Operations

1/17/2018
03:20 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Which CISO 'Tribe' Do You Belong To?

New research categorizes CISOs into four distinct groups based on factors related to workforce, governance, and security controls.

If you're a CISO or another level of security manager, new research predicts you will fall squarely into one of four "tribes" depending on the nature of your role and how the overall organization approaches cybersecurity. Each tribe has a different approach to serving as a CISO.

This is the crux of the inaugural CISO Report published today by Synopsys. The research spanned two years and involved 25 interviews with CISOs at companies including ADP, Bank of America, Cisco, Facebook, Goldman Sachs, JPMorgan Chase, Starbucks, and US Bank.

The driving idea was to learn how individual CISOs perform compared with one another, what CISOs actually do all day, and how their work is organized and executed.

"The coolest thing was that CISOs were so eager to find out what we were going to find out," says Gary McGraw, vice president of security technology at Synopsys. Most CISOs stay within their organizations and lack data to measure performance. This study aimed to collect data that would help CISOs learn where they stand and how they can improve.

There is no "universal blueprint" for the CISO but there are common factors researchers used as a basis for comparison among CISOs they interviewed. These included workforce (organization structure, management, staff), governance (metrics, budget, projects), and controls (framework, vulnerability management, vendors). The three domains helped organize results.

Based on the data collected, researchers identified four groups of CISOs. These include:

  • Tribe 1: Security as an Enabler
  • Tribe 2: Security as Technology
  • Tribe 3: Security as Compliance
  • Tribe 4: Security as a Cost Center

"The tribe is an assignment that's not just for an individual," McGraw notes. "It applies both to the CISO and the firm they're in." A CISO's tribe is determined by 18 "discriminators," or factors used to tease CISOs apart. These include "CISO-board relations" and "program management."

What's your tribe?

Tribe 1 is, in a sense, "the goal tribe," says McGraw. "The board understands security, the firm as a whole knows security is important. Every business unit is aligned properly with security, because security is part of the way the firm does business."

In these firms, the CISO is the highest-level executive under the CEO. Security is business-centric; every division thinks about computer security and security is part of everybody's job. The enterprise focus and CISO role as a senior executive set this group apart, McGraw says.

Tribe 2, which treats security as technology, is similar in the sense they have advanced security practices. "These are firms that have moved well past compliance," McGraw explains. "The firms in tribe 2 have great CISOs and are doing a great job with security."

However, CISOs in tribe 2 lack the "senior executive gravitas" of CISOs in tribe 1. "They're senior people, they have a lot of power and influence, but they're not the alpha in the room," he says. In a software firm or another tech-focused company, tier 2 CISOs don't need to aspire to move up because the business is already focused on tech and they don't need the executive pull.

Tribe 3 CISOs struggle because they're often strong leaders who know how to get things done - but their companies prioritize compliance above all else. McGraw says this often happens if a business has a data breach or gets in legal trouble. Further, historical underinvestment in cybersecurity means these firms continue to underinvest despite compliance requirements.

"Often compliance is the goal and they can't get their firm to move past that goal," he explains. "Compliance is a bare minimum; it's a low bar. You have to get over that bar, for sure."

Tribe 4 CISOs "are often overwhelmed and under-resourced," McGraw says. "They don't really create budgets, and sometimes they don't request budgets. They just get given budgets."

These are often middle-management professionals who are not called CISOs but perhaps "director of IT security" or a similar title. Their firms are relatively new to cybersecurity and haven't yet begun to prioritize it. McGraw anticipates tribe 4 is the largest group overall, taking all businesses outside this study into consideration.

Improving the CISO's Stance

Knowing your tribe can help change your tribe, a process that requires a shift in business strategy and leadership. The CISO Project report emphasizes the importance of identifying and managing risk, developing and retaining the right talent, and establishing middle management to serve as a gateway from entry-level security roles up to the C-Suite.

Troy Hunt, information security author and instructor at Pluralsight, explains how CISOs can create a security-focused culture within the enterprise. "The objectives of security are often not consistent with the objectives of the business and development teams," he says. Many people want to know how they can make security concepts more pervasive.

One of his recommendations is to help different departments on the same page. If a business has separate security and development teams, there's often tension between the two.

"I've seen a lot of trouble with security and dev teams just getting along and speaking the same language," Hunt says. "There's often a lot of friction when developers think the security team is there to get in their way and stop things from getting done."

Skill development is another key component, he says, echoing the CISO Project report. Hunt recommends finding and focusing on "security champions," or people who are particularly motivated to learn more about security. Find this talent and send them to workshops and conferences, he says, then have them come back and teach other people.

"There's so much in the industry and so much changing that if you can find those people, that's a really valuable thing," he says.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
cybersavior
50%
50%
cybersavior,
User Rank: Strategist
1/24/2018 | 10:14:25 AM
Personally...
I am Tribe #3 but I aspire to be Tribe #1.
GaryM2712105
100%
0%
GaryM2712105,
User Rank: Strategist
1/17/2018 | 8:45:55 PM
Get the CISO Report
You can download a copy of the report here http://bit.ly/CISO-4tribes 

gem
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Starwood Breach Reaction Focuses on 4-Year Dwell
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/5/2018
Symantec Intros USB Scanning Tool for ICS Operators
Jai Vijayan, Freelance writer,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I guess this answers the question: who's watching the watchers?
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10008
PUBLISHED: 2018-12-10
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended...
CVE-2018-10008
PUBLISHED: 2018-12-10
An information exposure vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds beyond the duration of the build using the workspace br...
CVE-2018-10008
PUBLISHED: 2018-12-10
A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jen...
CVE-2018-10008
PUBLISHED: 2018-12-10
A denial of service vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.
CVE-2018-10008
PUBLISHED: 2018-12-10
A sandbox bypass vulnerability exists in Script Security Plugin 1.47 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM, if plugins using the Groovy san...