[BreachExchange] Which type of CISO are you? Company fit matters

Destry Winant destry at riskbasedsecurity.com
Thu Aug 13 10:29:27 EDT 2020


The role of CISO has grown in profile and importance in recent years,
as evolving and escalating digital threats raise the stakes for
organizations of every size and stripe. But organizations aren't
always clear about what they want from their CISOs, and CISOs aren't
always clear what kind of leaders they are or want to be.

"CISOs are not the same from company to company and industry to
industry," said Steve Tcherchian, CISO for XYPRO Technology Corp., a
cybersecurity analytics company. "We're still in the infancy of what
this role really is and how it fits into the strategic focus of a
business."

As a result, enterprises often look to CISOs themselves to define the
role, he added. Experience and personality greatly influence how a
given type of CISO leads, often with unforeseen implications for the
organization.

"Some CISOs will see an opportunity and drive it forward," Tcherchian
said. "Others in the same role will be risk-averse and maintain the
status quo."

Jeff Pollard, vice president and principal analyst at Forrester
Research, believes incompatibility between cybersecurity executives
and their organizations -- which he refers to as poor "CISO-company
fit" -- leads to burnout and helps drive high CISO turnover rates.
According to research from Enterprise Strategy Group, the average CISO
lasts just two to four years.

"When you have a mismatch in terms of fit, the CISO can still be
successful, but they won't be as passionate about the job," Pollard
said. "They are not going to feel happy, motivated or energized, and
so they're generally going to leave earlier."

But today's CISOs lack a cultural framework to help them understand
their leadership styles and inform their career decisions, he argued.
Familiar CEO archetypes, on the other hand, abound. Consider the 1987
film Wall Street, for example, in which Michael Douglas plays the
corporate raider -- buying companies and dismantling them for profit.
The archetypal turnaround artist, in contrast, parachutes into
troubled organizations and revitalizes them, while the startup CEO --
think Mark Zuckerberg's character in The Social Network -- gets
innovative young companies off the ground. Pollard also cited a sales
executive he recently met who introduced himself as the kind of leader
that repeatedly scales million-dollar businesses into
hundred-million-dollar ones.

"The way he understood what he did, or said he did, and how he
described himself crystalized something for me," Pollard said. "I
don't know that the CISOs we speak with have that sort of elevator
pitch to succinctly explain themselves and their careers."

6 types of CISO

Pollard and his colleagues at Forrester -- fellow analysts Jinan
Budge, Paul McKay and Claire O'Malley -- decided CISOs, like CEOs,
need a framework to help them efficiently identify themselves and
define the situations in which they excel. An archetypal shorthand,
they believe, can both empower enterprises to find CISOs whose
personas align with their needs and help CISOs play to their strengths
so they avoid painful on-the-job identity crises.

In conducting research interviews with sitting CISOs for their report,
"The Future Of The CISO," Pollard said they saw the following six
distinct archetypes emerge.

1. Transformational CISO. Forrester described the transformational
CISO as energetic, extroverted, dynamic and outspoken. This person
typically hails from a change management, communication or business
background with experience navigating a complex political environment.
The transformational CISO leads the charge on turning an internally
focused security program into one that aligns with and supports
customer needs and business outcomes. Transformational CISOs should
look for energetic companies with similar cultural values that are
committed to macro-level change.

Once this type of CISO has successfully revolutionized a security
program, they may start to feel restless. At this point, it is likely
time to move on to another transformational role, enabling someone with
a different leadership style to step in and oversee the new status
quo.

"Once the transformational CISO has climbed the mountain, they
finished what they started, and they're onto the next one," Pollard
said. "They're leaving strategically and in a good place -- not
because they're unhappy."

2. Post-breach CISO. Forrester identified a post-breach CISO as having
a calm, succinct and process-oriented leadership style. This person
enters an enterprise after a major, often high-profile, breach to
mitigate the fallout and oversee significant new investments in
cybersecurity.

"The post-breach folks we interviewed told us, 'This is what I get
excited about -- I like the fact that it's really tough in the
beginning,'" Pollard said.

According to his research, this type of CISO should expect to stay in
a new role for at least a few years. Once the enterprise has regained
its equilibrium and achieved a stronger security stance, it's likely
ready for an operational or steady-state CISO. The post-breach CISO
can then move on to do more of what they love: helping another company
in crisis.

[Image caption: What type of CISO you are will inform how you juggle competing priorities.]

