Software and silicon design company Synopsys has just published an interesting report that classifies chief information security officers (CISOs) into four archetypes or what it calls “tribes”.
Through in-person interviews with 25 CISOs from some of the world’s largest firms, such as Facebook, Goldman Sachs, Cisco and Starbucks, Synopsys grouped CISOs into different tribes based on whether their organisations viewed security as an enabler, as technology, as compliance or as a cost centre.
Each tribe demonstrates specific characteristics or “discriminators” that fall into three domains: workforce, governance or controls – equivalent to the clichéd phrase, people, process and technology.
In Synopsys’ model, membership in one tribe is mutually exclusive with membership in other tribes. Each of the 25 CISOs fits into one of the four tribes, although he or she may share common discriminators with those in another tribe.
Tribe 1: Security as enabler
Organisations in this tribe are the most mature of the lot in their approach to security. Far from being a cost centre or a compliance checkbox, security in Tribe 1 is seen as a pathway to good business. These organisations take a business-focused approach towards security, which isn’t seen as just a technical issue. Compliance is viewed as a planned effect rather than the goal. CISOs in this tribe also get in front of the problem by influencing the standards by which they will be judged.
Tribe 2: Security as technology
CISOs in this group typically begin their careers as technologists and tend to turn to technology to solve every security problem. They also try to understand the business, but have not reached the “senior executive gravitas” of Tribe 1. Their penchant for problem-solving also leads them to take on the toughest business challenges on their own rather than delegating tasks.
Tribe 3: Security as compliance
Although compliance requirements can get organisations to do something about security, they have a tendency to foster a checklist mentality, where security is viewed as yet another box to be ticked. It has been proven that compliance is not a panacea for every security problem, and it certainly can’t keep out determined hackers. Yet organisations in this tribe continue to underinvest in security in spite of compliance requirements.
Tribe 4: Security as cost centre
Organisations in this tribe may not even have CISOs. Their security leadership may exist down the pecking order or in middle management. Because security is seen as a cost centre, it “never drives budget creation and in some sense has a thick glass ceiling imposed on it”. It’s a tough job for security professionals in organisations that belong to this tribe where security is viewed in the same vein as the IT helpdesk.
In its report, Synopsys did not reveal the number of CISOs in each tribe, but it fears that “Tribe 4 may be very large, meaning there’s plenty of room for security improvement in the world”.
What type of CISO are you? Tell us more in the comments!