TL;DR: Understanding your company’s risk profile and security goal is key to finding the right CISO. CISOs come in all types and flavors and have different areas of specialization. There’s a good chance that the CISO who is good for you now as a young company will not be the right CISO later unless they also adapt.

We just covered the motivations around hiring a CISO. The next important step is understanding what kind of CISO is in the role, or the kind that you may be looking for. There is no one-size-fits-all type of CISO that an organization should have. Rather, it is entirely based on the needs of the business and the areas that need to be covered.
The key is the “conscious decision making” around what type of CISO you have or need for your organization. I consider conscious decision making to be akin to risk management and evaluating risks against your risk tolerances. Certain types of CISOs address your needs while leaving some risks open, but your tolerance for risk may allow for that risk to remain unaddressed, which is completely acceptable. More often than not, I encounter situations where the organization’s leaders do not have the context or data to make those risk-based decisions about their CISO type.
As was mentioned during the security organization overview, not every organization needs to cover every area, but be aware of which ones you are addressing and which you are not. The same goes for the CISO: determine which areas that CISO is trained to cover and which are areas of growth for the CISO over time.
The best possible situation is where the business understands the breadth and depth of a security program, resources it appropriately, leverages security to a business advantage, and knows how to hold the CISO accountable. The leadership team can stay aware of emerging trends by leveraging the CISO, outside advisors, and other subject matter experts, and use that awareness to hold their CISO accountable for staying ahead of the curve.
All of that being said, there are different types of CISOs out there and it’s important to understand who you have in the seat and how they will evolve with you. Note that a CISO of a given type might be great for one type of company but lacking for another.
The non-CISO
The non-CISO is someone who has usually been asked (or “volun-told”) to become CISO because an outside force (e.g. a regulator or an investor) has decided that your organization must have someone called a CISO. This person may have another role within the company and carries “CISO” or “Security” as an additional responsibility.
The non-CISO is the least likely to succeed at leading a security program in most types of companies because they lack the scar tissue and perspective.
The Dual Role CISO
The Dual Role CISO is someone who is the CISO while also owning another core function in the business, usually a technical one. Examples of this are the CIO who is also the CISO, or a head of Infrastructure and Security. This role can get tricky and easily turn into the next CISO type, the “Delegated CISO”. Functionally speaking, you are expecting one person to be responsible for two very disparate functions within the organization, and you end up with either one function completely delegated away or one function receiving far more attention than the other.
Overall this is a difficult one to get right, but it could be appropriate for certain companies or for certain individuals. I would caveat this as one that should be revisited periodically by the leadership team, especially if there is turnover in the position.
The Delegated CISO
The Delegated CISO is someone who has security as a function under them but has completely delegated the job to someone on their team. This is someone who has had no previous security experience and whose constant refrain is “I will get back to you on that” or “Let me check with [insert actual CISO here]”. This is demoralizing to the person actually leading the security program and usually also results in poor representation of the security program to leadership.
The Single-Domain CISO
The Single-Domain CISO is someone who is well versed in a single vertical but does not cover any of the other verticals we discussed previously. This could come in the form of a CISO who is solely focused on building a Security Operations Center, one who is focused only on application security, or one that only wants to build a governance program.
The AppSec CISO is typically someone who has been on the penetration testing side of the house, whether consulting or working in house. They sometimes also come from a background focused on building software or securing a given application. This CISO will be focused on application security and the technical aspects of security, and often carries a technical-controls hammer, so every problem looks like a technical nail. This becomes a narrow view of security and does not lend itself to turning security into a business enabler. While your application may be protected and you may have high walls around it, you are left exposed in all of the other domains.
The Single-Domain CISO is likely the hardest to spot, since the business will assume all is well because the CISO is doing so much to secure that one domain. One flag is that the security vision plan only entails initiatives in that one vertical. Another flag is if they only speak about technical, administrative, or detective controls in isolation but never about layering them together into a risk management strategy. It usually takes another security professional or leader to identify this CISO.
An important note here is that the single-domain CISO may be completely appropriate for a company at a given time in its life. If the company is starting off in a heavily regulated space, then having a governance CISO may be appropriate, but as the company and its products evolve, the CISO will need to adapt to cover all of the other areas to be successful. It is also important to note that great CISOs evolve with their company’s needs. A single-domain CISO today may become a cross-functional CISO tomorrow. The key is identifying whether the CISO you have is failing to adapt to changing business needs.
The Ignored CISO
This CISO is given limited face time with leadership (and is certainly not a member of leadership), and has little to no board time. This may be the result of the board not being security conscious (more focused on the top or bottom line, explosive growth, failure, etc.) and therefore unwilling to spend its limited time on security briefings. The frustration can also be born of a leadership team that perceives security as a purely technical function rather than the interdisciplinary business driver that it is.
Regardless of the motivation, this CISO will toil in a narrow focus. It takes a certain personality type for this CISO to evolve and break out of the pigeonhole to become a CISO with broader impact.
The Cross-Functional CISO
The Cross-Functional or Broad CISO leads a cohesive program, has a strong supporting cast of characters who drive deep into all of the security domains, and can tell the story of their program. Furthermore, this CISO is usually evangelizing outside of the company to share their learnings and grow the community.
The cross-functional CISO also drives deep into the business to understand risk appetite and provide guidance on how to move quickly without stepping on landmines. Security becomes part of the business when it is seen as a contributor to the business and not as a hindrance.
The Public Relations CISO
The Public Relations CISO is like any leader at the company who helps to build the company’s brand. An example from another part of the organization is a CIO who spends most of his or her time on panels or on the road doing presentations. There is nothing wrong with this type of CISO as long as they have a strong cast of supporting characters doing the work back on the farm. Sometimes businesses need this CISO if they have had a breach or if security is also a business development function.
In conclusion, there are a variety of types of CISOs, just as there are a variety of businesses with widely varying needs. The key in all of this is to understand the company’s needs and ensure that the CISO aligns with those needs. Finally, as a business evolves, so do its needs.
Conclusion
In the end, there is no single right CISO archetype. The key is for the organization to be conscious of the type of CISO they have or are looking for, and ensure that the CISO archetype is meeting the needs of the business. This is key for the success of the organization and for the success of the CISO.
I find that the most common reason for a CISO leaving an organization is that the business is interested in having one type of CISO while the person in the role wants it to be a different type. This may be because the business evolved or because the CISO had broader aspirations that the business does not share. If we are all transparent and perceptive up front, then everyone has a better probability of success.