What does a Director of Information Security actually do?

KNOWN ALIASES / DISGUISES:

MARKET AVERAGE

$249,433

* Reported range between $174,189 and $418,989, often influenced by location and specific GRC responsibilities.

"This sum is allocated to those who excel at presenting the illusion of security, ensuring C-suite deniability while actual technical work is outsourced or ignored."

[DIAGNOSIS]When the inevitable major breach occurs, they are the designated sacrificial lamb, positioned just below the CISO, or will be made redundant when the organization attempts to streamline its 'cyber governance overhead'.

"Lead and scale our enterprise GRC program, building out a cohesive framework for risk management, compliance, and certifications."

OTIOSE TRANSLATION

Construct a multi-layered bureaucracy of policies and audits designed to demonstrate theoretical compliance, while actual security vulnerabilities fester beneath the surface.

"Key responsibilities include conducting vulnerability assessments, monitoring for potential system breaches."

OTIOSE TRANSLATION

Delegate the grunt work of scanning and alert triage to overworked junior staff, then repackage their findings into fear-inducing executive summaries for maximum impact.

"Develop and maintain information security policies, standards, guidelines and oversee the dissemination of security policies and foster a security-first culture through regular training."

OTIOSE TRANSLATION

Generate an endless stream of impractical security mandates and 'mandatory' training modules that actively impede productivity, then blame 'human error' when breaches inevitably occur.

[10:00 - 11:00]

Dashboard Interpretation & Delegation

Review aggregated metrics from various security tools, identify 'red' items, and forward 'action items' to junior staff or engineering teams without understanding the underlying technical context.

[13:00 - 14:00]

Risk Posture Theatrics

Present a heavily curated PowerPoint to executive leadership, using traffic light dashboards and buzzwords to obscure the actual state of security and manage expectations.

[15:00 - 16:00]

Policy Proliferation & Approval

Draft new internal security policies, 'review' existing ones, or approve security tickets, often adding more bureaucratic layers and delays to legitimate developer workflows.

"We spent 3 months getting ISO 27001 certified, celebrated it internally. Next week, we had a major data leak because a dev pushed credentials to GitHub. My Director of InfoSec was like 'Well, the policy *was* there, and training was provided!' What's the point of all that paperwork if it doesn't actually stop anything?"

— r/sysadmin

"My InfoSec Director's calendar is 90% 'Risk Alignment Strategy Session' or 'Compliance Posture Review with Execs'. Never seen them actually touch a keyboard for anything beyond Outlook to send another policy update."

— teamblind.com

"We flagged a critical vulnerability in production for months. Our Director of InfoSec just kept adding it to the 'accepted risk' register, citing 'business impact' and 'resource constraints.' Now we're dealing with ransomware, and suddenly it's everyone's fault for 'not patching fast enough' or 'failing to follow procedure'."

— r/cybersecurity