As with many cybersecurity professionals, some CISOs were "accidented" into the role, said Jeff Pollard, Forrester VP and principal analyst, while speaking at the virtual Forrester Security and Risk Global 2020 conference Tuesday. But as the CISO role evolves and takes shape,the decisions they make and projects they oversee will become more intentional.
Security is involved in privacy, legal, productivity, breaches, threats, software — CISOs have their hands in everything. But as the CISO's plate is overloaded with responsibility, they become a master of none, to the detriment of the company.
Of all CISOs, 0% are effective at everything, said Pollard. "We can't do everything for everyone" and historically, that's what security leaders have had to do.
Today's CISO faces a daily inundation of competing priorities, forcing them to table projects and make tradeoffs.
Only 13% of CISOs are considered C-suite executives, up from 5% or 6% a couple years ago, according to Forrester research. The rest of security leaders are referred to as VPs or directors at Fortune 500 companies.
Of that 13% of CISOs, most are on their third or fourth CISO job, said Pollard. This indicates that they were experienced enough to advocate for that seat at the C-suite table.
The CISOs that overcome the challenges of the role — accidental appointment, overwhelming responsibility, and limitations of authority — should "fire themselves," said Pollard. Pollard wants CISOs to rid themselves of activities they don't need to do. "You'll feel like you're losing valuable stuff, but it sets you free."
Flavor of the week
There are six types of CISOs depending on the type of organization they work and their personality type, according to Forrester:
Transformational: Often "energized" to dive into a three- to five-year transformational initiative, said Pollard. These individuals tend to enjoy turn-around projects and watching business outcomes unfold.
Post-breach: Thrive in turbulence; they take on rebuilding a company's security organization while mitigation and PR crises play out in the background. These CISOs don't mind the possibility of becoming "the punching bag" for vendor presentations in the future, said Pollard.
Compliance guru: Typically work in highly regulated industries and are fluent in regulatory bodies and acronyms: HIPAA, CCPA, FDA, etc.
Tactical/operational: Action-oriented and can sift through technical complications.
Steady state: One of Pollard's favorite types because they usually serve at companies that don't need immediate transformation. "Maybe the company is OK right now," he said.
Customer-facing/evangelist: Unafraid, and rather enjoys being their company's spokesperson for cybersecurity. Tech companies often have this kind of CISO because they can appeal to customers with their charisma.
All CISOs face burnout because they might be in an imperfect match with their company.
A transformational CISO will not thrive in a steady state company, and the disconnect will lead to a poor security culture. But that's not to say CISO types can perform in different kinds of companies.
Post-breach CISOs typically leave after three years of cleanup. By this point, the breached company will want a steady state or tactical CISO to carry on security duties.
"It's interesting, after a breach, one of the major changes organizations will implement is a change to the CISO role," said Stephanie Balaouras, VP and group director at Forrester, in the comment section of the livestreamed session.
Post-breach companies will either hire "a dedicated CISO if they didn't have one, [moving] the reporting relationship to higher in the organization, even outside IT and into the CEO," said Balaouras. The reporting structure for CISOs might also shape their next career move.
"We had a CISO tell us they were in a board meeting. They asked the CIO to leave the room while the CISO met with the board so there was no conflict," said Pollard. If a current CISO doesn't see eye to eye with their CIO, they can eventually become one.