Why is it that CISOs have such low retention in firms and leave after 1-2 years? Is this because recruiters and HR professionals find it hard to discover what is actually needed and “copy paste” function profiles with the exact same requirements, rather than looking at the real need in the organization: M&A strategy, family business, scale-up phase, consolidation, preparing for the sale of the company, cultural differences etc.? The CISO role is an embryonic role compared to the CFO, and the exact expectations of it are not one hundred percent clear.
4 archetype CISOs
To get a better understanding of the infancy issue of the CISO role, let us elaborate on four archetype CISOs based on our experience and research. We detail our observations on span of control, mandate, organizational position, and main challenges of each archetype. We do this to emphasize the current challenges we see in why certain CISOs are more successful than others; it has to do with getting the CISO you deserve, that is, getting the right CISO to get the job done.
(Corporate) Information Security Officer (CISO)
Advisor to the corporation, most of the time to the board or the CIO. Has no staff and no budget. Enforces their strategy via functional steering and has limited control or power in the Business. Builds “security in” afterwards. Mostly found in governments or non tech-born companies that have limited technology dependencies, like traditional industries.
Chief IT security officer (CISO)
Is positioned in IT and sometimes in the CIO Office. Small staff and no budget. Budgets are mainly the annual CIO-related IT budgets, calculated via old-school budgeting methods as a percentage of IT spend, mainly HR cost. Very little interaction with the Business; works in the IT silo on implementing IT security controls. Limited focus on security returns (e.g. ROSI modelling) and limited opportunities to sell to board or business executives who hold the “real budgets”. Mostly found in decentralized enterprises where IT (security) is separated into a central delivery organization. This CISO is in a hierarchical conflict with his boss, who is ultimately the boss and can overrule him. This CISO is squeezed even more when his ally, the DPO, is also in a “staff” position at the central organization.
Chief Information Security Orchestrator (CISO)
Orchestrates their security controls via multiple third parties, such as IT service suppliers, cloud providers, pen testers and SOC suppliers. Found in organizations that are part of an eco-system of suppliers, aka hybrid environments. Oversees the full field of responsibilities and expected outcomes. Aligns with their business executives as partners and makes business agreements on first-line business ownership, craftsmanship and KPIs. Has a Target Operating Model in place to exercise their first-line responsibility of directing policies and standards and their 1.5-line oversight and quality assurance on control effectiveness. Has own staff, budget, and board support. Is positioned independently from IT, is an enabler of new business initiatives and has a seat at the business and board table. You see this CISO typically in organizations that understand security is part of doing business. They understand that talent is scarce and you are better off buying it from the market via RFPs and tenders with clear SLAs rather than building your own team of “less sharp knives in the drawer” or nagging ducks that are not able to soar like an eagle. This CISO applies clear economic drivers to justify investments and understands they are “part of the business”.
Chief Information Security Officer (CISO)
The new generation of CISOs in tech companies (Uber, Google, ZOOM, Booking.com) that “is the business”. Has a direct reporting line to the management board and/or supervisory board. Is in constant dialogue with key stakeholders like 2nd-line risk management, internal and external auditors and regulators.
Their board understands that the word “chief” actually entails mandate, budget and personnel to fix the job, and that the chief can actually take full accountability. This CISO has direct lines to the IT security department and has “hire, admire and fire power”. They own their profession and organize their security via clear Target Operating Models with internal and external SLAs to measure and monitor the security performance of the entire extended enterprise (cloud, IoT, OT). IT and business are fused, and at every new business initiative the CISO (or a team member) is at the table. The deputy CISO organizes the internal security organization as a “COO” and makes sure the administration is up to par and that talent in teams is nurtured, educated and constantly challenged. The enterprise security architect in the team ensures that the complete environment is designed and implemented with the latest comprehensive technologies and methods. We sometimes refer to this as the level 4 CISO.
We see the last two CISO archetypes emerge more and more and become the de facto standard for well-prepared companies. In more and more cases this is a woman with no IT background but with strong alignment and leadership skills. But we also understand that every organization has a legacy, organizational structures and attitudes that cannot be changed overnight.
Guidance on getting the CISO you deserve is still of limited availability, especially for the last two CISO archetypes we mention. The European Competence Framework (eCF) defines the role of the CISO as strategic and mainly focuses on the hard capabilities, but never on the softer organizational aspects we discuss in this blog.
The digital security profession has a long history, and in the current era it is becoming even more important, with more people in organizations working on digital security. However, we often see those people having a more operational and tactical background and approach, without actual hands-on governance and leadership experience.
Which CISO do you deserve?
So, if you need to make digital security a success, you need a leader to lead you through the change and reach the end goal. In addition to how this leader needs to act based on employees’ needs, the leader should also consider the change the company needs to go through. For example, if you want to get digital security on the Board’s agenda, you might need someone with good political and marketing skills. If you want people to go in a certain direction, you might need a visionary person. If everyone is on board and you just need to get things done, you might need a more control-focused leader.
So, what does this mean? It means that you might need to choose digital security leaders not only based on what your employees need, but also based on which phase digital security is actually in and the journey the company is going to embark on (e.g. mergers & acquisitions, global growth, hyper scaling). The culture of the organization (see also the figure) also has a high influence on the success of the CISO. It might mean that the person who created the vision and got digital security rolling is not the same as the one who actually made it a success. Does that mean that the first one is a worse leader than the second? We do not think so; it is all about who is the right person for the right moment in time. And if your selection is not thorough enough, you get the CISO you deserve.
To help you get the CISO you deserve, we propose the use of the globally recognized CISO self-assessment of Russell Reynolds, a global HR firm; this assessment has also been included in our book. It also looks at aspects such as Leadership, Change needed, Stakeholder Management and Strategic Capabilities, which we teach at Antwerp Management School’s Executive Master in IT Risk & Cyber Security Management and explain here. Which archetype CISO you need really depends on the organization the CISO needs to be in and the challenges that lie ahead.
Want to read more about this subject? Order a copy of our book Leading in Digital Security(2) here
Want to learn more about our Executive Master in IT Risk & Cyber Security Management?
The model explained in our book shows four levels of CISO. Level 1 CISOs are mostly heads of IT security who mainly focus on governance and controls. Level 4 CISOs are deeply intimate with their businesses; involved in the background in senior hiring and firing, M&A, divestments, supply chain, IP protection and anything shareholder-sensitive. They also have regular sessions with the Chairman of the Board and train non-executives and their families.
(2) Bobbert, Y. & Butterhof, M. (2020). Leading in Digital Security: Twelve ways to combat the silent enemy (Bobbert & Butterhof).