top of page

4 things that CISO does

  • Jun 30
  • 4 min read

It is easy to picture CISO as someone with their eyes glued to screens and code. The reality is different — much of the time goes to consulting and ensuring clarity, not to technical work. It is similar to the job of a house architect: they design the house, talk to its residents, and explain decisions, but they do not lay the walls themselves.


1. Preparing employees for threats - drills, phishing tests


The weakest link in security is usually not the technology, but people. That is why the CISO runs drills for employees and, as needed, carries out phishing tests. Such preparation makes it possible to recognise a threat before it becomes an incident — it pays off more to spend time preparing employees for possible threats than to deal with the consequences of an incident.


Phishing - a form of fraud in which malicious actors use fake (but realistic-looking) websites or emails to extract login credentials (codes, passwords) for banks, information systems, or tools.


Example: by impersonating the director of a food production company and sending a letter about an "updated system you need to log into again," and thereby obtaining login credentials to the refrigeration control program, malicious actors could switch it off and destroy the company's products.


Saugumo operacijų centro operacijų vadovas Martinas Eimutis ir kibernetinio saugumo vadovas Algirdas Kubilius susitikimo metu su matomais NKSC, CompTIA ir CRISC sertifikatais fone
Operations manager Martinas Eimutis and cyber security specialist Algirdas Kubilius during a meeting.

2. Maintaining security policies and procedures


Prepared cyber security documents — a risk assessment, a risk management plan, a business continuity plan — cannot be written once and put away in a drawer. Why? Because the organisation is constantly changing: new employees join, new systems are introduced, new tools come into use, and the possible cyber security threats change along with them.


The CISO constantly checks whether the organisation's activities and threats are changing and, when they do, updates the documents. For example, if a new system is introduced to store customer data but two-step login (e.g., password plus a phone code) is not enabled, malicious actors could quickly access the data. This is avoided by a risk analysis (noticing the new system) and by managing that risk (enabling two-factor authentication), both carried out by the CISO.


3. External CISO, cooperation with the NKSC, and incident preparedness


The security manager maintains contact with the National Cyber Security Centre (NKSC): they follow the recommendations received and, on receiving a notice from the NKSC about a detected vulnerability in the organisation, coordinate so that the gap is closed in time.


When an incident occurs, the security manager reports it to the NKSC within 24 hours, provides a detailed report within 72 hours, and the final report within a month of registration. Such deadlines mean that preparation — contacts, roles, and an action plan for the event of an incident — must be ready in advance, not on the day of the incident. Without this preparation, missed deadlines turn into fines, and confusion turns into longer downtime.


A cyber security incident - an event in which the availability, integrity, or confidentiality of an organisation's systems or data is breached, or an attempt is made to breach it. This may be a break-in to systems, a data leak, or disrupted system operation.


This is also a great example of why an IT administrator cannot be the security manager - it would be more convenient for them to prepare for a possible incident minimally, so as not to burden their usual work, but the cost of that would be, at best, confusion during the incident and, at worst, an uncontrolled incident and losses for the organisation.


4. Consulting and communicating with the organisation


A cyber security manager, like a house architect, spends a lot of time talking with the house's residents (employees). Some need to be told why the door locks automatically; others, why you must not leave the key under the mat. With the builders (IT administrators) they speak one language; with the house owner (the head of the organisation), quite another.


Questions can arise for an employee in any department — accountants, facilities managers, and procurement specialists alike — because nearly every profession uses computers or other digital tools for its work.


Cyber security covers the whole organisation, every one of its employees and their daily activity, not just the IT unit.

It is worth noting that the CISO, like an architect, is directly accountable to the head of the organisation (the house owner), not to the IT department (the builders). Under the Cyber Security Law they are even prohibited from engaging in the technical maintenance of systems — their position is strategic, not technical.


Saugumo operacijų centro kibernetinio saugumo vadovas Algirdas Kubilius susitikimo metu su matomais NKSC, CompTIA ir CRISC sertifikatais fone
We answer the organisation's employees' questions — because security comes from clarity and understanding, not from fear

A process, not a project


This work goes on continuously, so the CISO's job is not a task with an end date. That is precisely why many organisations find it convenient to have an external security manager who is constantly available but does not overuse resources.


If your organisation needs a CISO but creating a separate full-time role does not pay off, external CISO services provide all the necessary expertise and help you meet the requirements of NIS2.



 
 

Take the first step

Cybersecurity compliance doesn't happen in a day - contact us and start working towards it

bottom of page