3 Types of CISO

Chess pieces

One of the frequently asked question to has always been

i. What is the role of a CISO?

ii. What do you think a CISO should be doing?

These questions get asked either casually or even when you go for the interview of the CISO role. So folks, listen up, you get to use this when you get interviewed.

Firstly, there is no right answer. Yes, its one of those “it depends” response. I’ll explain why. Most organisations hire a CISO for myriad of reasons. While the title is the same, there are serious differences as to what the organisation requires. For a start, I get clues as to why an organisation hires a CISO looking at the last 6 months of the organisation. Most organisations start shopping for CISO because they’ve just experienced a breach or a security incident and now is convinced they need someone to lead the troops to fortify the fort. Some organisations just had their CISO move on, so they’re looking for a replacement.

CAVEAT: CISO and Head of InfoSec is almost synonymous in most organisations. Few organisation makes clear distinction of this. For this article I use the term CISO. 

So let’s get the meat of the matter. In my world view, I see 3 distinct CISO types. There maybe more, everyone has their own view of things. For this, we agree to disagree. I will use 3 quantitative metric as a guide with loosely defined percentages.

Firstly…

The first, being a CISO who is the technical expert of NCIS (I use this term extensively, its Network, Cyber & Information Security). In a team which lacks deep technical understanding of technology and needs someone to guide them through the nuances of NCIS, how systems work and why it fails and how to prevent breaches. You’re most likely having a team who may be a group of IT engineers whose been reassigned to do Security. Or you have a team that lacks the technical knowledge due to lack of budget (both from hiring and up-skill perspective (don’t shun, this has been the case for many organisations)). As such, the CISO spends most of the time with his one down and the team shaping what’s required in order to keep the shop running. From a CMMI (Capability Maturity Model Integration) perspective, you’ll see the set up performing between Level1 to Level 2.5 on the scale. Senior Management would only be interested to know improvement of security system and process stability and key success factor for the CISO lies on ensuring that NCIS team functions and supports business effectively.

Secondly…

The second, is when a CISO inherits a fairly (keyword: fairly) mature team, which technical expertise and is rather self sufficient. In this role, the CISO looks at direction of the team, identifies how the team can move forward, expand the capabilities and start looking at risk in total. CISO actively involves in senior management discussions, spearheads steering committee for organisational NCIS and starts looking at medium to long term organisational strategy for implementation and posture improvement. CISO now goes beyond short term view, into medium term blueprints and start looking for opportunities of improvement rather than staying afloat. Staff has a development plan for up-skilling and starts having a clear view of career progression within the team. CISO works closely with CRO on technology risk and manages technical debt effectively together with CIO/CTO. Security infrastructure is stable, with security team looking into fulfilment of projects and proper capacity planning to support business. At this rate, the team now operates between Level 2.5 to Level 3.5 of the CMMI.

Thirdly…

The third, CISO looks beyond technology and focuses on business. Board room play with long term strategic business view becomes a priority. Security becomes a business differentiator and you take centre stage together with senior management in press releases, product launches, flaunting how the organisation has made security functionality improvements and creates a differentiator from business proposition perspective. The initiatives, while ensuring organisation stays secure, looks at strategic thrust to support the organisation using channels such as sustainability, ESG and even business value to drive customer adoption and acquisition. With a strong operations team taking care of day-to-day business, CISO one downs looking at continuous improvement and CISO plays the role of business architect to imbibe security into culture and product proposition. Team operates at a nominal range of 3.5 to 5 on the CMMI scale and organisation is well poised for strategic growth.

How do you use this for an interview?

If you give this answer in an interview, most interviewers will say they want all. Reality is, what they perceive is the management’s view, is most often isn’t the case. When entering a new organisation, CISO candidates should stock check using their own assessment on where the organisation is, and adjust their styles accordingly. Questions like “What is the CISO’s priority?” during the interview is most often shirt sighted, and gives an initial indication of the wish list. Knowing the state of the organisation gives the CISO a view of next steps. A good way moving forward is to conduct a gap analysis, using tools like CMMI to map process maturity and ISO 27001 for implementation (this taking into consideration international organisations, while US tends to be NIST centric) helps to get a game plan going.

Remember that you are going in as the expert in security (or deemed as the expert). While the organisation may have an indication what they need, its best for you as the CISO to provide your assessment and set the priorities for senior management and Board. It is also useful to set up Senior Management level steering committee, which will help you to get the resources across the Board to get things moving, and as the CISO you are most likely to report to Board on NCIS. Think about where the organisation is, the expectations, and position the role based on what the organisation needs rather than what you aspire to be 🙂

Parting words…

These 3 classifications are based on what I see and experience at different industries. While they are helpful in determining broad characteristics of role expectation, as the candidate going in, you should do your own assessment. While the grass is supposedly greener on the other side, you will encounter brown or bald patches. You can even use this classification to set broad goals for you and your organisation to strive towards.