An effective CISO manages three separate but interrelated teams. In many organizations this management is indirect, but a few actually have substantial staffs reporting to the CISO. One team manages access requests, usually through a provisioning tool; this team may be part of the help desk. The second team builds and deploys the policy, procedures, security architecture and training materials. This team may reside in an architecture or policy organization. The third team handles cyber security incidents and may go under the name of a CERT or CIRT. These technical specialists usually report through the technical support organization and only come together as a team to train and to handle incidents. In larger organizations with frequent attacks there may be a full-time person or team; in most organizations some or all of the CERT report through other departments in the IT organization.
In addition to managing these three activities, the CISO informs the executive leadership and Board of the firm's risk management portfolio - the set of risks the firm owns and the set of measures in place to mitigate these risks.
For more information, please see my book on corporate information security program design, coming out later this year.
Bill Malik, CISA