4 archetype CISOs
To get a better understanding of the infancy issue of the CISO role, let us elaborate on four archetype CISOs based on our experience and research. We focus our observations on span of control, mandate, organizational position, and main challenges of the archetype. We do this to empathize on the current challenges we see on why certain CISOs are more successful than others and it has also relates to which CISO you deserve and getting the right CISO to get the job done.
(Corporate) Information Security Officer (CISO)
Advisor to the corporation, most of the time the board or CIO. Has no staff and no budget. Enforces strategy via functional steering and has limited control or power in the business. Build "security-in" afterwards. Mostly found in governments or non tech-born companies that have limited technology dependencies, like traditional industries.
Chief IT security officer (CISO)
Is positioned in the IT and sometimes in the CIO Office. Small staff and no budget. Budgets are mainly the annual CIO-related IT budgets that are calculated via old-school budgeting methods of percentage of IT, mainly HR cost. Very little interaction with the business and working in the IT silo on implementing IT security controls. Limited focus on Security returns (e.g. ROSI modelling) and limited opportunities to sell to board or business executives who hold the “real budgets”. Mostly found in decentralized enterprises where IT (security) is separated in a central delivery organization. This CISO is in hierarchy conflict with his boss who is ultimately the boss and can overrule. This CISO is more in a squeeze when his ally, the DPO, is also in a “staff” position at the central organization.
Chief Information Security Orchestrator (CISO)
Orchestrates security control via multiple third parties, such as IT service suppliers, cloud providers, pen testers and SOC suppliers. Organizations that are part of an eco-system of suppliers, aka hybrid environments. They oversee the full field of responsibilities and expected outcomes. Aligns with business executives as partners and makes business agreements on first line business ownership, craftsmanship and KPIs. Has a Target Operating Model in place to exercise first-line responsibility of directing policies and standards and 1.5-line oversight and quality assurance on control effectiveness. Has own staff, budget, and board support. Is independently positioned from IT and is an enabler towards new business initiatives and has a seat at the business and board table. You see this CISO typically in organizations that understand security is part of doing business. Understand that talent is scarce and you are better off buying it from the market via RFPs and tenders with clear SLAs rather than building your own team of “less sharp knives in drawer” or nagging ducks that are not able to swing like an eagle. This CISO applies clear economic drivers to justify investments and understands they are “part of the business”.
Chief Information Security Officer (CISO)
The new generation CISOs in tech companies (Uber, Google, ZOOM, Booking.com) that “is the business”. Has a direct reporting line to the management board or/and supervisory board. Is in constant dialogue with key stakeholders like 2nd line risk management, internal and external auditors and regulators.
Their board understands that the word “chief” actually entails mandate, budget and personnel to fix the job and the chief can actually take full accountability. This CISO has direct lines to the IT security department and has “hire, admire and fire power”. They own their profession and organize their security via clear Target Operating Models with internal and external SLAs to measure and monitor the entire security performance of the entire extended enterprise (cloud, IoT, OT). IT and business are fused and at every new business initiative the CISO (or team-member) is at the table. The deputy CISO organizes the internal security organization as a "COO" and makes sure the administration is up to par and talent in teams is nurtured, educated and constantly challenged. The enterprise security architect in the team ensures that the complete environment is designed and implemented with the latest comprehensive technologies and methods. We sometimes refer to the level 4 CISO.
We see the last two CISOs emerge more and more and become the de facto for well-prepared companies. In more and more cases this is a woman with no IT background but with strong alignment and leadership skills. But we also understand that every organization has a legacy, organizational structures and attitudes that cannot be changed overnight.
Guidance on getting the CISO you deserve is still in limited availability, especially on the last two CISO archetypes we mention. The European Competence Framework (eCF) defines the role of the CISO as strategic and mainly focuses on the hard capabilities but never on softer organizational aspects as we discuss in this blog.
The digital security profession has a long history and in the current era it is becoming even more important, with more people in organizations working on digital security. However, we often see those people having a more operational and tactical history and approach, without actual hands-on governance and leadership experience.