[BreachExchange] The Tale Of Three CISOs And The Skills They Bring

Destry Winant destry at riskbasedsecurity.com
Mon Mar 25 02:19:53 EDT 2019


https://securityboulevard.com/2019/03/the-tale-of-three-cisos-and-the-skills-they-bring/amp/

As with any position, there will be different types of people that
hold the CISO position. During our conversation with Rick Lemieux, CRO
of itSM, we dove deep into the three archetypes of CISO that have
emerged: the Visionary, the Teacher, and the Technician.

These three flavors of CISO each bring a unique set of skills to
tackle similar challenges, and as a result, these various strengths
and weaknesses illuminate their superpowers as well as opportunities
for development to accomplish their goals.

Every organization, of course, is different in its needs from a CISO.
For some organizations, the CISO is hired because the executive
leadership team needs a clear path forward, in other cases, the
organization is undereducated in information security best practices,
and some organizations require a leader to build the actual security
infrastructure necessary for the digital age.

The Visionary CISO

The Visionary CISO’s superpower is in their ability to align security
practices with business outcomes. They can articulate a concrete
vision for their security program and solicit buy-in from
non-technical stakeholders with ease. A visionary CISO typically
emerges in an organization that has an established information
security program but is perpetually playing catch-up. The visionary
CISO is best suited for these opportunities given that the
organizations that they succeed most at have at least a limited
awareness of the need for information security.

Consider this: an organization is reaching the point where the
Director of IT will give way to a CISO. This organization has the
precursors to a mature cybersecurity program, but it has been
reactionary to date. It has been hung up on regulations and
checkbox compliance, securing new technologies as other departments
embrace digital business; the strategy is a patchwork approach to
keeping the organization secure. The plan is not in the hands of the
cybersecurity team.

It is at organizations like this one that the visionary can shine. The
CEO and board are aware that cybersecurity is essential and they may
even be accustomed to investing in security to a degree. The challenge
that a CISO at this type of organization will face is consolidating
the fragmented initiatives and teams that are trapped in perpetually
reacting to the organization into a group guided by a singular vision.
For this CISO, it will require buy-in above all. They must be able to
collaborate with the rest of the C-Suite to illustrate how security
and risk management can empower business growth. In this case, the
Visionary will be able to do that most effectively.

You’ll notice, though, that the environment best suited for the
Visionary already has the precursors to an active security program –
the enterprise is already investing in security, personnel are
there (albeit distributed), and all that’s necessary is a guide to
unite those pieces into a cohesive unit. Visionaries thrive in this
environment because they’re best suited for unifying and reconfiguring
existing pieces while adding more to existing infrastructure.

The Teacher

A Teacher CISO is best suited to tackle the problem of awareness
within an organization. Where the Visionary can guide, the Teacher can
teach.

Think of an organization that has an established security team, whose
senior leadership is accustomed to investing in cybersecurity and
sees the need for it. The senior leadership recognizes the need for
security, but the rest of the organization does not. In the digital age, a
risk-aware culture is becoming ever more important – attacks are no longer
merely technical but leverage non-technical employees’ lack of
risk-awareness to get access to secure systems. It is in this
environment that the Teacher can add the most value. Where the
Visionary is best at bridging the gap between the Board and
information security teams, the Teacher is best at bridging the gap
between IT and the rest of the enterprise. She brings in-depth
technical knowledge, of course, but what makes her unique is being able
to translate that jargon into non-technical concepts that other
business units can understand.

The Teacher thrives in a position where the goal is to expand security
awareness throughout the organization. A teacher CISO, though, needs
to come into a situation where there is already buy-in from the CEO
and Board. The Teacher is more a catalyst for change rather than a
component of the reaction. The goal for a Teacher is to expand
awareness throughout rather than building from the ground up.

The Technician

When most people outside of cyber think of a CISO, they think of the
Technician. The Technician is the iconic technical leader – he brings
a remarkably in-depth knowledge of the technology that drives security
and the threats that organizations face.

The Technician thrives in an environment that is building from the
ground up, as he knows how to build things right. His brute-force
knowledge of security makes him difficult for non-technical
stakeholders to relate to, but because his understanding is so often
misunderstood, it becomes practically ethereal.

Consider the organization that is going through a digital
transformation: rebuilding digital infrastructure around new
initiatives and revenue models. The Technician can thrive in this
environment for two reasons – first, an enterprise mid-digital
transformation is most receptive to the technical thinking and
personalities that the Technician brings. Second, it is during this
time that the skillset of the Technician is most needed: with the
rapid pace of change that is happening, the CISO holding this position
needs to command their knowledge of security and implement it at the
speed of the rest of the organization. Again, the brute-force
knowledge of the Technician ensures that the new infrastructure will
be secure even after the initiative ends.

These are the poles.

As with any archetype, these three are caricatures of CISOs today.
Embedded within information security leaders are aspects of each of
these three types. The value of these three is not in knowing which
skills you naturally gravitate to. Instead, it is knowing which
archetype to invoke based on the situation you find yourself in:
vision, education, technology. A successful CISO is not bound to one
over the other; you may well gravitate towards one or two, but
being aware that a specific skillset comes naturally also illuminates
what skills you need to develop or outsource through hiring.