The Seven Types of Incompetent CISOs

The Seven Types of Incompetent CISOs:

1. All day long they talk about risk management, user awareness training, how security is somehow everybody’s business, and how the CISO should report to the CEO instead of the CIO or CRO or any other C-level executive.

2. This CISO waxes poetic about using SMART goals to improve the performance of staff. This CISO brags about how detailed their performance reviews are and teaches other CISOs that this is the way to create a great cybersecurity program.

3. This type of CISO has a limited vocabulary. When there is ambiguity, competing business interests, and a variety of ways to solve them, the decision is always, “No” with no explanation provided.

4. This is a politically convenient executive who once upon a time was a certified public accountant but has decided that the CISO job is merely a simple game of dollars and cents. This CISO in training believes that cybersecurity risk is absolutely, positively about quantitative analysis and lectures their direct reports on the beauty of the Bayesian inference model and how it solves all the cybersecurity risk the company faces.

5. This is a fraternity-style CISO. You can probably tell because they may have had some military training in the past, absorbed the wrong way, and think that hazing is a way to promote esprit de corps. This involves purposeful exclusion of team members who don’t do as they are told and assignment of pointless work to the undesirables in the team.

Initially the corporation is thrilled to see a mover and shaker who fires staff left and right, only to find out that the firings were done solely to bring in the head count of the fraternity CISO’s inner circle, who also share their leader’s right to haze anyone.

But this fraternity CISO is no dummy, because they keep the business ignorant of what they are doing and drip-feed them tender vittles just enough to fund a rampant wheel-of-fortune game where the vendor who pays them the biggest kickback gets the deal.

The business executives realize too late how toxic these CISOs are and discover the cybersecurity program went nowhere. To add insult to injury, the business executives realize too late the astonishing bill left behind when these CISOs are packaged out.

6. This CISO is what I call the dreamer. This creature is usually locked inside the corner office opining about what should be done about the organization. These CISOs occasionally have staff meetings where they continue to lecture about what the organization should do.

Completely fearful of their own shadow, when a senior executive or board member confronts them with a serious issue, they either become catatonic and are at a loss for words to say anything meaningful, or they simply agree and commit their team to fix the issue without knowing any details.

In many cases corporations enjoy hiring CISOs like this because they are the ideal scapegoat. They don’t do anything, they can’t conceive of implementing any of their so-called great ideas, and when an incident occurs, they are perfect to take the hit. They are cheap salary-wise anyway.

7. Here is another interesting creature of the CISO world. We call them the Awards Show/Conference Junkie CISO. These are highly intelligent time and resource wasters in the organizations that hired them. When first hired, they do all the right things, especially the talent assessment.

Why is the talent assessment so important to this CISO? It gives them a sense of how great or poor the previous CISO did with the team. Clearly if the previous CISO did not do a good job, these CISOs will exercise their exit package after 90 days because it is simply too much work to do a good job.

But if this CISO discovers that the previous CISO did an excellent job: Bingo! Why improve on greatness when this CISO can spend time on the Conference Show and Awards Show circuit and let the direct reports run the has-been show?

Yet, even on the Conference Show and Awards Show circuit, these CISOs stand out for their command of insipid cybersecurity concepts that they read in the latest CSO magazine and try to pass off as their own thought leadership. In fact they are so devoid of any innovative thinking that they might as well call themselves a CME, a certified magazine engineer: you know, the folks who drop the latest acronym or cybersecurity concept that they read in CSO magazine and tell their direct reports to just implement it.

There is also a dark side to this creature. To win an Award as a CISO, you have to implement a showy sexy new tool and talk about the “business value” of cybersecurity. Meanwhile, the direct reports are suffering under the crushing weight of vulnerability scans that have been ignored for months.

So, as a business executive, the next time these types of CISOs request time to go to conferences and/or award shows, perhaps it is better for you to ask them the business value of these Conference and Award shows before you allow these CISOs to waste even more time and money.

Now that you know how to spot an incompetent CISO, call them out! Especially you in the executive suite or you in the board room. Here are a few prompts you can ask these types of CISOs:

  1. When was the last time you implemented an automated control?
  2. I don't care about your performance reviews, is the cybersecurity program cost effective? I did not hire a babysitter!
  3. I want a comprehensive measurement of all of our cybersecurity investments and how they add value to the business. Include 3 innovative projects that transformed the program.
  4. I want to understand risk from a comprehensive perspective. All you do is give me statistics! Do you know what I think of your statistics? There are lies, damn lies, and statistics!
  5. I am not funding your staff and cybersecurity tools until I see something substantial from you. Your sweet nothings are making my ears bleed.
  6. You know, you're quite agreeable. That's why I gotta fire you!
  7. How come every time I call you I hear background noise? How come I always see you on LinkedIn showing off your latest award? How come the only person I can talk to in person is your chief of staff? You've got 90 days to show me what you accomplished, and we canceled your parachute package.


certified magazine engineer

It's great that you're addressing the concern of assessing the effectiveness of Chief Information Security Officers (CISOs) in organizations. Understanding the competency of a CISO is vital for ensuring robust cybersecurity measures and protecting sensitive information.

Raffi Erganian

Co-Founder & CTO

1 year

"the beauty of the Bayesian inference model and how it solves all the cybersecurity risk the company faces", part-time comedian!
