CISO (Chief Information Security Officer)
The executive accountable for an organization's information security strategy, risk posture, and regulatory exposure — known as RSSI in France.
The Chief Information Security Officer (CISO) is the executive accountable for the information-security strategy of an organization: defining the risk posture, owning the security program, and reporting to the executive committee or board on residual risk. In France and most of the French-speaking world the same role is called RSSI (Responsable de la Sécurité des Systèmes d’Information); the title varies but the accountability is the same.
The modern CISO sits at the intersection of three pressures:
- Regulatory. NIS2, DORA and HIPAA (regulation), plus SOC 2 and ISO 27001 (attestation and certification frameworks), depending on geography and sector, all expect documented evidence that awareness controls exist and are effective, not just a policy on paper.
- Operational. The attack surface keeps widening: SaaS sprawl, OAuth grants, generative AI, third-party suppliers. The team rarely scales at the same rate.
- Board-facing. Increasingly, boards want a credible answer to “how do we know our people are safer this quarter than last?” — a question that does not have a good answer when the only KPI is phishing click-rate (see Goodhart’s Law).
Defining characteristics of the role today:
- Short tenure. Industry surveys consistently report median CISO tenure in the two-to-three-year range, among the shortest in the C-suite. Breach exposure and burnout are the most cited causes.
- Wide span. Security operations, application security, GRC, and sometimes privacy and physical security. Depending on the organization, the CISO can own anywhere from a four-person team to a multi-hundred-person organization.
- Compensation tied to scope. CSA and Heidrick & Struggles surveys consistently show total compensation tracking with regulatory exposure (NIS2-in-scope organizations pay more) and with reporting line (CISOs reporting to the CEO or board command higher packages than those reporting to the CIO).
- Increasingly personal liability. The SEC's action against SolarWinds and its CISO, and NIS2 Article 20, which makes management bodies accountable for approving and overseeing cybersecurity risk-management measures and liable for infringements, have changed the legal calculus around the role.
The CISO’s hardest job in 2026 is not buying more tools; it is producing demonstrable behavioral evidence — that people genuinely act more safely than they did a year ago — in a format an auditor, a board, and a regulator will accept.
Related terms
- DPO (Data Protection Officer): the role GDPR requires certain organizations to appoint (Article 37), responsible for monitoring the organization's compliance with EU data-protection law and acting as the contact point for the supervisory authority.
- Behavioral evidence: the audit artifact showing that a risky behavior was detected, the employee was nudged, and the behavior was corrected; increasingly demanded in place of training completion certificates.
- Behavioral KPI: a risk-team metric anchored on what employees actually do over time, not on training completions or click-rate on simulated phishing emails.
- Goodhart's Law: "When a measure becomes a target, it ceases to be a good measure"; the trap behind phishing click-rate as a security KPI.
- Human Risk Management (HRM): the analyst-defined category that replaces Security Awareness Training with behavior-centered, evidence-producing controls applied at the moment of risk.