Different Shades of CISO
A little while ago, in this video, our behavioral expert talked about how a CISO's authority is limited, but in order to do a good job, their influence must be wide. By this, Ted meant that a CISO has a limited number of direct reports but needs to change the behavior of large numbers of colleagues in order to succeed. The CIO or CTO has direct authority over the colleagues on whose performance the CIO's or CTO's success depends. Not so the CISO. This is why we at Pythia Cyber stress the leadership qualities and behavioral acumen a CISO needs to succeed. Picking a crackerjack techie is risky, unless they also have great people skills. Picking a people person with no technical chops is similarly risky.
This got me thinking about what else is involved in being or choosing a CISO.
First of all, there is no one-size-fits-all CISO manual. In my experience, there are race car driver CISOs, ambulance driver CISOs and school bus driver CISOs, because each of these modes is appropriate to a particular situation.
If you are a company racing toward that all-important IPO, you need someone who will go fast, take chances and get you over that line with time to spare. You need a working program with a track record ASAP. You don't need a steady-as-she-goes CISO. You need speed.
If you are an organization in an active threat profile, you need someone who will move with all deliberate speed, stop the bleeding now and give you the space to operate. You need assurance that you are doing everything you can do, as quickly as possible while still being as deliberate as possible. It's a jungle out there.
If you are a mature organization with a moderate threat profile, you need someone who will get all of you there safely and on time, but safely is more important than timely. You need someone calm and experienced and great at driving routes that change, but not rapidly.
Each of these models works well in the environment to which they are suited. Each of these models is a poor fit for any other environment.
When hiring a CISO, you need to know what kind of CISO you need. When applying for a CISO position, you need to know which kind of CISO you are or will be. Perhaps you are super adaptable and can do whatever is needed, growing and changing with the position. Perhaps you are less flexible but great at what you do.
Which brings up something I will mention briefly here but to which I am sure we will return: if your organization does not currently have a Cyber Security program, do not assume that you can hire the CISO first and build the program second. Similarly, if you are a CISO being hired to create a program, rather than run an existing program, do not assume that if you are a great builder, you are also a great administrator. There are unicorns who can do both, but in my experience most of us are one or the other: we are either good at designing a program, with the love of novelty and adaptability that entails, or we are good at adjusting a working program, with the love of consistency and discipline that entails.
This is why we at Pythia Cyber suggest that, for your first Cyber Security program, you want someone to help you design and implement your program so that you can then hire someone to fill a well-defined position.