As with any position, there will be different types of people that hold the CISO position. During our conversation with Rick Lemieux, CRO of itSM, we dove deep into the three archetypes of CISO that have emerged: the Visionary, the Teacher, and the Technician.
These three flavors of CISO each bring a unique set of skills to tackle similar challenges, and as a result, these various strengths and weaknesses illuminate their superpowers as well as opportunities for development to accomplish their goals.
Every organization, of course, is different in its needs from a CISO. For some organizations, the CISO is hired because the executive leadership team needs a clear path forward, in other cases, the organization is undereducated in information security best practices, and some organizations require a leader to build the actual security infrastructure necessary for the digital age.
The Visionary CISO
The Visionary CISO’s superpower is in their ability to align security practices with business outcomes. They can articulate a concrete vision for their security program and solicit buy-in from non-technical stakeholders with ease. A visionary CISO typically emerges in an organization that has an established information security program but is perpetually playing catch-up. The visionary CISO is best suited for these opportunities given that the organizations that they succeed most at have at least a limited awareness of the need for information security.
Consider this: an organization is reaching the point where the Director IT will give way to a CISO. This organization has the precursors to a mature cybersecurity program, but they have been reactionary to date. They have been hung up on regulations and checkbox compliance, securing new technologies as other departments embrace digital business; the strategy is a patchwork approach to keeping the organization secure. The plan is not in the hands of the cybersecurity team.
It is at organizations like this one that the visionary can shine. The CEO and board are aware that cybersecurity is essential and they may even be accustomed to investing in security to a degree. The challenge that a CISO at this type of organization will face is consolidating the fragmented initiatives and teams that are trapped in perpetually reacting to the organization into a group guided by a singular vision. For this CISO, it will require buy-in above all. They must be able to collaborate with the rest of the C-Suite to illustrate how security and risk management can empower business growth. In this case, the Visionary will be able to that most effectively.
You’ll notice, though, that the environment best suited for the Visionary already has the precursors to an active security program - the enterprise is already investing in security, and personnel is there (albeit distributed), and all that’s necessary is a guide to unite those pieces into a cohesive unit. Visionaries thrive in this environment because they’re best suited for unifying and reconfiguring existing pieces while adding more to existing infrastructure.
A Teacher CISO is best suited to tackle the problem of awareness within an organization. Where the Visionary can guide, the Teacher can teach.
Think of an organization that has a security team established, the senior leadership is adjusted to investing in cybersecurity, and they see the need for it. The senior leadership recognizes the need for security, but not the whole organization. In the digital age, a risk-aware culture is becoming ever important - attacks are no longer merely technical but leverage non-technical employees lack of risk-awareness to get access to secure systems. It is in this environment that the Teacher can add the most value. Where the Visionary is best at bridging the gap between the Board and information security teams, the Teacher is best at bridging the gap between IT and the rest of the enterprise. She brings an in-depth technical knowledge of course, but what makes her unique is being able to translate that jargon into non-technical concepts that other business units can understand.
The Teacher thrives in a position where the goal is to expand security awareness throughout the organization. A teacher CISO, though, needs to come into a situation where there is already buy-in from the CEO and Board. The Teacher is more a catalyst for change rather than a component of the reaction. The goal for a Teacher is to expand awareness throughout rather than building from the ground up.
When most people outside of cyber think of a CISO they think of the technician. The Technician has the iconic technical leader - he brings a remarkably in-depth knowledge of the technology that drives security and the threats that organizations face.
The Technician thrives in an environment that is building from the ground up as he knows how to build things right. His brute force knowledge of security makes him difficult to relate to for non-technical stakeholders, but because his understanding is almost misunderstood, it becomes practically ethereal.
Consider the organization that is going through a digital transformation: rebuilding digital infrastructure around new initiatives and revenue models. The Technician can thrive in this environment for two reasons - first, an enterprise mid-digital transformation is most receptive to the technical thinking and personalities that the Technician brings. Second, is it during this time that the skillset of the Technician is most needed: with the rapid pace of change that is happening, the CISO holding this position needs to command their knowledge of security and implement it at the speed of the rest of the organization. Again, the brute force knowledge of the Technician ensures that the new infrastructure will be secure even after the initiative ends.
These are the poles.
As with any archetype, these three are caricatures of CISO’s today. Embedded within formation security leaders are aspects of each of these three types. The value of these three is not in knowing what skills to which you naturally gravitate. Instead, it is knowing which archetype to invoke based on the situation you find yourself in: vision, education, technology. A successful CISO is not bound to one over the other, and sure you may gravitate towards one or two but being aware that a specific skillset comes naturally also illuminates what skills you need to develop or outsource through hiring.