Different Types of CISOs, Diverse Missions
2023-11-30 21:00:57 Author: securityboulevard.com

I have been having a lot of discussions recently about what is going on with the CISO profession, so I wanted to take a minute and share some insights from these conversations. We talk about the CISO role, but in reality, there is a diverse set of missions that define how the cybersecurity leader for an organization functions (note that I use ‘CISO’ and ‘senior cybersecurity leader’ interchangeably). That mission will determine where a CISO sits in the reporting hierarchy of the company and what resources they have access to. Let’s explore the most common missions, where they sit in organizations, general categories or backgrounds of CISOs and emerging changes to the role.

In my experience, there are five common missions that a CISO could be hired to achieve:

  1. Steady-state – Someone hired to maintain the current program as-is. They are not expected to grow or innovate, as the leadership is comfortable with the status quo.
  2. Compliance – Someone is brought on to address a deficiency. This could be something like making the company PCI DSS-compliant, for example. They are expected to focus on building a program to meet the standards of the regulation.
  3. Builder – Someone brought on to move the cybersecurity program to the next level. This is often the result of the board deciding they are not comfortable with the current level of risk/status quo, or the result of an internal audit finding.
  4. Crisis – Someone brought on after a cybersecurity incident who can address the issues around the crisis and rebuild the program.
  5. Customer-facing – This is someone who can be an evangelist for the company; this mission is typically found in security product companies (i.e., vendors).

The skills and temperament of a specific CISO often pull them toward roles that fit what they will be most successful in doing. So, generalized advice on what a CISO needs to develop is not always useful.

I see a few common categories of CISOs based on their backgrounds. First is the set that comes from a technical background and has typically grown up through the ranks of cybersecurity teams. This was most common in the first generation of CISOs and caused some issues, as they tended to talk to the board like a technical advisor and report on things like security patching status rather than as a business partner talking about risk to the business plan. Next comes the set of leaders coming out of compliance/audit, who tend to focus on compliance risk over material risk. More recently, we have a number of MBAs taking on the role based on the CEO’s desire to run the cybersecurity program more like a traditional functional area. There are, of course, a number of other types of cybersecurity leaders, but I think these are the most common, and each needs a different approach to work successfully.

Next, the title of CISO is typically an external title, with the internal HR job being called something like ‘Director of Security.’ There are some CISOs who are executive officers of the company, but most are not. A report by the SANS Institute estimated that 65% of security leaders actually report to a technical function. That said, many of them are allowed to state publicly that they are the CISO. A great test of how important a role is to the company is who is listed on its corporate leadership website. A survey done by Brian Krebs showed only five of the Fortune 100 companies list the CISO on their leadership site (a number unchanged from 2018).

Let’s pause to review the difference between the roles of CISO versus Chief Security Officer (CSO) versus Chief Risk Officer (CRO). The CISO primarily focuses on cybersecurity risks related to information and digital assets. The CSO typically also has responsibility for additional areas like physical security. The CRO role is broader and includes operational, financial, compliance and strategic risks. It is unusual for a company to have both a CISO and a CSO, but many large companies have both a CISO and a CRO. CISOs often provide a risk assessment to the CRO, and the CRO reports to the board.

The term “chief X officer” is also getting diluted. We get more ‘chief’ titles every year. Below are some examples of functions that carry the title of “chief,” but many of these are not executive officers of the company who report to the board of directors.

  • CEO/CFO (officers of the company)
  • CIO/CTO/CMO/COO/CHRO (typical and could be officers of the company)
  • Chief Data Officer, Chief Risk Officer, Chief Privacy Officer (these are less likely to report to the CEO)
  • Chief Innovation Officer, Chief Diversity Officer, Chief Compliance Officer, Chief Customer Experience Officer… (The list of functional areas that have a CXO is long and often tied to the primary function of the company.)

Emerging developments for CISOs include shifts in legislation that are driving changes in the CISO’s level of responsibility. One example is that while the U.S. Securities and Exchange Commission (SEC) rolled back guidance on disclosure requirements regarding director cybersecurity expertise, it did require disclosure of incidents, cybersecurity risk strategy and governance. Furthermore, the SEC recently took unprecedented action by levying criminal charges against SolarWinds and its CISO for fraud and internal control failures related to known cybersecurity risks and vulnerabilities. This is raising the stakes for CISOs and holding them accountable as officers of the company.

Another area where we see emerging change is the fractional or virtual CISO. Companies that cannot afford a full-time CISO can now contract with one part-time. This could allow a startup to leverage an individual’s cybersecurity expertise until it can afford to hire for a full-time position.

So, as you use the term CISO, it is important to realize there is a range of distinct roles/missions that hold that title. Their ultimate goals of making sure the board understands the cybersecurity risk and of preventing material impact to the company from cybersecurity threats are similar, but how they are positioned to do that varies greatly.

Article source: https://securityboulevard.com/2023/11/different-types-of-cisos-diverse-missions/