Roles and responsibilities in information security management – the role of a CISO

CYBERS 24.10.2023

In this episode of the KüberCast podcast, we delve into the world of information security management and explore the role of the CISO, or Chief Information Security Officer, within a company. Hosted by Ronnie Jaanhold and Siim Pajusaar, our guest for this episode is Jüri Voronov, an experienced CISO. Here are some key takeaways from the podcast.

Can the IT manager and CISO role be combined?

Not ideally. Jüri Voronov explains that information security management differs significantly from traditional IT and risk management roles. IT managers primarily focus on the efficiency and continuity of their work, while information security managers must ensure that all organizational leaders act within their expertise and do not jeopardize information security processes and regulations.

The role of an information security manager is to identify risks, bring them to the attention of the executive team, and create a plan to mitigate these risks while supporting the company’s business strategy. The primary goal is to unite various stakeholders to protect the company’s information and ensure its security. When roles overlap (such as an IT manager also serving as a CISO), the results may not always be as reliable due to a lack of role separation.

Should all companies have an information security manager?

It depends on the kind of information a company wants to protect. Smaller companies may find it easier to outsource information security management, but this decision primarily requires awareness from the company’s leadership and an understanding of the value of the company’s data as a significant asset. The most challenging task for a CISO is to explain to the executive team the significant investments and changes required to enhance the security level. In practice, action is often not taken until an incident has already occurred.

Speaking of unpleasant scenarios for a CISO, one of the worst-case scenarios mentioned was a “ransomware attack resulting in the loss of backups and the inability to recover data.” Such potentially very costly situations can only be prevented through conscious and consistent action.

The many faces of the CISO role

The role of an information security manager is highly multifaceted and requires a deep understanding of both technical and strategic aspects. Jüri Voronov adds some further points about the CISO role:

  1. Strategic Management: The CISO is responsible for developing an information security strategy that aligns with the company’s overall business strategy. This involves assessing risks and setting priorities to ensure a strong information security posture and compliance with regulations.
  2. Technical Level: While the CISO does not need to be purely a technical expert, it is essential for them to have a deep understanding of technologies and risks. This allows effective communication with technical teams and an understanding of complex security risks.
  3. Crisis Management: The CISO must be prepared to lead in emergencies and respond swiftly to security incidents. This includes creating plans for handling attacks and data breaches.
  4. Communication Skills: The CISO must be able to explain complex information security concepts to non-technical leaders and other stakeholders. Communication skills are crucial in persuading the executive team to make necessary investments.

Podcast in Estonian: KüberCAST 22 | CISO positsioon ettevõttes
