<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
<article-title>An exploration into the requirements and responsibilities of CISO roles: Balancing art with science</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Moufida Sadok</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Iain Reid</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>School of Criminology and Criminal Justice, University of Portsmouth</institution>
          ,
          <country country="UK">UK</country>
        </aff>
      </contrib-group>
      <pub-date>
        <year>2025</year>
      </pub-date>
      <abstract>
        <p>This paper presents the results of an investigation into 50 Chief Information Security Officer (CISO) job openings listed by various organisations in the UK from 2022 to 2025, aiming to identify the essential and desirable skills required by employers. The findings indicate a growing demand for both soft skills and established security certifications, such as the Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM). Furthermore, the requirements and responsibilities emphasise the key role of the CISO in aligning security with business needs, which necessitates a good understanding of business processes that support the delivery of value, as well as work practices to enhance security engagement in the workplace. This study has the potential to inform future educational and training programmes in security to close the skills gap.</p>
      </abstract>
      <kwd-group>
<kwd>CISO</kwd>
        <kwd>Soft skills</kwd>
        <kwd>Hard skills</kwd>
        <kwd>Information security</kwd>
        <kwd>Sociotechnical approach</kwd>
<kwd>Job description</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
<p>The ubiquitous digitisation of information and the pervasive connectivity of work systems have
made securing information essential to ensure business continuity, sustainability, and compliance
with regulatory frameworks. The International Standards Organisation (ISO) 27001:2022 [1]
recommends that organisations implement an information security management system, based on a
business risk approach, including policies, procedures, guidelines, activities and associated
resources, to maintain and improve the security of information assets. The Chief Information Officer
(CIO), also referred to as the Chief Information Security Officer (CISO), is responsible for every
aspect of information security management and is expected to advise on how to leverage technology
to address an organisation's security needs. The role of CISOs is pivotal to ensure an effective
security strategy supporting business model operations; therefore, it requires certain personal and
professional qualifications to meet the demands of the position successfully.</p>
      <p>
The recent incidents involving CISOs from Uber and SolarWinds have raised questions about
the liability of CISOs. The U.S. Securities and Exchange Commission has charged SolarWinds
Corporation and its former CISO with fraud and internal control failures related to the company's
cybersecurity practices leading up to the 2020 cyberattack [
        <xref ref-type="bibr" rid="ref1">2</xref>
        ]. Although the charges against them
were subsequently dismissed, this case still shows the challenges in identifying who should be
considered
liable when under a cyber-attack. In May 2023, a former Uber CISO was fined and sentenced to three
years’ probation after being the first cybersecurity executive to be convicted of covering up elements
of a data breach perpetrated by external attackers [
        <xref ref-type="bibr" rid="ref2">3</xref>
        ]. These incidents also raise questions about the
applicability of the parity principle of authority and responsibility, as CISOs seem to lack the
required autonomy and decision-making authority to run and maintain an effective information
security management system. CISOs are seen as being answerable to the C-Suite, rather than being
part of it, with Da Silva et al. [
        <xref ref-type="bibr" rid="ref3">4</xref>
        ] arguing that CISOs “are often scapegoated when things go
wrong”.
      </p>
      <p>This paper aims to identify the qualifications required to fulfil the job of a CISO. It presents a
content analysis of 50 job postings from different organisations between 2022 and 2025 in the UK.
