Do you ever wonder: How am I stacking up against my peers? What is everyone else doing? Am I missing something obvious? How do I improve my performance?
To determine this, three researchers set out to identify how CISOs approach their job, to establish a coherent model describing how CISO’s organize and execute their work. Synopsys published their findings in a report titled; Four CISO Tribes and Where to Find Them.
The data was gathered to understand what CISO’s do, what is their typical career progression and what types of people and organizations have the best security situations. They found two major factors when it comes to success in the role: the person and the organization. The key elements are the personality and experience of the leader, the culture, security ethics, and resources of the company. The real question is, whether these factors can be changed or improved in each situation.
The researchers identified four distinct approaches, or tribes, within the role with unique characteristics and discriminators. Using these approaches, you will understand your place in the four “tribes”. An in-depth dive into the discriminators helps CISO’s discover whether it is them or the organization which needs to change for their situation to improve.
Tribes one and two are very closely aligned: Security as an Enabler and Security as Technology. Each have very much to do with the background of the CISO, (have you evolved into a real business executive or are you still a deep technologist). These two tribes are far left on their scale. Moving to the right, you have Security as Compliance, where the CISO is trapped in compliance land, and significantly further right. The largest tribe by far, tribe four, is Security as a Cost Center.
This report takes an interesting approach to understanding CISOs, what they actually do, why they do it, and how they can do it better. We learned a lot about CISOs, and think you can too. Remember, moving between tribes is possible and we agree with the researchers that when CISOs understand their own approaches with reference to others, they will be better informed about their own ways forward
You can find the entire article here! Feel free to pass this along to security colleagues, to help them improve their career as well as organizational security outcomes.