The role of CISO has grown in profile and importance in recent years, as evolving and escalating digital threats raise the stakes for organizations of every size and stripe. But organizations aren't always clear about what they want from their CISOs, and CISOs aren't always clear what kind of leaders they are or want to be.
"CISOs are not the same from company to company and industry to industry," said Steve Tcherchian, CISO for XYPRO Technology Corp., a cybersecurity analytics company. "We're still in the infancy of what this role really is and how it fits into the strategic focus of a business."
As a result, enterprises often look to CISOs themselves to define the role, he added. Experience and personality greatly influence how a given type of CISO leads, often with unforeseen implications for the organization.
"Some CISOs will see an opportunity and drive it forward," Tcherchian said. "Others in the same role will be risk-averse and maintain the status quo."
Jeff Pollard, vice president and principal analyst at Forrester Research, believes incompatibility between cybersecurity executives and their organizations -- which he refers to as poor "CISO-company fit" -- leads to burnout and helps drive high CISO turnover rates. According to research from Enterprise Strategy Group, the average CISO lasts just two to four years.
"When you have a mismatch in terms of fit, the CISO can still be successful, but they won't be as passionate about the job," Pollard said. "They are not going to feel happy, motivated or energized, and so they're generally going to leave earlier."
But today's CISOs lack a cultural framework to help them understand their leadership styles and inform their career decisions, he argued. Familiar CEO archetypes, on the other hand, abound. Consider the 1987 film Wall Street, for example, in which Michael Douglas plays the corporate raider -- buying companies and dismantling them for profit. The archetypal turnaround artist, in contrast, parachutes into troubled organizations and revitalizes them, while the startup CEO -- think Mark Zuckerberg's character in The Social Network -- gets innovative young companies off the ground. Pollard also cited a sales executive he recently met who introduced himself as the kind of leader that repeatedly scales million-dollar businesses into hundred-million-dollar ones.
"The way he understood what he did, or said he did, and how he described himself crystalized something for me," Pollard said. "I don't know that the CISOs we speak with have that sort of elevator pitch to succinctly explain themselves and their careers."
6 types of CISO
Pollard and his colleagues at Forrester -- fellow analysts Jinan Budge, Paul McKay and Claire O'Malley -- decided CISOs, like CEOs, need a framework to help them efficiently identify themselves and define the situations in which they excel. An archetypal shorthand, they believe, can both empower enterprises to find CISOs whose personas align with their needs and help CISOs play to their strengths so they avoid painful on-the-job identity crises.
In conducting research interviews with sitting CISOs for their report, "The Future Of The CISO," Pollard said they saw the following six distinct archetypes emerge.
1. Transformational CISO. Forrester described the transformational CISO as energetic, extroverted, dynamic and outspoken. This person typically hails from a change management, communication or business background with experience navigating a complex political environment. The transformational CISO leads the charge on turning an internally focused security program into one that aligns with and supports customer needs and business outcomes. Transformational CISOs should look for energetic companies with similar cultural values that are committed to macro-level change.
Once this type of CISO has successfully revolutionized a security program, they may start to feel restless. At this point, it is likely time to move on to another transformational role, enabling someone with a different leadership style to step in and oversee the new status quo.
"Once the transformational CISO has climbed the mountain, they finished what they started, and they're onto the next one," Pollard said. "They're leaving strategically and in a good place -- not because they're unhappy."
2. Post-breach CISO. Forrester identified a post-breach CISO as having a calm, succinct and process-oriented leadership style. This person enters an enterprise after a major, often high-profile, breach to mitigate the fallout and oversee significant new investments in cybersecurity.
"The post-breach folks we interviewed told us, 'This is what I get excited about -- I like the fact that it's really tough in the beginning,'" Pollard said.
According to his research, this type of CISO should expect to stay in a new role for at least a few years. Once the enterprise has regained its equilibrium and achieved a stronger security stance, it's likely ready for an operational or steady-state CISO. The post-breach CISO can then move on to do more of what they love: helping another company in crisis.
