
What Is a CISO: Functions, Responsibilities and Models

What a CISO is, eight core functions, reporting line, profile and certifications, models (vCISO, in-house, outsourced) and fit with NIS2 and DORA.

Secra · May 10, 2026 · 12 min read

A CISO is the executive responsible for an organisation's cybersecurity: strategy, governance and leadership before the board. The acronym stands for Chief Information Security Officer. They define the programme, lead the team, report to the executive committee and the board, and act as the visible face of digital risk to regulators, clients and insurers. It's an executive role, not a technical one, although the path almost always starts in a technical career.

This guide explains what a CISO actually does, the eight responsibilities that appear in any serious job description, where they fit in the corporate hierarchy, the typical profile and certifications required, the three engagement models (full-time internal CISO, vCISO or fractional CISO, outsourced CISO), why NIS2 and DORA are accelerating hires in Spain, and how a company decides which model fits.

What a CISO is

A CISO is the executive responsible for the information security posture of an organisation. The three keywords of the role:

  • Strategy. Defines the security programme aligned with business objectives and the board's risk appetite. Doesn't configure firewalls; ensures that security investment is well directed.
  • Governance. Maintains policies, processes, indicators and reporting. Ensures the organisation meets regulatory and contractual obligations.
  • Leadership. Runs the security team (or coordinates it when outsourced), builds relationships with IT, legal, HR, operations, communication and leadership, and represents the company to third parties.

What a CISO is not: a system administrator with an inflated title, a pure security engineer, or the person who puts out the fire when ransomware lands. Those roles exist and are critical, but they sit under the CISO's responsibility; they are not the CISO.

The eight core responsibilities

Any professional job description covers these areas.

Strategy and security programme

Documents the three-year security vision, aligned with the business strategic plan. Defines measurable objectives, quarterly priorities, required budget and expected outcomes. This is what the board looks at during reporting.

Risk management

Maintains a cybersecurity risk register with probability, impact, owner, mitigations and timelines. Runs specific analyses per initiative (new product launch, vendor onboarding, cloud migration) and documents them for the risk committee.

Regulatory compliance

Ensures compliance with applicable obligations: NIS2 for affected companies, DORA in the financial sector, ISO 27001 if certifying, ENS for Spanish public sector providers, PCI DSS if processing payments, GDPR for personal data, and relevant sectoral frameworks (HIPAA in health, GDPR-K for minors). Coordinates audits and maintains the evidence register.

Security operations

Supervises or directly runs the SOC, identity management, access control, endpoint security, network and infrastructure. Defines KPIs and reports them. In mid-sized companies, operations are usually outsourced to an MDR provider and the CISO oversees the contract.

Incident management

Leads the response to serious incidents. Activates the plan, coordinates internal and external teams (forensics, legal, communication, insurer), communicates to the executive committee and the board, and handles notification to regulators within legal timelines (24/72h under NIS2, 24h under DORA, 72h under GDPR).

Security testing

Schedules the annual calendar of pentesting, Red Team, web application audits, phishing simulations and, in regulated sectors, formal exercises like TIBER-EU. Selects providers, validates deliverables and ensures findings get closed.

Vendor management

NIS2 and DORA raise responsibility over critical providers. The CISO maintains the inventory of third parties with access to data or systems, runs initial due diligence and periodic reviews, ensures adequate contractual clauses (audit rights, notification, data location, exit rights) and demands evidence of the controls the provider declares.

Awareness and culture

Runs the training and drills programme. Measures coverage, comprehension and outcomes (percentage of staff falling for phishing simulations, response time to real alerts). Works with HR and internal communications to integrate security into culture, not just into compliance.

Where it fits in the hierarchy

The CISO reporting line is shifting fast. Three common models in Spain.

Under the CIO or IT director. Historically the most frequent. Works well in companies with mature IT, but creates a conflict of interest when the CIO has to arbitrate between delivery speed and security, because the CISO reports to them. NIS2 disincentivises this model for affected organisations.

Under the COO or operations director. Intermediate model. The CISO gains independence from IT but stays far from the risk committee.

