The CISO’s role is to protect the business from cyber threats, but often times companies and CISOs alike aren’t fully aware of the type of CISO that’s needed for the job. The type of CISO needed depends on a variety of factors; from where the company is in its own lifecycle, to the type of data that it protects, to the industry in which it is situated.
In some cases, an appointment to the CISO role is accidental. A COO pulls the IT strategist aside and says how impressed that he/she was with the individual’s performance across the past year. “Would you be interested in running cyber security?” he or she says. “We think you’re the right person for the job as we scale the company.”
As the CISO’s role develops and begins to support organizational priorities, thinking around the type of CISO that a business needs gradually crystalizes.
6 types of CISOs
According to one global analyst firm, there are 6 different types of CISOs that a given organization may cycle through. The type of CISO that an organization needs might change as a business evolves. Here’s a break down:
1. The transformational CISO. This CISO walks in as an energized leader with a 3-5 year plan. He or she enjoys setting micro-goals, being efficient, serving as a strategic driver of business transformation, pushing past challenges, and achieving strong business outcomes.
2. The post-breach power-player. CISOs of this type thrive in turbulence. After a breach, they’re excited about rebuilding a company’s security. These CISOs have the chops and confidence as not to mind becoming the “punching bag” for security concerns, spaghetti-at-the-wall initiatives and new security vendor presentations.
3. The compliance guru. The compliance guru CISO typically works in a highly regulated industry and is fluent in regulatory compliance lingo and legalities.
4. The tactical/operational CISO. Traits of tactical CISOs include focusing on opportunities within current programs, setting a vision based on existing technical drivers and current requirements, describing security as assurances, and working to understand a domain via red and blue teams.
5. Steady state or maintenance CISOs. This type of CISO isn’t necessarily leading massive transformations right now, and that’s perfectly acceptable. Security maturity may have been attained, and at present, it needs to be managed, optimized and promoted as a strategic business enabler. This CISO needs to perfect architecture, but not procure products.
6. The customer-facing CISO. This individual enjoys serving as a spokesperson for cyber security. In some cases, tech firms retain these types of CISOs due to their charisma, connection with and appeal to customers.
According to analysts, the transformational CISO is unlikely to thrive in a ‘steady state’ company. Similarly, post-breach CISOs are eager to contend with the aftermath of devastating data breaches and may be dismissed or want to leave after three years of clean-up.
Organizations may need to transition into or out of divergent CISO roles based on operational needs. For example, after a post-breach CISO departs, a company may need a tactical/operational CISO or a ‘steady state’ CISO to keep security humming along.
The BISO role
In addition to CISOs, within the ever-expanding security ecosystem, an increasing number of organizations are now hiring for BISOs. The BISO’s mission is to coordinate security initiatives across the enterprise, freeing a CISO from some administrative or tactical responsibilities, allowing the CISO to closely focus on building security systems.
A large percentage of organizations are short on cyber security staff. Do you need more people to over see strategic, operational, technical and budgetary aspects of data management and protection?
Do you know what kinds of cyber security leaders you’ll need next?