A CISO's primary emergency responsibility would be to make sure a breach doesn't play out a la Home Depot and Target. This shouldn't be a role the CIO plays. In effect, should a breach occur, the CISO would be where the buck stops. Ideally, the CISO would be given both the authority and the budget to respond to breaches quickly and efficiently, without getting mired in bureaucratic reporting and red tape at least until the imminent danger passed and the breach was mitigated.
Consulting and approval or validation of existing IT investment plans. The CIO may have ambitious plans to do a bunch of things and proceed with a lot of projects, but the CIO may not have fully considered the security implications of those projects and policies. Worse, there may not be any step in the traditional workstream or project workflow in an organization that focuses on the security and integrity of a plan, nor may there be anyone in the organization with enough expertise to make an informed assessment of a plan and its security implications. Bring your own device (BYOD) policies come to mind, as does the use of consumer-oriented, "shadow" cloud storage products such as Dropbox and OneDrive for professional and corporate purposes.
Ideally, a CISO would have the responsibility to rigorously evaluate the plans, the intended services and their uses. He or she would have the ability and authority to either validate a proposal as being approved from a security standpoint, request revisions to mitigate some security posture shortcomings that any plan may have or, in some cases, even veto or blackball a proposal if a serious security issue is identified that can't be practically remedied.
A keen, discerning ability to communicate briefly but effectively with stakeholders. Security breaches are, by their very nature, technical. However, that complexity doesn't reduce the amount of questions that the CISO will get from the other members of a senior leadership team, the board of directors and any interested third parties.
A CISO must be able to understand the deep roots of a security issue whether it's a breach or an objection to a current investment plan and then communicate the severity of that issue and the recommendations for mitigating that issue to these stakeholders in a brief but understandable way. A CIO doesn't always have both of these skills and even if he or she did, it may put the CIO in an odd place of advocating against a proposal that he or she initiated, stifling innovation and creativity.
No one will really want to hear from the CISO, kind of like no one really wants to hear from internal auditors, but an effective CISO is an executive who has a deep technical understanding but also a keen ability to boil those technicalities down and effectively advocate for what needs to be done or the decisions that need to be made.
Sign up for CIO Asia eNewsletters.