What type of CISO do you need?
Hello friends,
Context matters for leadership. There are moments when the strengths of a leader match the circumstances (Churchill) and moments when they don’t (Chamberlain). But oftentimes the ‘spec’ for a leader doesn’t do a great job of taking that context into consideration. Typically, most companies press the easy button with CISO requisitions (just as they do for lower-level roles) and look for somebody who 1) has done it before, 2) in the same industry.
We can do better.
Today, I want to share a piece that we drafted to help business leaders think about the right type of security leader they need, taking into account where they are and what they want to accomplish.
An ebook of this post is available here.
Additionally, we are debuting a new section of the newsletter: ‘What I’m reading.’ It’s a chance to share great stories and thinking on a variety of topics: cybersecurity, hiring, and beyond.
As a reminder, I wanted to let you know about our referral program. Whether you are part of a VAR/MSSP/ services provider, or simply know people that may need some support, you have an opportunity to earn significant passive income by referring potential clients. If you are curious, please drop me a line and I can share more. As a quick refresher, we offer:
Enjoy,
Brad
What type of CISO do you need?
Would you expect an MMA fighter to compete in the Preakness?
Or a pro golfer to do a triple lutz?
No. So you shouldn’t expect to find a one-size-fits-all CISO.
Cybersecurity is both broad and deep. Just as technical unicorns who can do everything in an 80-requirement job description don’t really exist, CISOs who know everything about security AND have every leadership and business skill that could possibly be needed don’t really exist either.
The type of CISO you need will depend on your company size, culture, technology, security maturity, risk posture, and business objectives.
The role and responsibilities of a CISO
CISOs sit at an intersection.
They are responsible for optimizing the cybersecurity posture of a company, in a way that supports the growth priorities and desired risk position of the business.
The CISO's role and responsibilities vary depending on the size, industry, and maturity of the organization, as well as the specific challenges and objectives it faces. However, some of the common duties of a CISO include:
Success requires a combination of technical, business, and leadership skills, as well as a deep understanding of the business’s context and challenges. However, not all CISOs have the same profile, and different types of CISOs may be more or less suited for different situations.
If you are in the market for a CISO, ask yourself these questions
Instead of the easy button profile (I’d like a person who’s done this before for 10 years in a company in our industry in a location that is where our headquarters is), we need to consider context.
Companies should ask these questions before deciding what type of CISO they need:
If you don’t have the answers to these questions, you need to find someone that can help you get there and figure it out.
CISO archetypes
There are several frameworks for types of CISOs out there. We have our own, based on our own observations and experience. What’s important to understand is that these are just characterizations. Every individual has some combination of these traits and experiences. But we’ve found this framework helpful both in exercises of self-discovery and in identifying the proper type of CISO for the need.
The Builder
The Builder excels at creating and implementing a security program from scratch, or transforming an existing one that is ineffective or outdated. The Builder is a visionary and a strategist who can define a clear and compelling security vision and translate it into a realistic and actionable roadmap. The Builder is also a hands-on leader who can roll up their sleeves and get things done, as well as recruit, train, and mentor a high-performing security team. The Builder is often brought in when an organization is undergoing a major change, such as a digital transformation, a merger or acquisition, or a post-breach recovery, and needs a strong security foundation to support its growth and innovation.
The Builder's strengths often include:
The Builder's weaknesses can include:
The Builder is best suited for organizations that:
The Navigator
The Navigator excels in complex, often political internal environments. These are typically found in big companies with a broad sprawl of stakeholders and functions. The Navigator is a resilient and resourceful leader, keenly capable of building relationships and reading the tea leaves, and typically has the most impact through influence rather than direct authority.
The Navigator's strengths often include:
The Navigator's weaknesses can include:
The Navigator is best suited for organizations that:
The Technician
The Technician excels at designing and implementing the granular aspects of the security program. The Technician has a deep and broad knowledge of the security technologies, tools, and best practices, and can apply them to the specific security needs and challenges of the organization. This type of CISO is a hands-on and detail-oriented leader, who can oversee and manage the technical elements of the program, and ensure the quality and compliance of the security solutions and services. This type of leader is appropriate when an organization is heavily reliant on technology (for example a software company), has a highly complex technical environment, or is of the size where the leader needs to be a player-coach.
The Technician's strengths often include:
The Technician's weaknesses can include:
The Technician is best suited for organizations that:
The Statesman
The Statesman has a dual role: building and running the security program for the company, while also being an evangelist for the company externally. These are balanced internal/external roles that lean heavily on a combination of security knowledge and selling/client relationship skills. They are commonly found in CISO or field CISO roles at security technology and services companies.
