This blog post is part of a multi-part series on designing an information security program in alignment with your most important business objectives. You can also watch the webinar/podcast which accompanies each blog post for more ideas.
Imagine hiring a carpenter to install custom marble tile for your dream kitchen. You would start your search by finding carpenters in your area that specialize in tile installation. Then, you would narrow down the search to carpenters that focus on interior installation – and kitchens in particular.
Finally, you would shortlist the carpenters that specialize in custom cut marble tile at a fair rate. It seems obvious – hire someone who is an expert based on your needs.
However, when it comes to hiring a CISO most organizations do not realize that CISOs are similarly specialized and the role at each will vary based on specific business challenges.
For example, consider your own company. What are your biggest challenges? Compliance, regulations, application security, security questionnaires in the sales cycle? To succeed, the CISO role must be designed to align with the specific needs of your organization.
In this post, we will provide a framework to design a CISO role that will support your most important business objectives.
Designing a CISO Role That is Right for Your Organization
There is a large universe of potential responsibilities a CISO may be asked to fill. However, we must establish upfront that no CISO can meet all of them alone. Your organization likely has a long list of “must-haves”, but you will not be able to find all of these attributes in a single person. Therefore, your organization must prioritize the skills it values most in its security executive and design a job description around those required skills.
We recommend a three-step process: identify your biggest business problems, prioritize CISO roles and responsibilities, and build a CISO RACI diagram.
Identify Your Biggest Business Problems
To start, the organization must identify the “why” behind building a security organization. I recommend making a “top 10” list and ranking each in order of priority. This will inform the decision process of designing the CISO role. Below is a simple example:
Tip: If you are unsure about your biggest business problems and their link to information security, you may want to consider a formal risk assessment. Reference ISO 27005 or NIST 800-30 as a starting point.
Prioritize CISO Role and Responsibilities
In the figure below is a list of responsibilities often associated with a CISO. This is only a partial list, but as you can see the typical needs are broad, and each requires a significant depth of technical knowledge and experience to execute well.
As a rule, a CISO with 2080 hours in a standard work year can handle a primary and a secondary responsibility (two columns from the figure below). Anything more cannot be executed well without significant support.
As an exercise, we highlighted in blue the areas that correspond to the business problems identified above. This helps make it clear that the CISO will focus most of their time on Governance and Compliance related activities, which is in alignment with the outlined business problems.
CISO RACI Diagram
Now that we have a firm understanding of the organization’s business problems and the CISO’s primary focus areas, we need to be able to communicate how the remainder of the security universe will be managed as a shared responsibility. We can do this by creating a RACI diagram across the five identified focal areas.
This exercise makes clear that the CISO will focus on Governance and Compliance (highlighted in blue), but will require support from leaders across the organization. This is a powerful tool to communicate expectations to your CISO as well as the rest of the team.
Tip: If you are designing a security committee (we like to call it an Information Risk Council), this exercise also makes it easy to identify who will likely need to be a member.
Common CISO Profiles
After completing the exercises above you will have a good understanding of the type of CISO your organization requires. You have likely landed on one of three common CISO profiles. We will provide a brief description of each, as a helpful starting point in designing your CISO job description and keeping an eye out for the right candidate.
CISO Type I: The Security-Focused CISO
Typical Profile: The security-focused CISO often has prior experience in information technology or product. They were often “doers” or “builders” with an engineering background.
Strengths: Security-focused CISOs thrive in engineering-minded organizations with technically minded staff charged with building secure systems. They are especially effective when communicating with software developers or system architects.
Weaknesses: They typically understand security at a deeper technical level, but often struggle with the bureaucracy that accompanies compliance.
Support Needed: They will help the organization thrive when paired with GRC managers who can help run the compliance side of the program.
From my experience, about 30% of CISOs fall into this category.
CISO Type II: The Compliance-Focused CISO
Typical Profile: The compliance-focused CISO likely has prior public accounting, auditing, and governance experience.
Strengths: Compliance-focused CISOs will thrive in highly regulated environments with the ability to follow a framework, achieve certification, and collaborate with auditors and regulators. They typically understand how to interpret and navigate audit, certification, and regulatory frameworks. In addition, compliance-oriented CISOs are typically well trained to navigate executive and board reporting.
Weaknesses: Compliance-focused CISOs often lack deep technical acumen or engineering experience. As a result, they may not have hands-on experience using security tools or building software. Because of this, they may not empathize as deeply with those tasked with carrying out security functions.
Support Needed: Compliance-focused CISOs will be well paired with technical subject matter experts who are comfortable executing technical “hands-on” job requirements.
From my experience, about 50% of CISOs fall into this category.
CISO Type III: The Successful Executive With a CISO Title
Typical Profile: The non-CISO CISO is an executive (typically a former COO or CTO) who has somehow found themselves with the responsibility of running the security organization.
Strengths: They are often great cross-functional leaders that can get things done. They are naturally attached to the priorities of the business and run security accordingly. They also typically empathize with those outside the security organization and as a result can collaborate effectively.
Weaknesses: They probably lack the technical skills or compliance experience typically associated with the CISO title.
Support Needed: Non-CISO CISOs will need to be supported by a strong team of non-executive subject matter experts at the management level. There should also be an enhanced focus on reporting on key performance indicators that clearly communicate the health of the program to the non-traditional CISO. Further, the non-traditional CISO should be well respected by the organization at large and be candid about their lack of technical acumen. Otherwise, posturing may erode their credibility.
From my experience, about 20% of CISOs fall into this category.
Honorable Mention: The I.T. Leader with Security Responsibilities
Typical Profile: An I.T. Leader who has informally adopted security responsibilities.
Strengths: They have the best understanding of the technical components of various systems that support the organization.
Weaknesses: Since I.T. builds and supports the systems in question, they may have blind spots when it comes to assessing their security posture. Further, there is a natural conflict of interest, as the I.T. leader may be apprehensive about pointing out security weaknesses in the systems they built. Finally, there is simply too much to do – the I.T. leader will not have the time to oversee all of I.T. and security effectively.
Support Needed: While the I.T. leader may be required to support security as a matter of necessity (due to resource or budget constraints), it is not a long-term solution for most organizations at scale. Therefore, the I.T. leader will require a security manager or analyst as soon as is feasible.
While this position is common, it is not a CISO role, and it is neither effective nor fair to hold this individual accountable for security activities without appropriate support, resources and budget.
We have Designed the CISO Role, Now What?
Now that you have designed the CISO role, your organization should be well-positioned to hire a CISO candidate that is customized to the needs of your organization. Your organization will also be able to effectively communicate expectations and accountability. Clarity will help eliminate uncertainty and help align the security program with your most important business initiatives.
If you found this post helpful, watch for part 2, where we will continue the series and discuss how to design a clear and effective security program organizational structure that supports your organization’s strategy.