Let me share a story with you...

Picture this, an “executive” level meeting is called at a medium-sized organization.  The invitation included the CEO, CFO, CISO, COO, VP of IT, a Sr. Engineer from the technical team & the (external) principal consultant. The topic at hand: review of the latest audit results.

Fast forward a little bit, the meeting is underway, and the consultant is working through what they consider to be the high points for the organization.  A question is posed by the CEO, to all parties present.  The question lingers.  No answer is presented.  The CEO looks around the table, both astounded and frustrated, then gives a gentle shrug while looking at the consultant.

The consultant leans back and crosses his arms. With a little grin creeping across his face, he begins to see that he has finally underscored the problem and that the executive team is suddenly realizing what it is.

What is going on here?

This may sound implausible, but this happens quite often.  Cybersecurity is a multidisciplinary practice, even at its highest levels.  This presents a problem.  Who is ultimately responsible for the cybersecurity posture of an organization (specifically regarding this example: who should be answering the CEO’s question)?  The CISO? The COO?  The CEO, the executive team, the board?

I believe the source of this problem stems from a misunderstanding of what a CISO is, within each specific organization.  How can this be?  

It has occurred to me that the “CISO” role and associated tasks will be highly variable depending on a few key factors.  They are:

  • organizational maturity
  • the organization’s vertical
  • executive team composition

Instead of defining how each of these factors impacts the role of the CISO, I will instead describe a few common “CISO roles” found among organizations that map back to these factors.  The point here is to enable you to identify the type of CISO an organization has (or is looking for) so that you can be prepared to come in and make the greatest impact possible.

The “ex post facto CISO”

You will often find this person in a smaller organization, one that has not yet identified IT as a critical component of its success.  This organization could be a very old manufacturer of auto parts, or it could be a very new developer of an Ethereum platform.  They will often have regulation forced upon them, in response to which they will either consult with a 3rd party or wing it and identify an individual internally who “handles all our security”.

While this person often won’t get the title of CISO, they are in fact the one at the helm of security within the organization.  They most likely won’t integrate into the C-suite and will often be brought into projects after they have started (hence the name).  This person will be loved and admired, then forgotten until either a question about the security budget is raised or a project deliverable is missed because of a security concern.  If you’re this person, in this role you have a tough decision to make.  You must ask yourself, “will this organization one day realize the value I bring via the work I perform?”  If the answer is no and you’re unhappy about that, start looking around…your skill set is in high demand!  If the answer is either no and you’re OK with that, or yes and there is room to grow this role, then get ready to enter the “Startup CISO” mentality described below!

The “Startup CISO”

The “startup CISO” will find themselves working on tasks and (metaphorically) look up and say, “why am I doing this…I’m the CISO”.  The startup mentality is a real thing; “wears many hats” is what you might see in a headhunter’s job description for this organization’s CISO role.  This will often include security engineering, GRC work, security analyst tasks and of course CISO tasks like choosing strategic solutions for the future.

If you find yourself in, or are considering, the “startup CISO” role, there is tremendous opportunity here.  The most obvious benefit is the chance to craft an information security program from the ground up!  Second, you will very likely still be “hands on” with tech. This will vary from employer to employer, but the fact is the startup mentality demands that most technologists be hands-on until growth dictates otherwise.

The “Established CISO”

A CISO in an established role may sound like the easiest to walk into of all the CISO types defined here, but don’t be fooled!  There is likely a reason for the vacancy!  Not to say that you’re going to become a patsy, just don’t make any assumptions about the quality of work prior to your arrival.

If you’re an established CISO in the trade or looking to move into the classic CISO position, this is the role for you!  You’re going to be the least hands-on of all the CISO roles defined here.  You will be very strategic in planning and will often need a background of experiences that support the organization’s vertical (regulation, compliance, etc…).

The Fortune 500 CISO

The big Fortune 500! The coveted list of the 500 largest corporations in the United States, ranked by their total revenue.  When you’re employed by a company on this list, there is a very good chance your concerns will focus primarily on litigation, regulation and compliance.  This will of course depend on the organization; some are more risk averse than others.  An interesting note before we move on: of all 500 companies on the list in 2019, nearly 200(!) do not have a CISO.

So, what kind of CISO are you or will you become?