Context matters for leadership. There are moments when the strengths of a leader match the circumstances (Churchill) and moments when they don’t (Chamberlain). But oftentimes the ‘spec’ for a leader doesn’t do a great job of taking that context into consideration. Most companies press the easy button with CISO requisitions (just as they do for lower-level roles) and look for somebody who 1) has done it before, 2) in the same industry.
We can do better.
Would you expect an MMA fighter to compete in the Preakness?
Or a pro golfer to do a triple lutz?
No. So you shouldn’t expect to find a one-size-fits-all CISO.
Cybersecurity is both broad and deep. Just as there are no technical unicorns who can do everything in a job description with 80 requirements, there are no CISOs who know everything about security AND have every leadership and business skill that could possibly be needed.
The type of CISO you need will depend on your company size, culture, technology, security maturity, risk posture, and business objectives.
The role and responsibilities of a CISO
CISOs sit at an intersection.
They are responsible for optimizing the cybersecurity posture of a company, in a way that supports the growth priorities and desired risk position of the business.
The CISO's role and responsibilities vary depending on the size, industry, and maturity of the organization, as well as the specific challenges and objectives it faces. However, some of the common duties of a CISO include:
Developing and maintaining a security vision, strategy, roadmap, and budget that aligns with the organization's goals, priorities, and risk appetite
Establishing and enforcing security policies, standards, procedures, and best practices that comply with relevant laws, regulations, and industry standards
Managing security risks, threats, and incidents, and ensuring timely and effective response and recovery
Building and managing a security team that has the right skills, competencies, and culture to deliver on the security objectives
Monitoring and measuring the performance and effectiveness of the security program, and reporting on security metrics and KPIs to the senior management and the board
Staying abreast of the latest security trends, technologies, and best practices, and evaluating and implementing new security solutions and innovations
Building and maintaining strong relationships across the business, and influencing the security culture and mindset across the organization
Success requires a combination of technical, business, and leadership skills, as well as a deep understanding of the business’s context and challenges. However, not all CISOs have the same profile, and different types of CISOs may be more or less suited for different situations.
If you are in the market for a CISO, ask yourself these questions
Instead of the easy button profile (I’d like a person who’s done this before for 10 years in a company in our industry, located where our headquarters is), we need to consider context:
Company and culture
Technology and data environment
Security maturity and regulatory requirements
Risk posture and target maturity
Companies should ask these questions before deciding what type of CISO they need:
What will success look like in 2 years?
What are the top 2-3 things that need to change?
What is the current maturity level of your program?
What is the target maturity level for your program?
What hasn’t worked in the past?
What is your risk appetite? Your risk posture?
What type of person thrives in your culture?
What’s your budget for this role, and is that aligned with the above objectives?
If you don’t have the answers to these questions, you need to find someone who can help you work them out.
CISO archetypes
There are several frameworks for types of CISOs out there. We have our own, based on our own observations and experience. What’s important to understand is that these are just characterizations. Every individual has some combination of these traits and experiences. But we’ve found this framework helpful both in exercises of self-discovery and in identifying the proper type of CISO for the need.
The Builder
The Builder is a CISO who excels at creating and implementing a security program from scratch, or transforming an existing one that is ineffective or outdated. The Builder is a visionary and a strategist, who can define a clear and compelling security vision, and translate it into a realistic and actionable roadmap. The Builder is also a hands-on leader, who can roll up their sleeves and get things done, as well as recruit, train, and mentor a high-performing security team. The Builder is often brought in when an organization is undergoing a major change, such as a digital transformation, a merger or acquisition, or the aftermath of a breach, and needs a strong security foundation to support its growth and innovation.
The Builder's strengths often include:
Being able to assess the current state of security and identify the gaps and opportunities for improvement
Being able to articulate a compelling security vision and strategy that aligns with the organization's goals and priorities
Hiring and team building
Being able to communicate and collaborate effectively with senior management, the board, and other stakeholders to secure buy-in and support for the security program
The Builder's weaknesses can include:
Being too ambitious or optimistic, and setting unrealistic expectations or timelines for the security program
Being good at starting things but not following them through to completion
Being too attached to their own vision or ideas, and resisting feedback or criticism from others
Being too impatient or demanding, and pushing their team or the organization too hard or too fast
The Builder is best suited for organizations that:
Are in the early stages of their security journey, or need a major overhaul of their security program
Have had a major incident (or near miss)
Need to take the program down to the studs and re-build
Need to restore credibility with investors or customers
Understand that security will be core to their business or risk profile, and want to build it correctly from the start
Have a flexible and agile culture, and are open to innovation and experimentation
The Navigator
The Navigator excels in complex, often political internal environments. These are typically found in big companies with a broad sprawl of stakeholders and functions. The Navigator is a resilient and resourceful leader, keenly capable of building relationships and reading the tea leaves, and typically has the most impact through influence rather than direct authority.
The Navigator's strengths often include:
Understanding the dynamics of complex organizational and technical environments
Ability to build strong relationships
Strong negotiation skills and ability to form alliances and coalitions
Understanding people: their motivations and triggers
The ability to translate security concepts into the language of the business
The Navigator's weaknesses can include:
Spending too much time out in the organization and not enough with the team, and losing credibility with the staff
A lack of attention to detail
Being too dependent on, or constrained by, existing resources and capabilities, and missing potential security improvements or innovations
The Navigator is best suited for organizations that:
Are large, complex organizations with broad sets of security stakeholders
Can afford an operationally oriented deputy CISO
Want security to be increasingly interwoven with the company
The Technician
The Technician excels at designing and implementing the granular aspects of the security program. The Technician has a deep and broad knowledge of security technologies, tools, and best practices, and can apply them to the specific security needs and challenges of the organization. This type of CISO is a hands-on and detail-oriented leader, who can oversee and manage the technical elements of the program, and ensure the quality and compliance of the security solutions and services. This type of leader is appropriate when an organization is heavily reliant on technology (for example, a software company), has a highly complex technical environment, or is of a size where the leader needs to be a player-coach.
