EXECUTIVE SUMMARY:

A two-year study by Synopsys aimed to learn more about CISOs’ roles and how they compare with one another. After interviewing CISOs at major companies like ADP, JP Morgan Chase, Facebook, Starbucks, and others, Synopsys concluded that there are four types, or tribes, of CISOs. Which one you are is determined by how your role is defined and how your organization addresses cybersecurity.

The four categories identified don’t just relate to the individual, but to that person’s organization, as well. Kelly Sheridan from Dark Reading reports, “There is no ‘universal blueprint’ for the CISO but there are common factors researchers used as a basis for comparison among CISOs they interviewed. These included workforce (organization structure, management, staff), governance (metrics, budget, projects), and controls (framework, vulnerability management, vendors).”

TRIBE 1: SECURITY AS AN ENABLER
In this tribe, cybersecurity is part of the company’s DNA and everyone is on the same page. Sheridan writes, “In these firms, the CISO is the highest-level executive under the CEO. Security is business-centric; every division thinks about computer security and security is part of everybody’s job.”

TRIBE 2: SECURITY AS TECHNOLOGY
This tribe uses advanced security, but the CISO, while senior, does not hold the same level of leadership as in Tribe 1. “In a software firm or another tech-focused company, tier 2 CISOs don’t need to aspire to move up because the business is already focused on tech and they don’t need the executive pull,” explains Sheridan.

TRIBE 3: SECURITY AS COMPLIANCE
When organizations set compliance as the goal, the Tribe 3 CISO is typically frustrated by the low bar that’s set. That’s because the CISO knows that effective cybersecurity is not achieved by mere compliance, and yet is unable to push the company to invest properly.

TRIBE 4: SECURITY AS A COST CENTER
Likely the largest of the four different tribes, this category is characterized by organizations that are still trying to get a grip on what cybersecurity is and how to prioritize it. As a result, CISOs from this tribe are more like Directors of IT who must fight for budget and who find themselves overloaded.

According to Sheridan, knowing which tribe you fall into is key to changing your organization.

Read the full story at Dark Reading.