Friday, August 4, 2023

Top 3 CISO Personality Types You Need To Know

Let’s admit it, one of the toughest jobs in Cybersecurity today has to be that of being a CISO. To formally define it, this is a role in which the designated person is hired on full time, with a huge salary as well as a fat bonus package. But behind all of this glitz and glamor, the CISO is in a position where he or she is damned if they do and damned if they don’t.

There is no thanks or praise in this position. The CISO is faced with a double-edged sword: Not only do they have to keep pace with the other members of the C-Suite, but they are also in the perfect firing range in front of their Board of Directors.

They literally have to do everything in their power to please them, because after all, their budget is in the Board’s hands.

The second edge of the sword is dealing with the members of the IT Security team whom he or she is charged with leading. Not only do they have to keep them motivated, but they also have to listen, or at least make an attempt to do so. In fact, this is one of the areas that CISOs are most often blamed for.

Many people feel, even outside of the IT Security team, that CISOs do a very poor job of both listening and communicating.

While it is up to the CISO to change their own personality traits, you can take some steps to help them listen to you better. It all comes down to understanding the language they understand and speak. So, this is where you have to figure out what kind of communication personality they have. Psychological research has shown that there are three distinct types, which are as follows:

1) The Business Minded One:

For this kind of CISO, all that matters to them (and rather unfortunately so) is the dollars and cents. While they realize they have to maintain a strong security posture, they want to do it at the cheapest price possible. While they may look good to their Board of Directors with this kind of personality, it often comes with a price: Poor security. Remember that old proverb, “You get what you pay for”? Well, that certainly applies to this kind of situation. Every recommendation or idea that you come up with and present will be countered with the question: “How does this affect the bottom line?”

2) The Data Compliance Minded One:

There is no doubt that Data Privacy has become a huge concern today. To make sure that businesses are compliant in protecting their datasets, laws such as the GDPR and the CCPA have been created as a result. If the right controls are not in place, very sharp financial penalties can be imposed. Both civil and criminal penalties can also be imposed. Because of this, the CISO has every right to be afraid. After all, if there are any problems with auditors, it will be their heads that roll. Because of this, many CISOs have been known to take their fear to the extreme and become totally obsessed by compliance. While in a way this is good, because you will at least know your business will be compliant, it is also bad because the CISO will quickly lose sight of the other things that they are responsible for. So on one hand you will have some higher levels of protection, but on the other, your company could become more prone to security breaches because the CISO has not been able to keep up with the latest happenings in the Cyber Threat Landscape.

3) The Technical Minded One:

These are the CISOs that have been brought up in the world of Geekdom. All they have ever held were pure technical roles, and nothing else. While you want a CISO that can understand and speak the techie side of things, this can also be a dangerous proposition if that is all they think about. As a result, they cannot easily understand the people side of things, and when they do communicate with other employees or their Board of Directors, it is often at a level that nobody can really understand. Also, they will have a hard time communicating in business terms to their higher-ups, especially when it comes to getting an increased budget. This kind of CISO personality also exhibits a very micro view of things, because they want to know about all of the moving parts. Because of this, they can lose sight of the big picture very quickly.

My Thoughts On This:

Keep in mind that this is not an all-inclusive list. There are other personality types that could potentially exist, but these are the three main ones that research has identified. In an ideal world, you will want your CISO to be able to speak in all three of these personalities. But it is very difficult to find a person that can understand both the technical and the business side of the Cyber world.

For this reason and many others, many CISOs of today simply do not last long in their roles. The average tenure these days is at best 1.5 years. Because of this, as well as the current economic situation, many companies are now doing away with hiring full time, direct hire CISOs.

Instead, they are opting much more often for what is known as the vCISO, where you hire a former CISO on a contract basis, for a fraction of the cost.

But whatever route you go, keep in mind that the CISO or even the vCISO is the ultimate reporting authority for the IT Security team. If you want your ideas to be heard and even implemented, it is important to make a good effort not only to understand whether they fit any of the above-mentioned personality traits, but to try to speak their language as well.
