The term Chief Information Security Officer (CISO) means many things to many people. The role is often ill defined, challenging and definitely in flux as organizations embrace the opportunities offered by digital technologies while simultaneously encountering threats from the ruthless, rational, entrepreneurial criminals who inhabit cyberspace.
As I look around, it seems that the perspectives of CISOs are shaped by their backgrounds and life experiences. I often see three ‘types’ of CISO, each of which brings its own insights and a particular viewpoint on the challenges of cyber security.
Once the most common type of CISO – they bring a deep understanding of security technologies and products. Their world is anti-malware, firewalls, detonation chambers, micro-segmentation, deception grids, security operations and zero trust. They bring a passion for ‘silver bullets’, a technology solution which solves the problem of cyber security, and can occasionally be susceptible to ‘snake oil’ from less scrupulous product vendors. But they do really understand the detail of the tactics used by attackers, and appreciate the need to get the ‘cyber essentials’ right in terms of protecting systems and the enterprise.
Their challenge can be to think more broadly about the problem of cyber security, including the people dimension, which focusses on culture, education and awareness, and the link to the business context, which focusses on the ‘crown jewels’ that really matter to the business and on the translation between securing the business and securing the underlying technologies.
At their worst, techy CISOs retreat into jargon; at their best they engineer pragmatic defences against sophisticated threats.
The Risk professional…
These CISOs come from a risk management background. Their world is scenarios, risk heat maps, likelihood and impact modelling. They naturally focus on the risks to the business and the key assets the business is trying to protect, while seeking to quantify and measure cyber risk in a structured way to guide their investment decisions and choices. They tend to gravitate to controls and compliance based ways of managing risk, building partnerships with the broader operational risk community and persuading regulators that a structured approach is being taken to cyber risk.
But do these CISOs really understand enough of the detail of the individual controls, and just how effective those controls really are in countering the techniques used by attackers? And in a world where technology-enabled business transformation is changing organizations, are they equipped with sufficient technical ‘savvy’ to be credible in the eyes of the CTO or CIO?
At their worst, risk CISOs focus on process, controls and compliance; at their best they engage the business to really understand its risks and the best mitigation strategies – which are often broader than cyber security.
The Red CISO…
This type is becoming more common as more and more government and law enforcement professionals transition to business, and more “hackers” make the transition to white hat. Their world is the attacker and their modus operandi, whether state-sponsored or criminal group. They instinctively understand how those groups operate and how they will threaten your business; they understand the dark side of the internet and the dark side of people. They come with access to a community which is often very different to the traditional community of security professionals, including police and intelligence links.
These CISOs can find it challenging to migrate to a corporate role and to understand enough of the business model, culture and constraints to apply their experience. They bring an aura of intrigue and many war stories which can open doors, but can find it hard to adjust to the routine of dealing with commoditized cybercrime. Sometimes switching from attack mindset to a defensive mindset can be more difficult than it appears.
At their worst, red CISOs fail to implement practical programs to get the basics of cyber security right, focussing too much on high-end threats; at their best they bring challenge and a valuable perspective on just how to counter and disrupt the business model of the attackers.
So, who is best…
And of course the answer is no-one and everyone. Each of these CISOs brings a different set of skills to the organization. The modern CISO must blend together all of these perspectives, either individually or in their team. Make a conscious effort to consider each viewpoint, build diverse teams to help you do that, and value and respect what each individual can bring.