Last week I wrote two posts about CISOs. The first on Are we running out of CISOs? and the second on RSA: Are We Talking About the Right Things? Missing from both of these posts is a discussion of the types of CISOs. Not all CISO roles are created equal.
I’ll try below to describe the different types of CISO roles I see without applying the person I know who fills them. In most cases, the role is dictated by the company and less by the individual who fills in. In fact, one of the biggest mistakes companies make is hiring the wrong person for the wrong role. There are highly stereotyped roles and no actual job description would fit these perfectly.
Let’s also not get too focused on the actual title CISO (or CSO) as many people who fill each of these roles hold VP, SVP, Director, Managing Director or other titles that don’t explicitly say CISO.
The Executive CISO
This is the role we typically hear about. They report directly to the CIO or other CXO but have access to the C-suite and routinely brief the Board on security risks. They likely are enabling the business through security. The key success criteria is their ability to communicate.
The Non-Executive CISO
It’s the same as above, but instead of having the conversations directly with the C-Suite and Board, they’re passing the message on to the CIO who presents the information. They probably talk to the Audit Committee once or twice a year. There is nothing wrong with this role, just that it doesn’t have the C-suite and business access as the Executive CISO.
The Manager CISO
I’ve seen many situations where the organization says We need to put a really good manager to run security. Here the CISO doesn’t have too much security experience, but has a wealth of management experience. They are the conduit between the technical security team and the rest of the organization. If you can’t find an Executive CISO, many companies choose this option. Warning: the team under the CISO often has trouble working for a Manager CISO. I’ve also seen some Manager CISOs over time become great Executive CISOs. This option can work with the right person.
This was the classic CISO. A very technical individual rises through the ranks driven by his/her security intelligence. In technology driven organizations (like SaaS companies), this role works well. If everyone is a techy, so should the CISO. Where this role falls short is that often the Technical CISO has trouble showing the value proposition of security to the business.
Product CISO is very similar to the Technical CISO except at a product company (i.e. medical device, internet of things, etc). Since the product itself has to be secured, they spend much more of their time thinking about the product than they do about the enterprise itself. By its nature, the Product CISO tends to have a pretty good relationship with the business.
Let’s call the Non-CISO CISO the seat filler. Some regulatory agency came by and said you need a CISO. So they looked around and this person got the job. A few years ago, this would commonly be filled by the VP of Infrastructure. Recently I’ve seen a combination CIO and CISO. I assume this is a position in transition — they will hire a CISO — but I suppose this isn’t always true.
The Buried CISO can actually be someone who can fill any of the roles above. But their position within the organization is too low to be effective. There are situations where the CISO fills a role lower in the organization than is traditional, but is very effective. Especially in large, complex organizations, reporting to a CTO who reports to a CIO can still be a very effective CISO. Specifically, the CISO should report to whomever makes sense culturally. I’m not an advocate for specific reporting relationships other than the overall effectiveness of the role.
Hiring a CISO
Back to my original comment, companies often interview a bunch of candidates for the Executive CISO role and end up settling for someone who is a Non-Executive CISO. Unfortunately, they never change the role. All of these roles can be effective in many organizations, the important part is matching the person with the role they are best suited for.
Finally, when we talk about the changing role of the CISO, we’re often talking about the Executive CISO. And yet, we don’t have enough people in our industry to be Executive CISOs. As a community, we need to do a better job of growing our talent so we’re maturing more people to fill these roles.