Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

1/17/2018
03:20 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Which CISO 'Tribe' Do You Belong To?

New research categorizes CISOs into four distinct groups based on factors related to workforce, governance, and security controls.

If you're a CISO or another level of security manager, new research predicts you will fall squarely into one of four "tribes" depending on the nature of your role and how the overall organization approaches cybersecurity. Each tribe has a different approach to serving as a CISO.

This is the crux of the inaugural CISO Report published today by Synopsys. The research spanned two years and involved 25 interviews with CISOs at companies including ADP, Bank of America, Cisco, Facebook, Goldman Sachs, JPMorgan Chase, Starbucks, and US Bank.

The driving idea was to learn how individual CISOs perform compared with one another, what CISOs actually do all day, and how their work is organized and executed.

"The coolest thing was that CISOs were so eager to find out what we were going to find out," says Gary McGraw, vice president of security technology at Synopsys. Most CISOs stay within their organizations and lack data to measure performance. This study aimed to collect data that would help CISOs learn where they stand and how they can improve.

There is no "universal blueprint" for the CISO but there are common factors researchers used as a basis for comparison among CISOs they interviewed. These included workforce (organization structure, management, staff), governance (metrics, budget, projects), and controls (framework, vulnerability management, vendors). The three domains helped organize results.

Based on the data collected, researchers identified four groups of CISOs. These include:

  • Tribe 1: Security as an Enabler
  • Tribe 2: Security as Technology
  • Tribe 3: Security as Compliance
  • Tribe 4: Security as a Cost Center

"The tribe is an assignment that's not just for an individual," McGraw notes. "It applies both to the CISO and the firm they're in." A CISO's tribe is determined by 18 "discriminators," or factors used to tease CISOs apart. These include "CISO-board relations" and "program management."

What's your tribe?

Tribe 1 is, in a sense, "the goal tribe," says McGraw. "The board understands security, the firm as a whole knows security is important. Every business unit is aligned properly with security, because security is part of the way the firm does business."

In these firms, the CISO is the highest-level executive under the CEO. Security is business-centric; every division thinks about computer security and security is part of everybody's job. The enterprise focus and CISO role as a senior executive set this group apart, McGraw says.

Tribe 2, which treats security as technology, is similar in the sense they have advanced security practices. "These are firms that have moved well past compliance," McGraw explains. "The firms in tribe 2 have great CISOs and are doing a great job with security."

However, CISOs in tribe 2 lack the "senior executive gravitas" of CISOs in tribe 1. "They're senior people, they have a lot of power and influence, but they're not the alpha in the room," he says. In a software firm or another tech-focused company, tier 2 CISOs don't need to aspire to move up because the business is already focused on tech and they don't need the executive pull.

Tribe 3 CISOs struggle because they're often strong leaders who know how to get things done - but their companies prioritize compliance above all else. McGraw says this often happens if a business has a data breach or gets in legal trouble. Further, historical underinvestment in cybersecurity means these firms continue to underinvest despite compliance requirements.

"Often compliance is the goal and they can't get their firm to move past that goal," he explains. "Compliance is a bare minimum; it's a low bar. You have to get over that bar, for sure."

Tribe 4 CISOs "are often overwhelmed and under-resourced," McGraw says. "They don't really create budgets, and sometimes they don't request budgets. They just get given budgets."

These are often middle-management professionals who are not called CISOs but perhaps "director of IT security" or a similar title. Their firms are relatively new to cybersecurity and haven't yet begun to prioritize it. McGraw anticipates tribe 4 is the largest group overall, taking all businesses outside this study into consideration.

Improving the CISO's Stance

Knowing your tribe can help change your tribe, a process that requires a shift in business strategy and leadership. The CISO Project report emphasizes the importance of identifying and managing risk, developing and retaining the right talent, and establishing middle management to serve as a gateway from entry-level security roles up to the C-Suite.

Troy Hunt, information security author and instructor at Pluralsight, explains how CISOs can create a security-focused culture within the enterprise. "The objectives of security are often not consistent with the objectives of the business and development teams," he says. Many people want to know how they can make security concepts more pervasive.

One of his recommendations is to help different departments on the same page. If a business has separate security and development teams, there's often tension between the two.

"I've seen a lot of trouble with security and dev teams just getting along and speaking the same language," Hunt says. "There's often a lot of friction when developers think the security team is there to get in their way and stop things from getting done."

Skill development is another key component, he says, echoing the CISO Project report. Hunt recommends finding and focusing on "security champions," or people who are particularly motivated to learn more about security. Find this talent and send them to workshops and conferences, he says, then have them come back and teach other people.

"There's so much in the industry and so much changing that if you can find those people, that's a really valuable thing," he says.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
GaryM2712105
100%
0%
GaryM2712105,
User Rank: Strategist
1/17/2018 | 8:45:55 PM
Get the CISO Report
You can download a copy of the report here http://bit.ly/CISO-4tribes 

gem
cybersavior
50%
50%
cybersavior,
User Rank: Strategist
1/24/2018 | 10:14:25 AM
Personally...
I am Tribe #3 but I aspire to be Tribe #1.
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4147
PUBLISHED: 2019-09-16
IBM Sterling File Gateway 2.2.0.0 through 6.0.1.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 158413.
CVE-2019-5481
PUBLISHED: 2019-09-16
Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.
CVE-2019-5482
PUBLISHED: 2019-09-16
Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.
CVE-2019-15741
PUBLISHED: 2019-09-16
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. An unsafe interaction with logrotate could result in a privilege escalation
CVE-2019-16370
PUBLISHED: 2019-09-16
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.