Request Demo

Integrated Risk Management

The Tale Of Three CISOs And The Skills They Bring


As with any position, there will be different types of people that hold the CISO position. During our conversation with Rick Lemieux, CRO of itSM, we dove deep into the three archetypes of CISO that have emerged: the Visionary, the Teacher, and the Technician.

These three flavors of CISO each bring a unique set of skills to tackle similar challenges, and as a result, these various strengths and weaknesses illuminate their superpowers as well as opportunities for development to accomplish their goals.

Every organization, of course, is different in its needs from a CISO. For some organizations, the CISO is hired because the executive leadership team needs a clear path forward, in other cases, the organization is undereducated in information security best practices, and some organizations require a leader to build the actual security infrastructure necessary for the digital age.

The Visionary CISO

The Visionary CISO’s superpower is in their ability to align security practices with business outcomes. They can articulate a concrete vision for their security program and solicit buy-in from non-technical stakeholders with ease. A visionary CISO typically emerges in an organization that has an established information security program but is perpetually playing catch-up. The visionary CISO is best suited for these opportunities given that the organizations that they succeed most at have at least a limited awareness of the need for information security.

Consider this: an organization is reaching the point where the Director IT will give way to a CISO. This organization has the precursors to a mature cybersecurity program, but they have been reactionary to date. They have been hung up on regulations and checkbox compliance, securing new technologies as other departments embrace digital business; the strategy is a patchwork approach to keeping the organization secure. The plan is not in the hands of the cybersecurity team.

It is at organizations like this one that the visionary can shine. The CEO and board are aware that cybersecurity is essential and they may even be accustomed to investing in security to a degree. The challenge that a CISO at this type of organization will face is consolidating the fragmented initiatives and teams that are trapped in perpetually reacting to the organization into a group guided by a singular vision. For this CISO, it will require buy-in above all. They must be able to collaborate with the rest of the C-Suite to illustrate how security and risk management can empower business growth. In this case, the Visionary will be able to that most effectively.

You’ll notice, though, that the environment best suited for the Visionary already has the precursors to an active security program - the enterprise is already investing in security, and personnel is there (albeit distributed), and all that’s necessary is a guide to unite those pieces into a cohesive unit. Visionaries thrive in this environment because they’re best suited for unifying and reconfiguring existing pieces while adding more to existing infrastructure.

The Teacher

A Teacher CISO is best suited to tackle the problem of awareness within an organization. Where the Visionary can guide, the Teacher can teach.

Think of an organization that has a security team established, the senior leadership is adjusted to investing in cybersecurity, and they see the need for it. The senior leadership recognizes the need for security, but not the whole organization. In the digital age, a risk-aware culture is becoming ever important - attacks are no longer merely technical but leverage non-technical employees lack of risk-awareness to get access to secure systems. It is in this environment that the Teacher can add the most value. Where the Visionary is best at bridging the gap between the Board and information security teams, the Teacher is best at bridging the gap between IT and the rest of the enterprise. She brings an in-depth technical knowledge of course, but what makes her unique is being able to translate that jargon into non-technical concepts that other business units can understand.

The Teacher thrives in a position where the goal is to expand security awareness throughout the organization. A teacher CISO, though, needs to come into a situation where there is already buy-in from the CEO and Board. The Teacher is more a catalyst for change rather than a component of the reaction. The goal for a Teacher is to expand awareness throughout rather than building from the ground up.

The Technician

When most people outside of cyber think of a CISO they think of the technician. The Technician has the iconic technical leader - he brings a remarkably in-depth knowledge of the technology that drives security and the threats that organizations face.

The Technician thrives in an environment that is building from the ground up as he knows how to build things right. His brute force knowledge of security makes him difficult to relate to for non-technical stakeholders, but because his understanding is almost misunderstood, it becomes practically ethereal.

Consider the organization that is going through a digital transformation: rebuilding digital infrastructure around new initiatives and revenue models. The Technician can thrive in this environment for two reasons - first, an enterprise mid-digital transformation is most receptive to the technical thinking and personalities that the Technician brings. Second, is it during this time that the skillset of the Technician is most needed: with the rapid pace of change that is happening, the CISO holding this position needs to command their knowledge of security and implement it at the speed of the rest of the organization. Again, the brute force knowledge of the Technician ensures that the new infrastructure will be secure even after the initiative ends.

These are the poles.

As with any archetype, these three are caricatures of CISO’s today. Embedded within formation security leaders are aspects of each of these three types. The value of these three is not in knowing what skills to which you naturally gravitate. Instead, it is knowing which archetype to invoke based on the situation you find yourself in: vision, education, technology. A successful CISO is not bound to one over the other, and sure you may gravitate towards one or two but being aware that a specific skillset comes naturally also illuminates what skills you need to develop or outsource through hiring.

You may also like

Contextualize Quantified Cyber ...
on April 11, 2019

Now more than ever, CISO’s are being tasked with delivering hard metrics around an enterprise’s technology and digital risk. While this is nothing new for seasoned IT ...

NYDFS Implementation Grace Period ...
on April 9, 2019

Following the Equifax breach and growing concerns about the posture of the financial industry, New York State Department of Financial Services (NYDFS) released the initial ...

CEO's - Do You Know Where That ...
on April 5, 2019

It is no secret that cybersecurity has mystified many members of the C-suite since the function was introduced. With headlines dominated by breaches and hearings of information ...

Jerry Layden
Carbon Black Report Indicates ...
on April 2, 2019

In their third Global Incident Response Threat Report our Massachusetts neighbor, Carbon Black, illustrates not only the top industries for cyber attack but a deeply concerning ...

Legacy GRC And The Sunk Cost ...
on March 28, 2019

Last month, we covered how legacy GRC products and new integrated risk management (IRM) solutions can co-exist and in fact compliment each other. That said, in order for them to ...

Alison Furneaux
What To Expect From The Imminent ...
on April 6, 2019

While the NIST Privacy Framework may be the headliner for the most anticipated new publication from the National Institute of Standards and Technology, there are two imminent ...