What does a CISO actually do?


"CISO" is a role that's still in motion. Twenty years ago there were maybe a few hundred of them globally, mostly in banking; today every Series-B SaaS company has one and the role has fragmented into a dozen specializations. This is what most working CISOs actually spend their time on, regardless of company size.

The four-quadrant CISO job

If you ask thirty CISOs what they do, you'll get thirty answers, but their time breaks down roughly into four quadrants:

  1. Strategy and program design — risk register design, control framework selection (NIST CSF, ISO 27001), multi-year roadmaps, capability gap analysis. CISO Game models this through scenarios: each scenario is a different starting hand for program design.
  2. Executive communication and governance — quarterly board reports, audit committee meetings, regulator interactions, customer security questionnaires, M&A diligence. The CISO is the security translator for non-security executives. CISO Game tracks this as Board Confidence and Customer Trust.
  3. Team building and operations — hiring (Senior Analysts, Detection Engineers, IR Specialists, GRC Specialists, Deputy CISO), assigning ownership, managing morale, on-call rotation, vendor management. The team is the program; everything else is leverage.
  4. Incident response when it lands — every CISO will eventually run an incident. The skill the role demands isn't preventing every breach (that's not a winning strategy); it's making sure the program survives the breach.

What CISOs don't do (despite what job descriptions say)

Most CISOs do not personally run penetration tests, write detection rules, or operate the SIEM. They hire and assign people who do those things, then make sure those people have what they need. The CISO's product is the program — the legible, defensible structure of controls, evidence, and decisions that the board, regulators, and customers can rely on. The technical work happens one or two layers below the CISO; the role is structurally similar to a CTO or CFO in that respect.

How CISOs are evaluated

The board's verdict on a CISO is usually delivered annually, sometimes quarterly. The signals they watch are: composite security posture (a single program-level score), board confidence (how clearly the CISO communicates), customer trust (questionnaire turnaround, trust center attestations), budget discipline (running over plan kills careers fast), and incident outcomes (how well the program handled what landed). CISO Game maps directly to these — the win condition at Q20 is composite ≥ 60, board ≥ 30, cumulative overspend ≤ $500k.

Career paths into the role

Most CISOs come from one of three tracks:

  1. Security operations and engineering — analyst → senior → manager → director → CISO; the most common path.
  2. Risk and audit — internal audit or GRC consultant → risk lead → CISO; common in regulated sectors.
  3. IT leadership — head of IT or platform engineering → CISO; common at companies promoting from inside.

The CISSP, CCISO, and CISM certifications are useful for path entry but rarely decisive at the senior level.

What changes by company stage

A CISO at a 200-person Series-B startup is mostly building the first program from scratch — picking the framework, hiring the first analyst, getting SOC 2 across the line. A CISO at a 5,000-person scale-up spends most of their time on vendor management, M&A diligence, and board communications. A CISO at a regulated bank spends a quarter of their time inside the regulator-relationship layer. CISO Game's scenario list is built around these archetypes — picking a scenario is picking which version of the role you want to practice.

Try the role

Reading about the CISO job is one thing; running a 5-year program is another. Play CISO Game free to run the program for yourself. No install, no signup, plays in 30–45 minutes.