3. Tactical and operational expert CISO. The CISO with tactical and
operational expertise is often a seasoned technology practitioner, the
Forrester researchers found. A successful security engineer might land
promotion after promotion, for example, eventually leading to C-level
roles. Pollard described these professionals as typically detail- and
action-oriented, analytical, capable, adaptable and decisive. Tactical
and operational CISOs excel at taking operational disruptions in
stride and bring a practical perspective to unanticipated technical
challenges as they arise.

Tactical and operational experts can remain happy and productive in
their CISO roles indefinitely. If an organization's business model
starts to undergo major changes, however, a transformational CISO
might be better suited to adapting the security program accordingly.

4. Compliance and risk guru CISO. The compliance and risk guru CISO
often has a less technical background, with expertise in data privacy
laws, regulatory requirements, audits and so on. This type of CISO's
cybersecurity leadership style tends to be based on a risk management
approach, with an emphasis on compliance. Compliance and risk guru
CISOs tend to be disciplined, organized, detail-oriented and
chaos-averse -- guarding the organization's interests via rigorous
processes and thorough documentation. This type of CISO, the Forrester
analysts wrote in their research report, "thinks 'lawful good' as a
character trait is a clear virtue."


These security leaders should look for positions in organizations with
intense regulatory pressure, where they can make meaningful
contributions. A compliance and risk guru should consider departing a
CISO role if regulatory issues become less important, whether because
of divestments or shifting business priorities. For instance, a
compliance and risk CISO likely won't be happy at an organization
looking to reorient itself around an aggressive, externally facing
technology strategy.

5. Steady-state CISO. A steady-state type of CISO is best suited to an
organization that aims to maintain its existing security posture with
incremental improvements over time. This calls for a calm, measured
cybersecurity leadership style and an ability to advocate for
conservative but consistent investments in the program.

"Steady-state CISOs have a sort of quiet confidence," Pollard said.
"They're not afraid of change, but they're really good at adapting an
existing program within organizational constraints."

Because cybersecurity threats evolve so rapidly today, however, this
slow-and-steady approach may have a limited shelf life. The Forrester
analysts advised that steady-state CISOs move on to new positions if
they start to feel the organizational resistance to change means they
have to shoulder unacceptable levels of risk.

6. Customer-facing evangelist CISO. Customer-facing evangelists
embrace the opportunity to interact with external stakeholders, such
as customers, media and the public. They are typically confident and
charismatic leaders who thrive in chaotic, fast-paced environments and
also have a deep understanding of application development and product
management processes.

This type of CISO needs an organization that sees software development
as central to its business model and security as a key differentiator.
Finally, a customer-facing evangelist CISO should consider leaving a
role if the organization decides its security program should become
more internally oriented -- thus limiting opportunities for the
external-facing interactions this kind of executive loves.

So, what type of CISO are you? Avoiding an identity crisis

To some degree, CISOs who accept jobs without understanding their own
cybersecurity leadership archetypes are victims of chance, said Budge,
a principal analyst who works with Pollard on Forrester's CISO
research.

"Many just think, 'Oh, that's a great organization,' or 'That sounds
like a really cool job' and hope for the best," Budge said. "But, to
find a rewarding role, you have to choose the organization and culture
very, very carefully."

Jason Hicks, global CISO at Kudelski Security, said he enjoys
splitting his time between running a security program and engaging
with clients. He added he once considered a role offering experience
in a new vertical at an appealing company, but the position appeared
more internally facing than he would have liked.

"I decided to move in a different direction, and I think it was the
right call," Hicks said. "What I'm doing now is ideal."

Forrester's research suggested Hicks -- likely a customer-facing
evangelist CISO, at least in part -- chose wisely. When organizations
ask CISOs to behave against type, problems ensue, Pollard said.

"When someone has reached a pinnacle in their field from a leadership
perspective but they're not happy, that causes a sense of malaise," he
added. A steady-state type of CISO asked to act as a transformational
CISO, for example, experiences anxiety, and their self-confidence
suffers. Transformational CISOs tasked with steady-state
responsibilities tend to feel chronic frustration and angst.

"What they're being asked to do doesn't make sense to them," Pollard
said. "They almost feel like they're being set up for failure."

On the other hand, knowledge -- and, in particular, self-knowledge -- is power.

"Even in our research interviews, the idea of 'CISO types' really
resonated," Pollard said. "We started to see this excitement, with
people saying, 'I've never thought about it like that, but this would
be a great way to describe myself.'"

