What type of CISO are you? How to choose a company that fits your style of doing business
The effectiveness of the head of the cybersecurity department depends largely on the company where they work.
A mismatch between a CISO and the company they work for can lead to stress, frustration, burnout, and employee turnover, affecting both the CISO and their subordinates. To create an environment in which you can work comfortably, it is worth determining your leadership style in advance.
The role of the CISO has grown in importance in recent years as evolving and escalating digital threats raise the stakes for organizations of all sizes and backgrounds. But organizations do not always clearly understand what they want from their CISO. And CISOs, in turn, are not always clear about what kind of leaders they are or want to be.
“CISOs are not the same for different companies and industries. We are still in the infancy of understanding what this role really is and how it fits into the strategic focus of the business,” said Steve Cherchian, CISO of XYPRO Technology Corp., a cybersecurity analytics firm.
Businesses often look to CISOs themselves to define their role. Experience and personality strongly influence how a particular type of CISO operates, often with unintended consequences for the organization.
“Some CISOs will see an opportunity and push it forward. Others in the same role will avoid risk and maintain the status quo,” Cherchian added.
Jeff Pollard, vice president and principal analyst at Forrester Research, believes that the incompatibility between cybersecurity leaders and their organizations, which he calls a “lack of company CISO compliance,” leads to burnout and contributes to high employee turnover. According to a study by the Enterprise Strategy Group, a person holds a CISO position for two to four years on average, after which they change either the position or the company they work for.
“When the views of the company’s management and the CISO on the nature of the work differ, the CISO can be effective, but their engagement will be weak. Such a CISO will not feel happy, motivated and energized, and the thought of soon leaving the company will follow them around,” said Pollard.
6 CISO types
Jeff Pollard and Forrester colleagues Jinan Budge, Paul McKay, and Claire O’Malley decided that CISOs, like CEOs, needed a framework to help them identify themselves and define the situations in which they excel. They believe that an archetype classification can determine whether a particular CISO is a good fit for a particular company. This helps CISOs discover their strengths and avoid painful identity crises in the workplace, and it helps companies avoid the downsides that come with a CISO who is dissatisfied with their work.
According to Pollard, six distinct archetypes emerged from exploratory interviews with current CISOs.
1. Transformational CISO. Forrester described the transformational CISO as energetic, extroverted, dynamic, and outspoken. This person usually already has significant business experience. The transformational CISO leads the effort to transform an inward-looking security program into one that aligns with customer needs and business outcomes. Transformational CISOs should look for vibrant companies with similar cultural values that are committed to change at the macro level.
When transformational CISOs have successfully reorganized and achieved what they set out to do, they tend to lose interest in the job, get promoted, or change companies. Not because they are dissatisfied, but because they have nothing more to strive for within the position.
2. Post-hack CISO. Forrester defined the “Post Hack CISO” as having a calm, concise, and results-oriented leadership style. This person joins the enterprise after a major, often high-profile cyber incident to mitigate the impact and oversee significant new security investments.
“The leaders of this archetype we spoke to told us that they love that the job is very difficult at first and requires massive change,” Pollard said.
According to the study, this type of CISO should remain in the new role for at least a few years. Once the enterprise regains its balance and reaches a stronger security position, it will most likely be ready for a new CISO. And the current leader will most likely want to move to another company that finds itself in a similar situation, in order to keep doing what they love.
3. Tactical expert. As Forrester researchers found, CISOs with tactical and operational experience are often seasoned technology practitioners. For example, a successful security engineer may earn promotion after promotion, eventually reaching a senior CISO position. Pollard described these professionals as detail-oriented, analytical, capable, adaptable, and determined. These CISOs excel at handling operational disruptions and bring a hands-on approach to unforeseen technical issues as they arise.
Tactical and operational experts can remain happy and productive in their CISO roles indefinitely. However, if an organization’s business model begins to undergo major changes, a transformational CISO may be better suited to adapt the security program accordingly.
4. Compliance guru. This CISO archetype often has a less technical background but is well versed in data privacy laws, regulations, audits, and so on. This type of CISO leadership style is typically based on a risk management approach with an emphasis on compliance with all relevant standards and requirements. Compliance gurus tend to be disciplined, organized, detail-oriented, and averse to chaos. They protect the interests of the organization through rigorous processes and careful documentation.
These security leaders should seek positions in organizations under intense regulatory pressure, where they can make a meaningful contribution.
The compliance guru should consider leaving the CISO role if regulatory issues become less important, whether due to asset divestitures or shifts in business priorities. For example, such a CISO is likely to dislike working in an organization looking to refocus on an aggressive, outward-facing technology strategy.
5. Steady-state CISO. This type of leader is best suited to an organization that seeks to maintain an existing security program with incremental improvements over time. This requires a calm, measured leadership style and the ability to advocate for conservative but consistent investment in the cybersecurity program.
“Resilient CISOs have a kind of calm confidence. They are not afraid of change, but they are really good at adapting an existing program within organizational constraints,” Pollard said.
However, because cybersecurity threats evolve so rapidly today, this slow and steady approach may have a limited shelf life. Forrester analysts advised CISOs of the steady-state archetype to move into new roles if they begin to feel that organizational resistance to change forces them to accept an unacceptable level of risk.
6. Customer-facing CISO. Customer-facing leaders embrace the opportunity to interact with external stakeholders such as customers, the media, and the public. They are typically confident and charismatic leaders who thrive in a chaotic, fast-paced environment and have a deep understanding of application development and product management processes.
This type of CISO needs a company that sees software development as a central part of its business model and security as a key differentiator.
A customer-facing CISO should consider leaving the position if the organization decides that its security program needs to become more internally focused, thereby limiting the external interactions that this type of leader loves.
How to identify your CISO archetype and avoid an identity crisis
To some extent, CISOs who accept a job at a particular company most often do not understand their own cybersecurity leadership archetype and are “victims of chance.” Many, having received an invitation to an interview, simply assume that one does not turn down such opportunities, and hope for the best.
A mismatch between the CISO’s archetype and the company they work for can even cause a sense of malaise over time. For example, a steady-state CISO who is expected to revolutionize company security is often anxious, and their self-confidence suffers. In turn, a transformational CISO who is suddenly charged with maintaining stability and continuity without any reform typically experiences chronic disappointment and a sense that their work is meaningless.
To avoid regretting a job at any company, even a very large and well-known one, it is advisable to determine your archetype in advance and look for a company that meets your requirements, rather than desperately grabbing the first offer.
However, any experience, even a negative one, is still experience. And if the first job turns out to be a poor fit, the CISO will at least know exactly what they want and in which kind of company they would prefer to work.