Under the CEO or board (regulator-recommended model). The CISO reports directly to the CEO and has a communication line to the board and audit committee. This is the model NIS2 and DORA are pushing for affected companies, especially large and mid-sized ones. It guarantees the independence and executive weight of the role.

Under the risk function or CRO office. In financial entities and insurers, the CISO usually sits inside the risk management function, in line with DORA. This allows cyber risk to be treated at the same level as the rest of corporate risks.

Regardless of formal reporting, the CISO needs direct board access at least quarterly for critical risk reporting.

Profile and common certifications

The typical CISO comes from a technical background (computer or telecoms engineering) with 10-20 years of experience passing through operational roles (system administration, networks), then security (auditor, consultant, architect) and finally governance. Many pass through large consultancies or through in-house teams in banking, telco, energy and retail.

Relevant certifications in Spain and the EU:

  • CISSP (ISC2). The most globally recognised for management profiles.
  • CISM (ISACA). Specifically oriented to information security management.
  • CISA (ISACA). Systems audit; useful for CISOs with compliance focus.
  • CRISC (ISACA). Risk and control.
  • ISO 27001 Lead Auditor / Lead Implementer. Common when the company is going for certification.
  • CCSP (ISC2). When there's serious cloud focus.

Technical certifications (OSCP, CEH, GPEN) are irrelevant for the CISO role itself, although they are often part of the prior background.

Soft skills that matter: communication with non-technical audiences, ability to translate technical risk to business language, negotiation with IT and legal, calm in crisis management, ability to build a business case for the CFO.

Engagement models

Not every company needs a full-time internal CISO. Three models depending on size, sector and obligations.

Full-time internal CISO

The traditional model. Appropriate for mid-to-large companies (typically 500+ employees or critical NIS2/DORA sectors), environments with intensive compliance, and organisations with a high risk profile or public exposure.

Advantages: full dedication, deep business knowledge, ability to build culture. Disadvantages: high cost (senior CISO total package in Spain sits in executive range and keeps growing under NIS2 pressure), time to find the right match, risk if the person leaves.

vCISO (virtual CISO or fractional CISO)

A senior professional who covers the role part-time (1-3 days per week, under a service or consulting contract) at one or several companies simultaneously. Appropriate for mid-sized companies that need a CISO role but don't justify a full-time one, scale-up startups, and companies preparing for ISO 27001 certification or NIS2 compliance.

Advantages: fractional cost, experience that comes with the professional, flexibility. Disadvantages: limited dedication, possible conflict with other clients, difficulty for tasks requiring continuous presence.

This has been the fastest-growing engagement model in Spain in 2024-2026.

Outsourced CISO to a boutique

The company contracts the "CISO service" from a specialised firm that assigns a senior professional with team backup. Appropriate for small companies that need an external firm for compliance or insurance but can't manage the complexity of an in-house role.

Advantages: continuity (the firm guarantees presence even if the person rotates), team backup, predictable cost. Disadvantages: less integration with internal culture, risk if the firm isn't serious.

Why NIS2 and DORA are accelerating hires

Three factors combine in 2025-2026 in Spain.

NIS2 indirectly requires explicit cybersecurity governance. Article 21 demands technical and organisational measures; article 20 makes the management body responsible. Without a CISO or equivalent, the company can't demonstrate adequate governance in an inspection.

DORA explicitly demands ICT risk governance in financial entities and contemplates formal board responsibilities. A formal CISO role is practically mandatory.

Insurers and corporate clients ask for it. Cyber insurance policies and B2B RFPs include a direct question: "Do you have a formal CISO reporting to the board?". Without an affirmative answer, premium goes up or the opportunity is lost.

The practical outcome is a shortage of senior CISOs in the Spanish market. Mid-sized companies trying to hire take 6-9 months to fill the position, and most are opting for vCISO or outsourced models while they find the internal profile. In the vCISO projects we've run in 2025-2026 we see a consistent pattern: companies that come under NIS2 prefer to combine a vCISO for the first 12 months with a planned internal hire at the close of the first compliance cycle.

