Which type of CISO are you? Company fit matters


The role of CISO has grown in profile and importance in recent years, as evolving and escalating digital threats raise the stakes for organizations of every size and stripe. But organizations aren't always clear about what they want from their CISOs, and CISOs aren't always clear what kind of leaders they are or want to be. CISO training helps to bring about clarity, but communication and clear expectations are also critical.

“The way he understood what he did, or said he did, and how he described himself crystalized something for me,” Pollard said. “I don’t know that the CISOs we speak with have that sort of elevator pitch to succinctly explain themselves and their careers.”

6 types of CISO

1. Transformational CISO. Forrester described the transformational CISO as energetic, extroverted, dynamic and outspoken. This person typically hails from a change management, communication or business background with experience navigating a complex political environment. The transformational CISO leads the charge on turning an internally focused security program into one that aligns with and supports customer needs and business outcomes. Transformational CISOs should look for energetic companies with similar cultural values that are committed to macro-level change.

Once this type of CISO has successfully revolutionized a security program, they may start to feel restless. At this point, it is likely time to move onto another transformational role, enabling someone with a different leadership style to step in and oversee the new status quo.

“Once the transformational CISO has climbed the mountain, they finished what they started, and they’re onto the next one,” Pollard said. “They’re leaving strategically and in a good place — not because they’re unhappy.”

2. Post-breach CISO. Forrester identified a post-breach CISO as having a calm, succinct and process-oriented leadership style. This person enters an enterprise after a major, often high-profile, breach to mitigate the fallout and oversee significant new investments in cybersecurity.

“The post-breach folks we interviewed told us, ‘This is what I get excited about — I like the fact that it’s really tough in the beginning,'” Pollard said.

According to his research, this type of CISO should expect to stay in a new role for at least a few years. Once the enterprise has regained its equilibrium and achieved a stronger security stance, it’s likely ready for an operational or steady-state CISO. The post-breach CISO can then move on to do more of what they love: helping another company in crisis.

3. Tactical and operational expert CISO. The CISO with tactical and operational expertise is often a seasoned technology practitioner, the Forrester researchers found. A successful security engineer might land promotion after promotion, for example, eventually leading to C-level roles. Pollard described these professionals as typically detail- and action-oriented, analytical, capable, adaptable and decisive. Tactical and operational CISOs excel at taking operational disruptions in stride and bring a practical perspective to unanticipated technical challenges as they arise.

Tactical and operational experts can remain happy and productive in their CISO roles indefinitely. If an organization’s business model starts to undergo major changes, however, a transformational CISO might be better suited to adapting the security program accordingly.

4. Compliance and risk guru CISO. The compliance and risk guru CISO often has a less technical background, with expertise in data privacy laws, regulatory requirements, audits and so on. This type of CISO's cybersecurity leadership style tends to be based on a risk management approach, with an emphasis on compliance. Compliance and risk guru CISOs tend to be disciplined, organized, detail-oriented and chaos-averse, guarding the organization's interests via rigorous processes and thorough documentation. This type of CISO, the Forrester analysts wrote in their research report, "thinks 'lawful good' as a character trait is a clear virtue."

These security leaders should look for positions in organizations with intense regulatory pressure, where they can make meaningful contributions. A compliance and risk guru should consider departing a CISO role if regulatory issues become less important, whether because of divestments or shifting business priorities. For instance, a compliance and risk CISO likely won’t be happy at an organization looking to reorient itself around an aggressive, externally facing technology strategy.

5. Steady-state CISO. A steady-state type of CISO is best suited to an organization that aims to maintain its existing security posture with incremental improvements over time. This calls for a calm, measured cybersecurity leadership style and an ability to advocate for conservative but consistent investments in the program.

“Steady-state CISOs have a sort of quiet confidence,” Pollard said. “They’re not afraid of change, but they’re really good at adapting an existing program within organizational constraints.”

Because cybersecurity threats evolve so rapidly today, however, this slow-and-steady approach may have a limited shelf life. The Forrester analysts advised that steady-state CISOs move on to new positions if they start to feel the organizational resistance to change means they have to shoulder unacceptable levels of risk.

6. Customer-facing evangelist CISO. Customer-facing evangelists embrace the opportunity to interact with external stakeholders, such as customers, media and the public. They are typically confident and charismatic leaders who thrive in chaotic, fast-paced environments and also have a deep understanding of application development and product management processes.

This type of CISO needs an organization that sees software development as central to its business model and security as a key differentiator. Finally, a customer-facing evangelist CISO should consider leaving a role if the organization decides its security program should become more internally oriented –

So, what type of CISO are you? Avoiding an identity crisis

To some degree, CISOs who accept jobs without understanding their own cybersecurity leadership archetypes are victims of chance, said Budge, a principal analyst who works with Pollard on Forrester’s CISO research.