for security audits is an important part of the CISO’s role. Their planning activities for an upcoming audit could start with reviewing the status of non-compliances from previous audits, ensuring that the evidence trail is in place to show that the resulting actions have been completed.

Another practical requirement of planning for the audit is ensuring that the CISO’s colleagues are scheduled to meet with the auditor when they arrive. The auditor will inevitably have questions for staff in the wider business.

14:10 – Urgent call from IT

Every CISO must be prepared to deal with something unplanned cropping up during the day. In this example, the IT team has spotted some suspicious activity, and the incident response teams need the CISO’s input into the triage process.

Part of a CISO’s role is to advise on the setup of incident response processes in the first place, but they must always be ready to step in if other teams need input for specific situations.

14:25 – Back to planning

With one call out of the way, the CISO can get back to their audit planning…

14:55 – Call from a fellow CISO

As the CISO is the only one of their position in their business, collaboration with their peers in other businesses is crucial to their continued success. It is vital for a CISO to be able to share their experiences of what is working well and what isn’t; to be able to seek advice and learn from one another’s activities.

15:15 – Back to planning

It’s time to make one more push on that audit planning before the final meeting of the day!

16:00 – Progress review with HR

A CISO’s job is made easier when others in the business are able to act in accordance with security best practices and processes. Overseeing training programmes for their colleagues is an important part of their role, and they can work with their HR department to roll out new training programmes that keep everybody in the business up to speed.

Along with keeping employees aware of the current risks and the right way to respond, a CISO may also run phishing simulations to see how employees respond to threats, as well as running investigations and forensics when something goes wrong.

17:00 Onwards – Reading, Learning & Social Media

While spending their spare time on work-related learning is certainly not a requirement, many CISOs have a passion for cyber security and willingly engage in related content outside of their working hours. Many of them want to keep on top of the latest market development and contribute to professional bodies, helping them to stay on top of the very latest topics and changes in their industry.


Author Bio – Colin Robbins

Colin Robbins is Nexor’s Managing Security Consultant. He is a Fellow of the IISP, and a NCSC certified Security and Information Risk Adviser (Lead CCP) and Security Auditor (Senior CCP). He has specific technical experience in Secure Information Exchange & Identity Systems and is credited as the co-inventor of LDAP. He also has a strong interest in security governance, being a qualified ISO 27001 auditor.


Be the first to know about developments in secure information exchange