Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

1/17/2018
03:20 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Which CISO 'Tribe' Do You Belong To?

New research categorizes CISOs into four distinct groups based on factors related to workforce, governance, and security controls.

If you're a CISO or another level of security manager, new research predicts you will fall squarely into one of four "tribes" depending on the nature of your role and how the overall organization approaches cybersecurity. Each tribe has a different approach to serving as a CISO.

This is the crux of the inaugural CISO Report published today by Synopsys. The research spanned two years and involved 25 interviews with CISOs at companies including ADP, Bank of America, Cisco, Facebook, Goldman Sachs, JPMorgan Chase, Starbucks, and US Bank.

The driving idea was to learn how individual CISOs perform compared with one another, what CISOs actually do all day, and how their work is organized and executed.

"The coolest thing was that CISOs were so eager to find out what we were going to find out," says Gary McGraw, vice president of security technology at Synopsys. Most CISOs stay within their organizations and lack data to measure performance. This study aimed to collect data that would help CISOs learn where they stand and how they can improve.

There is no "universal blueprint" for the CISO but there are common factors researchers used as a basis for comparison among CISOs they interviewed. These included workforce (organization structure, management, staff), governance (metrics, budget, projects), and controls (framework, vulnerability management, vendors). The three domains helped organize results.

Based on the data collected, researchers identified four groups of CISOs. These include:

  • Tribe 1: Security as an Enabler
  • Tribe 2: Security as Technology
  • Tribe 3: Security as Compliance
  • Tribe 4: Security as a Cost Center

"The tribe is an assignment that's not just for an individual," McGraw notes. "It applies both to the CISO and the firm they're in." A CISO's tribe is determined by 18 "discriminators," or factors used to tease CISOs apart. These include "CISO-board relations" and "program management."

What's your tribe?

Tribe 1 is, in a sense, "the goal tribe," says McGraw. "The board understands security, the firm as a whole knows security is important. Every business unit is aligned properly with security, because security is part of the way the firm does business."

In these firms, the CISO is the highest-level executive under the CEO. Security is business-centric; every division thinks about computer security and security is part of everybody's job. The enterprise focus and CISO role as a senior executive set this group apart, McGraw says.

Tribe 2, which treats security as technology, is similar in the sense they have advanced security practices. "These are firms that have moved well past compliance," McGraw explains. "The firms in tribe 2 have great CISOs and are doing a great job with security."

However, CISOs in tribe 2 lack the "senior executive gravitas" of CISOs in tribe 1. "They're senior people, they have a lot of power and influence, but they're not the alpha in the room," he says. In a software firm or another tech-focused company, tier 2 CISOs don't need to aspire to move up because the business is already focused on tech and they don't need the executive pull.

Tribe 3 CISOs struggle because they're often strong leaders who know how to get things done - but their companies prioritize compliance above all else. McGraw says this often happens if a business has a data breach or gets in legal trouble. Further, historical underinvestment in cybersecurity means these firms continue to underinvest despite compliance requirements.

"Often compliance is the goal and they can't get their firm to move past that goal," he explains. "Compliance is a bare minimum; it's a low bar. You have to get over that bar, for sure."

Tribe 4 CISOs "are often overwhelmed and under-resourced," McGraw says. "They don't really create budgets, and sometimes they don't request budgets. They just get given budgets."

These are often middle-management professionals who are not called CISOs but perhaps "director of IT security" or a similar title. Their firms are relatively new to cybersecurity and haven't yet begun to prioritize it. McGraw anticipates tribe 4 is the largest group overall, taking all businesses outside this study into consideration.

Improving the CISO's Stance

Knowing your tribe can help change your tribe, a process that requires a shift in business strategy and leadership. The CISO Project report emphasizes the importance of identifying and managing risk, developing and retaining the right talent, and establishing middle management to serve as a gateway from entry-level security roles up to the C-Suite.

Troy Hunt, information security author and instructor at Pluralsight, explains how CISOs can create a security-focused culture within the enterprise. "The objectives of security are often not consistent with the objectives of the business and development teams," he says. Many people want to know how they can make security concepts more pervasive.

One of his recommendations is to help different departments on the same page. If a business has separate security and development teams, there's often tension between the two.

"I've seen a lot of trouble with security and dev teams just getting along and speaking the same language," Hunt says. "There's often a lot of friction when developers think the security team is there to get in their way and stop things from getting done."

Skill development is another key component, he says, echoing the CISO Project report. Hunt recommends finding and focusing on "security champions," or people who are particularly motivated to learn more about security. Find this talent and send them to workshops and conferences, he says, then have them come back and teach other people.

"There's so much in the industry and so much changing that if you can find those people, that's a really valuable thing," he says.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
cybersavior
50%
50%
cybersavior,
User Rank: Strategist
1/24/2018 | 10:14:25 AM
Personally...
I am Tribe #3 but I aspire to be Tribe #1.
GaryM2712105
100%
0%
GaryM2712105,
User Rank: Strategist
1/17/2018 | 8:45:55 PM
Get the CISO Report
You can download a copy of the report here http://bit.ly/CISO-4tribes 

gem
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15150
PUBLISHED: 2019-08-19
In the OAuth2 Client extension before 0.4 for MediaWiki, a CSRF vulnerability exists due to the OAuth2 state parameter not being checked in the callback function.
CVE-2017-18550
PUBLISHED: 2019-08-19
An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linux kernel before 4.13. There is potential exposure of kernel stack memory because aac_get_hba_info does not initialize the hbainfo structure.
CVE-2017-18551
PUBLISHED: 2019-08-19
An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated.
CVE-2017-18552
PUBLISHED: 2019-08-19
An issue was discovered in net/rds/af_rds.c in the Linux kernel before 4.11. There is an out of bounds write and read in the function rds_recv_track_latency.
CVE-2018-20976
PUBLISHED: 2019-08-19
An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel before 4.18. A use after free exists, related to xfs_fs_fill_super failure.