The Technician's strengths often include:
Ability to tackle a broad number of engineering and operational challenges and get to a solution efficiently
Ability to evaluate and select the security technologies, tools, and vendors that best suit the organization's security requirements and budget
Capacity to be hands-on and ‘do’ in addition to leading others who ‘do’
Ability to engage effectively with the team at a detailed level
Being able to stay abreast of the latest security trends, technologies, and best practices, and keep the organization's security solutions and services up to date
The Technician's weaknesses can include:
An inability to effectively influence the rest of the organization to adopt secure practices
Struggling to justify investment requests
A tendency to overengineer solutions or build in too much complexity
Being too hands-on or detail-oriented, and micromanaging the technical security operations or staff
Being too dismissive of the opinions or feedback of others who are less technical or knowledgeable
The Technician is best suited for organizations that:
Are technology companies, where security must be deeply embedded into the product and culture (and that is a given starting point)
Can’t afford a large team, and need a hands-on practitioner to run the program
Have a significant budget and resources for security, and can afford to invest in the best security technologies, tools, and vendors
Have a clear and defined security vision and strategy, and are aligned on the security goals and priorities
Have engineering-led cultures
The Statesman
The Statesman has a dual role: both building and running the security program for the company, and also being an evangelist for the company externally. These are balanced internal/ external roles which lean heavily on a combination of security knowledge and selling/ client relationship skills. They are commonly found in CISO or field CISO roles for security technology and services companies.
The Statesman's strengths often include:
Deep experience as a security practitioner, which lets them tell ‘war stories’ and gives them a high degree of credibility when engaging with other CISOs
Strong storytelling capabilities, often accompanied by an interesting backstory such as national security/ DOD/ law enforcement
Being able to communicate and present effectively and confidently to various audiences, such as senior management, the board, regulators, media, customers, and peers
Strong relationship building and networking skills
The Statesman's weaknesses can include:
Operating at too high of a level to be effective at daily operations
Struggling to carry their skills from the initial sale all the way through to delivery or team management
Struggling to move past a talk track/ set of experiences that have been formative and yielded success in the past
Being too self-promoting, and turning off peer stakeholders
The Statesman is best suited for organizations that:
Are a security startup looking for a CISO who will play a major role in client conversations/ selling
Are a consulting firm that provides security work and could benefit from a practicing evangelist
Are government contractors
The Auditor
The Auditor is a detail-oriented CISO who excels in environments with a strong orientation toward compliance. These types of CISOs are ‘steady hands’ and a good fit when an organization is facing a high level of compliance scrutiny, liability, or risk, and needs a rigorous and reliable security leader to ensure alignment.
The Auditor's strengths often include:
Being thorough, detail-oriented, and reliable
Comfort with building process and establishing detailed documentation of policies and procedures
Comfort with complex systems (both underlying system architectures and security programs)
The Auditor's weaknesses can include:
Overreliance on achieving compliance with frameworks while overlooking meaningful security gaps
Having an overly black and white view that limits ability to build relationships and trust across the organization
Missing opportunities to bring novel and innovative approaches into the organization
The Auditor is best suited for organizations that:
Are heavily regulated
Already have fairly strong security programs, and don’t need a significant transformation
Can achieve ‘good enough’ security (meeting the business’s risk appetite) by implementing the required compliance frameworks
Have a formal and structured culture
The Operator
The Operator excels at running and optimizing the security program. These people are good at taking something that is already in solid shape and making it even better. The Operator is often brought in when an organization has a stable and mature security program, and needs an experienced steward to optimize and adapt it. These are well-rounded, strong leaders for whom fit is less about unique skills and more about the type of work they enjoy doing.
The Operator's strengths often include:
A strong overall balance of technical, leadership, and business skills
A continuous improvement mindset
A tendency to be loyal and happy with being in a stable role for the long term
The Operator's weaknesses can include:
Strategic planning, design, and large-scale change management
Articulating a compelling vision
The Operator is best suited for organizations that:
Have a stable and mature security program, and need a consistent and efficient security leader to run and optimize the security program
Have a generally high degree of alignment around the value of and expectations for the security program
Have clearly articulated risk appetites
Have a pragmatic and results-oriented culture
The Fractional CISO
The Fractional CISO provides security leadership and guidance to a client on a part-time, temporary, or project-based basis. The Fractional CISO is a generalist and a consultant, who can adapt and adjust to the different security needs and challenges of the company, and provide the appropriate security solutions and services. This type of CISO may also fit many of the above archetypes, but generally enjoys the challenge and variety of serving multiple clients. This is a good avenue for companies that don’t need a full-time or permanent CISO, based on their size or risk appetite.
A Fractional CISO's strengths often include:
Breadth: they are able to ‘be dangerous’ across the full spectrum of cybersecurity domains
Ability to quickly assess the robustness of a security program and design a path to get to the desired level of maturity
A client-service orientation: responsiveness, strong communication skills, and empathy
The Fractional CISO is best suited for organizations that:
Do not have a full-time or permanent CISO, or need specific security expertise or assistance, and need a flexible and affordable security leader to fill the gap or address the issue
Are in the early stages of their security journey, but don’t need or can’t afford a full-time CISO
If your company is in the market for a CISO, give Crux a call