How a company decides which model fits

Decision by size and obligations, not by whim:

  • Fewer than 100 employees without specific obligations: a CISO probably doesn't apply. A Security Officer within IT or one-off outsourcing would suffice.
  • 100-500 employees, without a critical sector obligation: a vCISO at 1-2 days/week usually covers what's needed.
  • 100-500 employees with significant NIS2 / DORA / regulated sector: vCISO 2-3 days/week or full-time depending on maturity.
  • 500-2,000 employees: full-time internal almost always, with one-off external support.
  • More than 2,000 employees or critical sector: full-time with a team under their responsibility (4-15 people depending on industry).

The model gets reviewed every 18-24 months. Companies that started with vCISO usually migrate to internal when they reach certain thresholds of size, complexity or public exposure.

Compliance framework fit

  • NIS2 (articles 20-21). Management body responsibility over risk management measures. The CISO translates that responsibility into a concrete programme and reporting.
  • DORA (articles 5, 6, 9). ICT governance, function responsibilities. The CISO role is explicitly cited as good practice.
  • ISO 27001:2022 (clause 5). Leadership, policy, roles. Certification demands formal security role, normally performed by the CISO.
  • ENS RD 311/2022. Security responsibility. In public administrations and providers it maps to COSO or equivalent.
  • PCI DSS v4.0 (req. 12.4). Security management programme. Although it doesn't demand the "CISO" title, it does demand a role with documented authority and responsibility.
  • GDPR. The CISO doesn't replace the DPO; they are different but complementary roles. Affected companies usually have both.

Frequently asked questions

What's the difference between CISO and DPO?

The DPO (Data Protection Officer) focuses on GDPR compliance: personal data processing, data subject rights, processing audits. The CISO focuses on information security broadly (not only personal). Functions overlap in incident management involving personal data and in impact assessments, but the roles don't replace each other. The Spanish data protection authority recommends they be different people to avoid conflict of interest, especially in large organisations.

When do I need a CISO?

When one of these conditions is met: the company falls under NIS2 or DORA; ISO 27001 or ENS certification is underway; B2B clients require it contractually; the insurer demands it for cyber coverage; incidents have escalated without clear ownership; leadership doesn't know which security investment is justified. If none of that applies, you can probably wait another 12-18 months.

How much does a CISO cost in Spain?

The package varies a lot with sector, size and experience. In 2026, public ranges in remuneration reports (Hays, Page, ICSA) place a senior CISO in mid-sized companies in executive bands that grow year-on-year due to NIS2 pressure. A vCISO is contracted by days per month; an outsourced CISO service closes as an annual contract with an SLA. Asking for references and comparing budgets is standard practice. See our article on penetration testing pricing in Spain for related budget context.

Can I combine a technical role with CISO?

In small companies sometimes. In mid-sized, it's not sustainable: the strategic role and the operational role pull in opposite directions. The usual move is to split early: the CISO manages and reports, the technical team executes.

What relationship does CISO have with CTO or CIO?

CTO is usually responsible for product technology (what the company sells). CIO for internal technology (what the company uses). The CISO oversees security of both. Typical conflicts: CTO wants to ship fast, CIO wants to reduce TCO, CISO wants to mitigate risk. Healthy governance demands the three roles sit at the same executive level and the CEO arbitrates.

Do small companies need a CISO?

Not always. A company of 30 people doesn't need a formal CISO but does need a Security Officer within the IT team with documented responsibilities and, if there's NIS2 obligation, periodic external reinforcement. The board's legal responsibility applies regardless of title: someone has to be accountable.

Is it a good idea to promote to CISO from within?

It depends. If the internal candidate has a management profile and not only a technical one, yes. If they're only technical, it usually doesn't work: the role demands negotiating with leadership, and the company loses a good engineer and gains a bad CISO. The common move is to combine internal promotion with external experience: the CISO comes from outside and their technical leads grow inside.

CISO and strategic consulting at Secra

At Secra we work on the CISO side in three typical situations: when the company doesn't yet have a formal role and needs to cover it in vCISO mode while deciding on the internal profile; when the CISO exists and needs external validation of their programme, vendor evaluation or support on specific projects (NIS2, DORA, certifications); and when there's an incident and additional technical capacity is needed alongside the internal team. Scope is always agreed with the existing CISO, not in their place. If your organisation is sizing the role or needs tactical security reinforcement, get in touch through our contact page or see our GRC consulting services.

About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.