
Operations

1/17/2018
03:20 PM

Which CISO 'Tribe' Do You Belong To?

New research categorizes CISOs into four distinct groups based on factors related to workforce, governance, and security controls.

If you're a CISO or another level of security manager, new research predicts you will fall squarely into one of four "tribes" depending on the nature of your role and how the overall organization approaches cybersecurity. Each tribe has a different approach to serving as a CISO.

This is the crux of the inaugural CISO Report published today by Synopsys. The research spanned two years and involved 25 interviews with CISOs at companies including ADP, Bank of America, Cisco, Facebook, Goldman Sachs, JPMorgan Chase, Starbucks, and US Bank.

The driving idea was to learn how individual CISOs perform compared with one another, what CISOs actually do all day, and how their work is organized and executed.

"The coolest thing was that CISOs were so eager to find out what we were going to find out," says Gary McGraw, vice president of security technology at Synopsys. Most CISOs stay within their organizations and lack data to measure performance. This study aimed to collect data that would help CISOs learn where they stand and how they can improve.

There is no "universal blueprint" for the CISO, but there are common factors the researchers used as a basis for comparison among the CISOs they interviewed. These included workforce (organization structure, management, staff), governance (metrics, budget, projects), and controls (framework, vulnerability management, vendors). These three domains were used to organize the results.

Based on the data collected, researchers identified four groups of CISOs. These include:

  • Tribe 1: Security as an Enabler
  • Tribe 2: Security as Technology
  • Tribe 3: Security as Compliance
  • Tribe 4: Security as a Cost Center

"The tribe is an assignment that's not just for an individual," McGraw notes. "It applies both to the CISO and the firm they're in." A CISO's tribe is determined by 18 "discriminators," or factors used to tease CISOs apart. These include "CISO-board relations" and "program management."

What's your tribe?

Tribe 1 is, in a sense, "the goal tribe," says McGraw. "The board understands security, the firm as a whole knows security is important. Every business unit is aligned properly with security, because security is part of the way the firm does business."

In these firms, the CISO is the highest-level executive under the CEO. Security is business-centric; every division thinks about computer security and security is part of everybody's job. The enterprise focus and CISO role as a senior executive set this group apart, McGraw says.

Tribe 2, which treats security as technology, is similar in the sense they have advanced security practices. "These are firms that have moved well past compliance," McGraw explains. "The firms in tribe 2 have great CISOs and are doing a great job with security."

However, CISOs in tribe 2 lack the "senior executive gravitas" of CISOs in tribe 1. "They're senior people, they have a lot of power and influence, but they're not the alpha in the room," he says. In a software firm or another tech-focused company, tribe 2 CISOs don't need to aspire to move up because the business is already focused on tech and they don't need the executive pull.

Tribe 3 CISOs struggle because they're often strong leaders who know how to get things done - but their companies prioritize compliance above all else. McGraw says this often happens if a business has a data breach or gets in legal trouble. Further, historical underinvestment in cybersecurity means these firms continue to underinvest despite compliance requirements.

"Often compliance is the goal and they can't get their firm to move past that goal," he explains. "Compliance is a bare minimum; it's a low bar. You have to get over that bar, for sure."

Tribe 4 CISOs "are often overwhelmed and under-resourced," McGraw says. "They don't really create budgets, and sometimes they don't request budgets. They just get given budgets."

These are often middle-management professionals who are not called CISOs but perhaps "director of IT security" or a similar title. Their firms are relatively new to cybersecurity and haven't yet begun to prioritize it. McGraw anticipates tribe 4 is the largest group overall, taking all businesses outside this study into consideration.

Improving the CISO's Stance

Knowing your tribe can help change your tribe, a process that requires a shift in business strategy and leadership. The CISO Project report emphasizes the importance of identifying and managing risk, developing and retaining the right talent, and establishing middle management to serve as a gateway from entry-level security roles up to the C-Suite.

Troy Hunt, information security author and instructor at Pluralsight, explains how CISOs can create a security-focused culture within the enterprise. "The objectives of security are often not consistent with the objectives of the business and development teams," he says. Many people want to know how they can make security concepts more pervasive.

One of his recommendations is to help different departments get on the same page. If a business has separate security and development teams, there's often tension between the two.

"I've seen a lot of trouble with security and dev teams just getting along and speaking the same language," Hunt says. "There's often a lot of friction when developers think the security team is there to get in their way and stop things from getting done."

Skill development is another key component, he says, echoing the CISO Project report. Hunt recommends finding and focusing on "security champions," or people who are particularly motivated to learn more about security. Find this talent and send them to workshops and conferences, he says, then have them come back and teach other people.

"There's so much in the industry and so much changing that if you can find those people, that's a really valuable thing," he says.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
cybersavior,
User Rank: Strategist
1/24/2018 | 10:14:25 AM
Personally...
I am Tribe #3 but I aspire to be Tribe #1.
GaryM2712105,
User Rank: Strategist
1/17/2018 | 8:45:55 PM
Get the CISO Report
You can download a copy of the report here http://bit.ly/CISO-4tribes 