What does a CISO actually do?
"CISO" is a role that's still in motion. Twenty years ago there were maybe a few hundred of them globally, mostly in banking; today nearly every Series-B SaaS company has one, and the role has fragmented into a dozen specializations. What follows is what most working CISOs actually spend their time on, regardless of company size.
The four-quadrant CISO job
If you ask thirty CISOs what they do, you'll get thirty answers, but the time tracks roughly into four quadrants:
- Strategy and program design — risk register design, control framework selection (NIST CSF, ISO 27001), multi-year roadmaps, capability gap analysis. CISO Simulator models this through scenarios: each scenario is a different starting hand for program design.
- Executive communication and governance — quarterly board reports, audit committee meetings, regulator interactions, customer security questionnaires, M&A diligence. The CISO is the security translator for non-security executives. CISO Simulator tracks this as Board Confidence and Customer Trust.
- Team building and operations — hiring (Senior Analysts, Detection Engineers, IR Specialists, GRC Specialists, Deputy CISO), assigning ownership, managing morale, on-call rotation, vendor management. The team is the program; everything else is leverage.
- Incident response when it lands — every CISO will eventually run an incident. The skill the role demands isn't preventing every breach (no program achieves that, and betting on it is not a winning strategy); it's detecting and containing what gets through, and making sure the program, and the CISO's credibility with the board, survives the breach.
What CISOs don't do (despite what job descriptions say)
Most CISOs do not personally run penetration tests, write detection rules, or operate the SIEM. They hire and assign people who do those things, then make sure those people have what they need. The CISO's product is the program — the legible, defensible structure of controls, evidence, and decisions that the board, regulators, and customers can rely on. The technical work happens one or two layers below the CISO; the role is structurally similar to a CTO or CFO in that respect.
How CISOs are evaluated
The board's verdict on a CISO is usually delivered annually, sometimes quarterly. The signals they watch are: composite security posture (a single program-level score), board confidence (how clearly and credibly the CISO communicates), customer trust (questionnaire turnaround, trust-center attestations), budget discipline (running over plan ends careers fast), and incident outcomes (how well the program handled what landed). CISO Simulator scores the same signals: the win condition at Q20, the end of the five-year run, is composite ≥ 70, board ≥ 50, and cumulative overspend ≤ $350k.
Career paths into the role
Most CISOs come from one of three tracks: (1) Security operations and engineering — analyst → senior → manager → director → CISO, the most common path; (2) Risk and audit — internal audit or GRC consultant → risk lead → CISO, common in regulated sectors; (3) IT leadership — head of IT or platform engineering → CISO, common at companies promoting from inside. The CISSP, CCISO, and CISM certifications are useful for path entry but rarely decisive at the senior level.
What changes by company stage
A CISO at a 200-person Series-B startup is mostly building the first program from scratch: picking the framework, hiring the first analyst, getting SOC 2 across the line. A CISO at a 5,000-person scale-up is deep in vendor management, M&A diligence, and board comms. A CISO at a regulated bank spends roughly a quarter of their time on regulator relationships. CISO Simulator's scenario list is built around these archetypes; picking a scenario is picking which version of the role you want to practice.
Try the role
Reading about the CISO job is one thing; running a 5-year program is another. Play CISO Simulator free to run the program for yourself. No install, no signup, plays in 30–45 minutes.
Mapping your own path to the role? See the 2026 CISO career roadmap for the typical 12–20 year timeline and the four highest-leverage decisions along the way.
Frequently asked questions
What does a CISO do day-to-day?
A CISO's day-to-day splits roughly four ways: 30–40% executive communication (board prep, exec one-on-ones, customer security calls, regulator interactions), 25–35% program management (budget, hiring, vendor decisions, audit prep), 15–25% incident or near-incident response (real incidents are rare; near-incidents are weekly), and 10–20% strategic technical review (architecture decisions that need a senior call). Almost no CISO writes detection rules, runs pentests, or operates a SIEM personally; that work happens one or two layers below.
Who does a CISO report to?
In 2026, the most common CISO reporting line is to the CEO (about 35% of public companies), followed by the CIO (25%), the CFO (20%), and General Counsel or the Chief Risk Officer (15%). The remaining 5% report elsewhere, typically to the CTO or COO. Reporting to the CEO is generally seen as the most empowered structure. Reporting to the CIO usually has the least operational friction, but it places security under the function whose systems it is meant to check, so security findings compete with IT delivery priorities. Reporting to General Counsel or the CRO signals a governance-heavy role typical of regulated industries.
What's the difference between a CISO and a Security Director?
A CISO is an executive who owns the entire security program and sits in the C-suite or in board-adjacent management; a Security Director leads a function within the security organization (engineering, operations, GRC) and reports to the CISO or a VP. The CISO has signing authority on security spend, presents quarterly to the board, and is the named accountable person on regulatory disclosures. A Security Director is typically not on the executive team and doesn't carry direct board accountability.