3. Tactical and operational expert CISO. The CISO with tactical and operational expertise is often a seasoned technology practitioner, the Forrester researchers found. A successful security engineer might land promotion after promotion, for example, eventually leading to C-level roles. Pollard described these professionals as typically detail- and action-oriented, analytical, capable, adaptable and decisive. Tactical and operational CISOs excel at taking operational disruptions in stride and bring a practical perspective to unanticipated technical challenges as they arise.
Tactical and operational experts can remain happy and productive in their CISO roles indefinitely. If an organization's business model starts to undergo major changes, however, a transformational CISO might be better suited to adapting the security program accordingly.
4. Compliance and risk guru CISO. The compliance and risk guru CISO often has a less technical background, with expertise in data privacy laws, regulatory requirements, audits and so on. This type of CISO's cybersecurity leadership style tends to be based on a risk management approach, with an emphasis on compliance. Compliance and risk guru CISOs tend to be disciplined, organized, detail-oriented and chaos-averse -- guarding the organization's interests via rigorous processes and thorough documentation. This type of CISO, the Forrester analysts wrote in their research report, "thinks 'lawful good' as a character trait is a clear virtue."
These security leaders should look for positions in organizations with intense regulatory pressure, where they can make meaningful contributions. A compliance and risk guru should consider departing a CISO role if regulatory issues become less important, whether because of divestments or shifting business priorities. For instance, a compliance and risk CISO likely won't be happy at an organization looking to reorient itself around an aggressive, externally facing technology strategy.
5. Steady-state CISO. A steady-state type of CISO is best suited to an organization that aims to maintain its existing security posture with incremental improvements over time. This calls for a calm, measured cybersecurity leadership style and an ability to advocate for conservative but consistent investments in the program.
"Steady-state CISOs have a sort of quiet confidence," Pollard said. "They're not afraid of change, but they're really good at adapting an existing program within organizational constraints."
Because cybersecurity threats evolve so rapidly today, however, this slow-and-steady approach may have a limited shelf life. The Forrester analysts advised that steady-state CISOs move on to new positions if they start to feel the organizational resistance to change means they have to shoulder unacceptable levels of risk.
6. Customer-facing evangelist CISO. Customer-facing evangelists embrace the opportunity to interact with external stakeholders, such as customers, media and the public. They are typically confident and charismatic leaders who thrive in chaotic, fast-paced environments and also have a deep understanding of application development and product management processes.
This type of CISO needs an organization that sees software development as central to its business model and security as a key differentiator. Finally, a customer-facing evangelist CISO should consider leaving a role if the organization decides its security program should become more internally oriented -- thus limiting opportunities for the external-facing interactions this kind of executive loves.
So, what type of CISO are you?
Avoiding an identity crisis
To some degree, CISOs who accept jobs without understanding their own cybersecurity leadership archetypes are victims of chance, said Budge, a principal analyst who works with Pollard on Forrester's CISO research.
"Many just think, 'Oh, that's a great organization,' or 'That sounds like a really cool job' and hope for the best," Budge said. "But, to find a rewarding role, you have to choose the organization and culture very, very carefully."
Jason Hicks, global CISO at Kudelski Security, said he enjoys splitting his time between running a security program and engaging with clients. He added he once considered a role offering experience in a new vertical at an appealing company, but the position appeared more internally facing than he would have liked.
"I decided to move in a different direction, and I think it was the right call," Hicks said. "What I'm doing now is ideal."
Forrester's research suggested Hicks -- likely a customer-facing evangelist CISO, at least in part -- chose wisely. When organizations ask CISOs to behave against type, problems ensue, Pollard said.
"When someone has reached a pinnacle in their field from a leadership perspective but they're not happy, that causes a sense of malaise," he added. A steady-state type of CISO asked to act as a transformational CISO, for example, experiences anxiety, and their self-confidence suffers. Transformational CISOs tasked with steady-state responsibilities tend to feel chronic frustration and angst.
"What they're being asked to do doesn't make sense to them," Pollard said. "They almost feel like they're being set up for failure."
On the other hand, knowledge -- and, in particular, self-knowledge -- is power.
"Even in our research interviews, the idea of 'CISO types' really resonated," Pollard said. "We started to see this excitement, with people saying, 'I've never thought about it like that, but this would be a great way to describe myself.'"