The study of job listings offers a comprehensive overview of the key skills employers expect. The
longitudinal approach to data collection has the potential to identify patterns in terms of required
qualifications and skills.</p>
      <p>This paper is organised as follows. The next section provides some background on the role of
CISO. Section three details the study and data collection. The last section discusses the results and
provides some concluding remarks.</p>
    </sec>
    <sec id="sec-2">
      <title>2. Background</title>
      <p>It is widely acknowledged that the CISO is a key player responsible for developing and
implementing a security strategy that supports the delivery of business value. This involves an
effective assessment of significant risks and the development of a security policy that mitigates or
prevents them from impacting the continuity of the business. Further, the CISO must ensure that
security measures comply with privacy and regulatory frameworks.</p>
      <p>
        The importance of the CISO role is continuously growing. The research by Karanja [
        <xref ref-type="bibr" rid="ref4">5</xref>
        ]
investigating the role of CISOs before and after an IT security breach shows that hiring a CISO was a key
element in a reactive plan. Maynard et al. [
        <xref ref-type="bibr" rid="ref5">6</xref>
        ] argue that there are five requisite dimensions to the
strategic role of the CISO: (a) dimension of thought reflecting the ability to be creative and
innovative to keep up with the evolving and uncertain threat landscape; (b) dimension of
contextualisation which involves the ability to achieve an appropriate alignment between security strategy and
the business model requirements; (c) dimension of execution which involves the ability to use
efficiently available resources to implement an actionable security plan; (d) dimension of response
reflecting the ability of a CISO to be proactive and responsive to significant changes in the business
environment; and (e) dimension of advocacy which involves the ability to effectively
communicate the relevance of security controls to different groups of stakeholders.
      </p>
      <p>
        Complementary skills, alternatively known as soft skills, are considered highly important within
the UK cyber sector, with 28% of respondents rating them as essential in the Cyber Security Skills in
the UK Labour Market 2024 [
        <xref ref-type="bibr" rid="ref6">7</xref>
        ]. However, 34% of businesses report that they have a complementary
skills gap within their organisation. Whilst such soft skills are often seen as being necessary within
the role of a CISO, they may not always be listed in job adverts [
        <xref ref-type="bibr" rid="ref7">8</xref>
        ]. Within a Dutch context, whilst
soft skills are valued by CISOs, they may not always be explicitly stated in job adverts. This, in
turn, may create a potential mismatch between what organisations are advertising for in the role
of a CISO and what CISOs' experience of the job actually is. Being more explicit in job adverts
about the need for soft skills may lead to better recruitment decisions, including
ensuring that applicants know what their responsibilities will be in the role of CISO [
        <xref ref-type="bibr" rid="ref7">8</xref>
        ].
      </p>
      <p>
        Information security research has also focused on the need for effective communication of the
relevance of security controls to employees involved in implementing those controls in their
everyday work practices ([
        <xref ref-type="bibr" rid="ref8">9</xref>
        ]; [
        <xref ref-type="bibr" rid="ref3">4</xref>
        ]; [
        <xref ref-type="bibr" rid="ref9">10</xref>
        ]; [
        <xref ref-type="bibr" rid="ref10">11</xref>
        ]). The CISO role may further be seen as a mediator,
facilitating communication between technical employees and higher levels of management ([
        <xref ref-type="bibr" rid="ref9">10</xref>
        ];
[
        <xref ref-type="bibr" rid="ref11">12</xref>
        ]). Hooper and McKissack [
        <xref ref-type="bibr" rid="ref12">13</xref>
        ] question the technically-oriented job descriptions of CISOs and
suggest that CISOs should play a key role in matching security to business requirements. This
entails both a broad understanding of business processes supporting the delivery of value and strong
communication skills needed to work effectively with different groups of stakeholders, including
managers, business process owners and end-users [
        <xref ref-type="bibr" rid="ref3">4</xref>
        ]. Ashenden and Sasse [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ] showed that CISOs
often experience difficulties in communicating the why and how behind security measures and
that there is a need to use more effective channels or methods of communication to “sell” the
relevance of such measures. The authors also emphasise the challenge CISOs face in gaining credibility
due to a lack of authority and ambiguity about their responsibilities.
      </p>
      <p>
        It is not always clear who CISOs should be reporting to, whether to the CEO or to the CIO,
depending upon the nature of a vacancy, i.e. a newly created role versus a replacement [
        <xref ref-type="bibr" rid="ref15">15</xref>
        ]. CISOs
may need to report to the board, with some research arguing that CISOs should be part of the board
itself due to the security of information assets being a critical business function [
        <xref ref-type="bibr" rid="ref10">11</xref>
        ]. Shayo and Lin
[16] further argue that there is no one-size-fits-all reporting structure for CISOs, and that any
reporting structure will reflect the organisational, cultural, and socio-technical make-up of an
organisation. This may, in turn, compound the challenges in assessing CISOs' responsibilities,
liabilities, and who they are answerable to when there is no consistent job role description for CISOs.