The Statesman's strengths often include:
The Statesman's weaknesses can include:
The Statesman is best suited for organizations that:
The Auditor
The Auditor is a detail-oriented CISO who excels in environments with a strong orientation toward compliance. These types of CISOs are ‘steady hands’ and a good fit when an organization is facing a high level of compliance scrutiny, liability, or risk, and needs a rigorous and reliable security leader to ensure alignment.
The Auditor's strengths often include:
The Auditor's weaknesses can include:
The Auditor is best suited for organizations that:
The Operator
The Operator excels at running and optimizing the security program. These people are good at taking something that is already in solid shape and making it even better. The Operator is often brought in when an organization has a stable and mature security program, and needs an experienced steward to optimize and adapt the security program. These are well-rounded and strong leaders where fit is less about unique skills and more about the type of work that they enjoy doing.
The Operator's strengths often include:
The Operator's weaknesses can include:
The Operator is best suited for organizations that:
The Fractional CISO
The Fractional CISO provides security leadership and guidance to a client on a part-time, temporary, or project-based basis. The Fractional CISO is a generalist and a consultant, who can adapt and adjust to the different security needs and challenges of the company, and provide the appropriate security solutions and services. This type of CISO may also fit many of the above archetypes, but generally enjoys the challenge and variety of serving multiple clients. This is a good avenue for companies that don’t need a full-time or permanent CISO, based on their size or risk appetite.
A Fractional CISO's strengths often include:
The Fractional CISO is best suited for organizations that:
If your company is in the market for a CISO, give Crux a call
What I’m reading
This is a new section, to share awesome content that I’ve come across. Enjoy, and share what you’ve been reading (and listening to) too!
Daniel Miessler is one of the best thinkers at the intersection of AI, tech, and security. He also occasionally writes pieces on humanity and psychology. He recently published a piece reflecting on how important framing is to our happiness and general perspective on life. As I’ve pointed out before, happiness comes much more from how we view the world and experience life than from what happens to us.
CrowdStrike has released its annual global threat report. It has great data on the latest adversarial tactics, as well as a focused section on the wave of elections in 2024 and what to expect from influence operations this year.
Ross Haleliuk publishes a great blog at Venture in Security and recently collected his insights into a new book for those starting cybersecurity companies. Cyber for Builders is a great overview for founders and those helping support the vendor ecosystem.
You won’t find more poignant writing about Alexei Navalny than from Arkady Ostrovsky, Russia editor of the Economist and a friend of Navalny’s. This long-form piece from 2021 captures his life and spirit. May that spirit live on.
Jobs
This week we are featuring high-paying, senior-level roles. As always, check out our job board for hundreds of opportunities, all classified by security domain and NIST/NICE specialization.
Nvidia. Distinguished Cloud Security Architect. Santa Clara, CA ($304-460K)
Anthropic. Application Security Engineer. San Francisco, New York, or London ($300-405K)
Nvidia. Principal Offensive Security Engineer. Santa Clara, CA ($268-414K)
Etsy. Senior Engineering Manager, Security Operations. Brooklyn, NY ($230-299K)
SpaceX. Principal Security Software Engineer (Blue Team). Hawthorne, CA ($221-270K)
Palo Alto Networks. Senior Solutions Architect - Application Security Expert. Remote ($216-297K)
Workday. Senior Director, Cybersecurity Technical Risk. Atlanta, GA ($198-350K)
Zscaler. Senior Manager, Software Engineering – Cloud Security. San Jose, CA ($180-230K)
Events
One of the (awesome) features of our new website is a comprehensive list of upcoming conferences. It’s one of the largest collections of cybersecurity conferences available. Check it out!
A few of the exciting ones in store over the next few months:
FS-ISAC Americas Spring Summit. San Diego, CA. March 3-6.
SnowFROC. Denver, CO. March 7.
SXSW. Austin, TX. March 8-16.
HIMSS. Orlando, FL. March 11-15.
Utility Cyber Security Forum. Chicago, IL. March 19-20.
CISO 360 Americas. New York, NY. March 28.
Thinking about your next move? Join our network
Looking for awesome talent? Post a need for free
Crux is the talent platform for cybersecurity. Check us out
Comment from: Cyber Security Leader | Managed Detection and Response | Coaching | Risk Management | Vulnerability Management
1 year ago: Just curious, what would be the weakness for a fractional CISO?