Most of today’s CISOs got into the role accidentally. Yet tomorrow’s CISO will have chosen this role by intent. It will be a chosen vocation. Therefore, CISOs will need to focus on the role and start cultivating the skills required to become a security leader. This was a key message from a presentation on The Future CISO by Jeff Pollard, Principal Analyst, Forrester Research. Speaking at the Forrester Security & Risk Global 2020 Live Virtual Experience on September 22, Pollard urged CISOs to check if they are “Company Fit” and to prepare for what’s next. He also outlined the six different types of CISOs: transformational, post-breach, tactical/operational, compliance guru, steady-state, and customer-facing evangelist. Pollard showed how CISOs can build a roadmap for transitioning from one type to another and explore strategies for obtaining future CISO and related roles.
By Brian Pereira, Principal Editor, CISO MAG
“CISOs do an insanely challenging job under challenging circumstances. They have to worry about their company, adversaries who attack, insider threats, and also employee and customer experience. This is not easy. That’s why intent matters,” said Pollard.
He advised CISOs to plan for the role and make a meaningful contribution at the C-Level. Skills enhancement, both for the CISO and the security teams is also crucial.
Pollard alluded to the example of Pixar Animation Studios, which achieved immense success and bagged many awards because it has intent and focus.
“Pixar is a company that matches this intent. They know exactly what they want to do. They have a specific methodology for stories, how they think about content. Technology drives the stories that they tell. They are an incredibly innovative company. There is a secret history of Pixar that ties in with the CISO role,” said Pollard.
Pixar earned 16 Academy awards, 11 Grammys, and 10 Golden Globes.
“They earned all these awards because they operate with intent and focus. When you operate without intent and focus, and when you don’t plan for this role, and when you don’t actively cultivate all of the skills that you need, then this happens,” said Pollard.
By “this” he meant that CISOs lose focus and find their role challenging, which could even lead to burn out.
He urged security leaders to start writing their own stories and to think about their stories with intent, discipline, and rigor.
Why CISOs lose focus
The CISO was never a “No” department. In saying “Yes” to everyone and trying to do everything for everyone, CISOs lost their focus.
CISOs juggle many tasks like product security concerns, compliance concerns, regulatory issues, legal issues, beaches and attackers, and incident response. And then, there are new priorities that come up.
“0% of CISOs are great at everything. And that’s what most security leaders have had to do. You can’t do all of that and be effective. It’s not possible. But that’s what happened to the role — priority after priority and trade-off after trade-off. None of it results in the success that we want,” said Pollard.
He added, “CISOs haven’t operated with constraints, which lead to focus. And focus leads to innovation. We are just doing too much and not succeeding. We are too tactical. We say yes to a lot. The CISO is not the department of No.”
How many are C-level?
While most security leaders aspire for a seat at the table in the board room, very few make the cut.
A 2020 study by Forrester Research shows that just 13% of all security leaders are actual C-level titles or CISO.
The Forrester study considered those with an SVP or an EVP title and compared that to those with a VP, Director, or another title — across Fortune 500 companies. The other data point from this study is that the average tenure of the CISO is 4.2 years and not two or three years.
“Even those who got a seat at the table are not treated like a true C-level executive. They do not have the same access for authority that those others have. And most of the 13% are on their third or fourth CISO role. After the second one, they don’t take that laying down anymore. They demand to be an actual C-level,” said Pollard.
What CISOs need to do
CISOs need to plan for a four-year stay, and they can take some inspiration from Pixar by writing their own stories.
“The reason why this is so important is because you are looking at a four-year stay. It’s going to be hard for CISOs because they are going to do all their tasks for four years with all these limitations. They can make mistakes if they do not operate with intentionality and if they don’t fight for what they deserve. The good news is that CISOs can get this right and write their own story. It’s just about thinking about it in terms of intent and our own story,” advised Pollard.
Going back to the Pixar example, he urged CISOs to simplify and focus. Like Pixar, they should combine characters (or tasks) and hop over detours.
“You will feel like you are losing valuable stuff, but it is actually freeing you. Fire yourself. find a way to replace yourself. Get rid of activities that you don’t need to do. And don’t be afraid to empower the direct reports that work for you,” he said.
Reproduced with permission from Forrester Research
The 6 types of CISOs
Forrester Research began thinking about the future or the CISO two years ago and came up with a concept that there were 6 types of CISOs. The roles could overlap, and one could have the attributes of other types as well.
Pollard said the CISO should consider these 6 types when thinking about their intent and focus. These types give one the opportunity to think about their roles and future careers — and even life after being a CISO.
We started thinking about this concept of the future CISO two years ago. We figured out there were 6 types of CISOs out there.
1. The Transformational CISO
This is a more strategic type of CISO who thinks about customers and business outcomes. They focus on turn around and transformation of the security program. They take it from one that may be too insular and too internally focused to one that focusses on the outside of the organization. They do this to make the security program more relevant to the rest of the business.
2. The Post-breed CISO
This CISOs comes in after the organization has been breached. There is intense media and board speculation. Add to that, litigation, regulatory investigations, and potential fines. There is a lot of chaos and they must remediate the situation and lead through the turbulence.
3. Tactical / Operational expert
This is the action-oriented CISO who gets things done. They are adept at sorting out technical issues and building out cybersecurity programs for the company.
4. Compliance Guru
They have a thorough knowledge of compliance requirements and they operate in a heavily regulated industry. They help the company to figure out how to navigate international issues and wars as well as oversight from the FTC, PCI, HIPPAA, and other regulatory bodies. For them, Security is always a risk management conversation.
5. The Steady-State CISO
The minimalist who doesn’t rock the boat and change the status quo overnight. They maintain a balance between minimal change and keeping up. Maybe things are just fine at the company right now and security is working for them.
6. Customer Facing Evangelist
This type is common at the tech and product companies. They evangelize the company’s products and services with a commitment to cybersecurity. And they speak about how security and privacy help customers.
CISO Company Fit
Forrester defines “CISO Company Fit” as the degree to which the CISO type at the company matches the type the company needs to maximize the success of both parties.
“If the company fit is not suitable, then security leaders have to deal with burn-out and angst. And part of that burn-out comes from the fact that they may not have CISO Company fit,” said Pollard.
Life After CISO
What happens at the end of a CISO’s career? What are the avenues that one should pursue as one moves towards semi-retirement?
Forrester analysts speak to many security leaders, some who have led successful 20-year careers. And those discussions have identified typical post-career avenues.
“CISO roles are not terminal roles. There is life after CISO. You have got to start thinking about what comes after this for me,” urged Pollard.
Some of the avenues a CISO could take are:
CIO – If you think the CIO is a tough boss, try working for a former CISO – and be a CIO yourself.
Founder/CEO – Commercialize those DIY tools your teams built.
Board Member – Help other CISOs by being a cybersecurity board member. Your company may need a cybersecurity expert on the board.
Author / Speaker – The storyteller who can write their story and help other leaders who are going through the journey that they are going through right now.