      </p>
      <p>The findings of the Global Cybersecurity Outlook 2022 Insight Report [17], which involved
120 cybersecurity leaders from 20 countries, confirm the challenges faced by CISOs and identify
three main gaps between security-focused and business executives (Chief Executive Officers).
Firstly, CISOs believe that cyber is not prioritised enough in business decisions. As a consequence,
the second gap deals with the lack of involvement of CISOs in business decisions, which could
result in security issues. The third gap concerns recruiting and retaining cybersecurity talent. While
CISOs find it challenging to respond to a cybersecurity incident due to the shortage of skills within
their team, business executives appear less acutely aware of the gaps.</p>
      <p>In one study exploring pathways to the role of a CISO, Kappers and Harrell [18] examined degree
requirements, certifications, hard skills and soft skills, alongside broader security risk management
abilities, and business management. Their work attempted to identify the key skills required for the
role of a CISO as identified by practitioners and academics. Although the sample size is limited, this
study highlights the importance of developing the skills required for a CISO from an undergraduate
degree level. This further reflects broader changes within the UK higher education ecosystem, as
attempts are made to professionalise cybersecurity career pathways and reduce the cyber skills gap.
Specifically, cybersecurity degree pathways are being mapped against the Cyber Security Body of
Knowledge, including those that reflect the skills required for a CISO role.</p>
    </sec>
    <sec id="sec-3">
      <title>3. The study</title>
      <p>The data collection was carried out through the teaching of the module “Information Security
Management” delivered to final-year undergraduate students. The first assignment in this module is
to find three job openings for the position of Chief Information Security Officer (CISO), each from a
different organisation. Students should critically discuss and compare the required essential and
desirable skills between the organisations’ adverts. Students must also critically discuss, using
academic literature, the key challenges a CISO faces in managing information security.
The module has been running for four years, and the authors of this paper, who are also the
assessors of the assignment, collected the data using the links provided for the job adverts. The
keywords that guided the analysis of the data include: experience, education, certification, soft
skills, and IT-related skills.</p>
      <p>Over the years, job descriptions have been shaped by technological and legislative factors. For
instance, big data influenced job descriptions in 2022. By 2025, nearly all job vacancies will require
some knowledge of Artificial Intelligence. In recent years, there has been a growing focus on
complying with the General Data Protection Regulation 2016, and within the UK context, the Data
Protection Act 2018.</p>
      <p>The table below presents the outcomes of the content analysis of 50 job adverts between 2022 and
2025 in the UK.</p>
    </sec>
    <sec id="sec-4">
      <title>4. Discussion and conclusion</title>
      <p>Cybersecurity roles, in particular cybersecurity leadership roles, are in high demand. The 2024
study by the Department of Culture, Media and Sport on Cyber Security skills in the UK labour
market estimates that around half (44%) of businesses have skills gaps in basic technical areas.
Further, nearly half (48%) of cyber leads within businesses lack confidence in their ability to undertake
a cybersecurity risk assessment and in developing cybersecurity policies. The participants in this
study suggest that the combination of soft and technical skills is a rather rare skill set.
The 2024 Global Cybersecurity Outlook report states that organisations lack the right number of
people with critical technical and soft skills, preventing them from achieving their strategic
cyber resilience objectives. To upskill the workforce, as many as 91% of organisations are willing to pay for
cybersecurity training and certification for their employees. Certifications or short educational
courses are one way to fill skills gaps.</p>
      <p>The findings of this study are consistent with the recent research by Ramezan [19] that
involved 250 job adverts listed across 27 nations. In particular, employers value prior professional
experience, strong communication skills, and knowledge of regulatory frameworks and cybersecurity
standards. The study also reveals that employers value bachelor’s or master’s degrees in business
fields, which could equip CISOs with relevant business knowledge that has the potential to support
a better alignment between security and business strategy. Ramezan [19] recommends the
inclusion of management, data privacy, or business strategy modules within cybersecurity program
curricula to reflect the shift of the CISO role to a more management and strategic focus.</p>
      <p>The outcomes of this study are useful to improve the content of this module and inform future
cybersecurity training programs. A valuable next step would be to incorporate qualitative research
methods, such as interviews or focus groups with CISOs and hiring managers responsible for
creating CISO job descriptions. This could provide deeper insights into how the listed requirements
align with real-world practices and highlight which criteria are considered most critical during the
hiring process.</p>
    </sec>
    <sec id="sec-5">
      <title>Declaration on Generative AI</title>
      <p>The author(s) have not employed any Generative AI tools.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref0">
        <mixed-citation>[1] ISO (2022). ISO 27001:2022. https://www.iso.org/standard/27001</mixed-citation>
      </ref>
      <ref id="ref1">
        <mixed-citation>[2] U.S. Securities and Exchange Commission (2023). https://www.sec.gov/newsroom/press-releases/2023-227</mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>[3] U.S. Attorney's Office (2023). https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-sentenced-three-years-probation-covering-data</mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>[4] Joseph Da Silva and Rikke Bjerg Jensen (2022). “Cyber security is a dark art”: The CISO as Soothsayer. Proc. ACM Hum.-Comput. Interact. 6, CSCW2, Article 365 (November 2022), 31 pages. https://doi.org/10.1145/3555090</mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>[5] Karanja, E. (2017). The role of the chief information security officer in the management of IT security. Information &amp; Computer Security, Vol. 25, No. 3, pp. 300-329. DOI 10.1108/ICS-02-2016-0013</mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>[6] Maynard, S.B., Onibere, M. and Ahmad, A. (2018). Defining the strategic role of the chief information security officer. Pac. Asia J. Assoc. Inf. Syst., pp. 61-86. DOI 10.17705/1pais.10303</mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>[7] Department for Science, Innovation &amp; Technology (2024). Cyber security skills in the UK labour market 2024. https://www.gov.uk/government/publications/cyber-security-skills-in-the-uk-labour-market-2024/cyber-security-skills-in-the-uk-labour-market-2024#current-skills-and-skills-gaps</mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>[8] van Yperen Hagedoorn, Jeroen M.J.; Smit, Richard; Versteeg, Patric; and Ravesteyn, Pascal (2021). “Soft Skills of The Chief Information Security Officer”. BLED 2021 Proceedings. 31. https://aisel.aisnet.org/bled2021/31</mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>[9] Albrechtsen, E. (2007). “A qualitative study of users' view on information security”. Computers and Security, Vol. 26, No. 4, pp. 276-289.</mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>[10] Karlsson, F., Hedström, K. and Goldkuhl, G. (2017). “Practice-based discourse analysis of information security policies”. Computers and Security, Vol. 67, pp. 267-279.</mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>[11] Monzelo, Pedro and Nunes, Sérgio (2019). “The Role of the Chief Information Security Officer (CISO) in Organisations”. CAPSI 2019 Proceedings. 36. https://aisel.aisnet.org/capsi2019/36</mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>[12] Sjøberg Sveen, H., Østrem, F., Radianti, J., &amp; Munkvold, B. E. (2020). The CISO role: a mediator between cybersecurity and top management. In Norsk IKT-konferanse for forskning og utdanning (No. 2).</mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>[13] Hooper, V. and McKissack, J. (2016). “The emerging role of the CISO”. Business Horizons, No. 6, pp. 585-591.</mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>[14] Ashenden, D. and Sasse, A. (2013). “CISOs and organisational culture: their own worst enemy?”. Computers and Security, Vol. 39, pp. 396-405.</mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>[15] Karanja, Erastus and Rosso, Mark A. (2017). “The Chief Information Security Officer: An Exploratory Study”. Journal of International Technology and Information Management, Vol. 26, Iss. 2, Article 2. DOI: https://doi.org/10.58729/1941-6679.1299</mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>