{"id":2066,"date":"2025-02-24T06:00:00","date_gmt":"2025-02-24T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2066"},"modified":"2025-02-24T06:00:00","modified_gmt":"2025-02-24T06:00:00","slug":"strategic-functional-tactical-which-type-of-ciso-are-you","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2066","title":{"rendered":"Strategic? Functional? Tactical? Which type of CISO are you?"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>When executives at a startup asked security leader George Gerchow to advise them on selecting a CISO, Gerchow recommended finding a security chief who had the skills to scale a security program, handle an incident, and engage with customers.<\/p>\n<p>The company instead hired a highly <a href=\"https:\/\/www.csoonline.com\/article\/573851\/why-ciso-roles-require-business-and-technology-savvy.html\">technical CISO<\/a>, one who worked like the hands-on architect Gerchow had been but lacked the leadership skills that were needed to calm clients when a security event eventually occurred. That skills deficit left the CEO scrambling to fill the void and customers feeling dissatisfied.<\/p>\n<p>The story shows that the CISO was the wrong type for the role, says Gerchow, faculty at IANS Research and interim CISO\/head of trust at MongoDB. The anecdote and Gerchow\u2019s observations highlight the idea that leaders \u2014 including business executives broadly and CISOs in particular \u2014 can be classified into different types.<\/p>\n<p>Proponents of this perspective say security executives should know the types of CISOs they are and which ones they aspire to be so they can match their talents to the tasks at hand, increasing the chances of success in their roles.<\/p>\n<p>\u201cYou have to put yourself in a position to succeed,\u201d Gerchow says.<\/p>\n<h2 class=\"wp-block-heading\">Just how many types of CISOs are there?<\/h2>\n<p>The <a href=\"\/Users\/agfly\/AppData\/Local\/Microsoft\/Windows\/INetCache\/Content.Outlook\/TP7MT0UN\/IANS%20Research%20and%20Artico%20Search%20Unveil%20The%20State%20of%20the%20CISO,%202025%20Report\">2025 State of the CISO report from IANS Research and Artico Search<\/a> offers three CISO types: strategic, functional, and tactical.<\/p>\n<p>Others have longer, more diverse lists of CISO types. Forrester Research, for example, has explored the concept of CISO types in multiple reports over the years. It issued its most recent update on the topic in a December 2024 best-practice Report titled \u201c<a href=\"https:\/\/www.forrester.com\/report\/the-future-of-the-ciso\/RES137136\">The Future of the CISO<\/a>.\u201d That report lists six:<\/p>\n<p><strong>Transformational<\/strong>, as in program-builders or turnaround agents.<\/p>\n<p><strong>Operational<\/strong>, often early-career CISOs who are closer to the technology and work at small-to-midsize companies where they still perform some technical duties.<\/p>\n<p><strong>Compliance<\/strong>, that is, risk experts typically found in highly regulated industries.<\/p>\n<p><strong>Steady-state<\/strong> CISOs, who \u2014 in opposition to the transformational type \u2014 keep everything on an even keel.<\/p>\n<p><strong>Customer-facing<\/strong> CISOs, usually found in technology vendors, cybersecurity companies and the B2B space where they need to talk about trust in the company\u2019s products; and<\/p>\n<p><strong>Post-breach<\/strong> CISOs, being the person who parachutes in after an event and leverages their history of post-incident experiences to help the organization weather the storm before moving on to another such assignment.<\/p>\n<h2 class=\"wp-block-heading\">Some CISOs can morph between types<\/h2>\n<p>Research shows that CISO positions have \u201cclear distinctions in terms of needed skill sets and experiences [which] really help shine a light on what [a company] wants in the role,\u201d says Forrester vice president, principal analyst, and report co-author Jeff Pollard.<\/p>\n<p>Pollard says these categories aren\u2019t necessarily rigid, as security execs often have traits from more than one. Moreover, he says they frequently morph between one dominate type to another as their positions evolve, their careers advance, and their personal requirements change.<\/p>\n<p>He cites the case of one CISO who had fallen into the transformational bucket throughout much of his career but later became a steady-state CISO for various reasons, including a personal desire to limit work-related travel.<\/p>\n<p>Others offer their own list of CISO identities.<\/p>\n<p>Jon France, CISO at ISC2, a nonprofit cybersecurity training and certification organization, is one, saying that \u201cthere are certainly different types of CISOs, just as there are different types of CEOs.\u201d He sees some who are more entrepreneurial and growth-oriented, generally leading them to work in startups and rapidly growing small companies.<\/p>\n<p>He describes others as steady-state CISOs, leading relatively mature security functions in organizations that have moderate levels of compliance needs. Still others he identifies as the \u201cright-of-the-bang\u201d CISO \u201cbrought in to fix something.\u201d<\/p>\n<p>He also talks about CISOs who are evangelists, \u201calways looking to the future,\u201d saying they\u2019re often in the consulting world, in emerging tech, and on the speaker circuit.<\/p>\n<p>France describes himself as partly a technologist type, having come up through the IT ranks, and as a visionary CISO, as he\u2019s expected to \u201chave a point of view of what, say, quantum will mean for our industry.\u201d<\/p>\n<h2 class=\"wp-block-heading\">As the needs of an enterprise vary, so must the CISO<\/h2>\n<p>When asked to consider his own type, Randy Gross, CISO at the nonprofit professional and IT certification association CompTIA comes up with \u201cpragmatic.\u201d \u201cMy job is to eliminate undue technology risk so [the business] can operate freely. I\u2019m crafting security solutions to allow the business to flourish,\u201d he explains.<\/p>\n<p>He also uses the term \u201ctechnical CISO,\u201d saying \u201cI have to know what the benefits are of different technologies we want to use.\u201d And he uses the label \u201cadvisory,\u201d noting that he must provide the business with \u201cHere\u2019s the risk, here\u2019s what I\u2019d recommend, here\u2019s how we can move forward.\u201d<\/p>\n<p>Furthermore, he notes his role\u2019s \u201ctransformative\u201d component, where he\u2019s moving the security department through crawl and walk to run mode.<\/p>\n<p>Gross says that his mix of CISO types reflects how the typical CISO role is constantly evolving and expanding. \u201cIt\u2019s rare to see a CISO just in one category,\u201d he adds.<\/p>\n<p>That said, Gross stresses that even though the demands on CISOs can vary, the position from one organization to the next has more in common than not. All CISOs, regardless of how they may be labeled, need to have roughly the same foundational business acumen and technical knowledge to succeed as security chief.<\/p>\n<p>\u201cThat is similar to the other executive roles,\u201d he says. \u201cIf you don\u2019t understand the business, its goals, and trajectories, as an executive you\u2019re going to fail.\u201d<\/p>\n<p>In fact, those commonalities among CISO positions have some pushing back on the idea of CISO types.<\/p>\n<p>Tyson Kopczynski, co-founder and CISO in Resident of the <a href=\"https:\/\/theciso.org\/\">Professional Association of CISOs<\/a> (PAC), is a skeptic on the issue.<\/p>\n<p>\u201cIt\u2019s our opinion that at the PAC that the role actually needs to be standardized. Not the highly fragmented mess we see now. Instead, a CISO would need to meet a certain bar to be accredited. This is very much like a doctor or lawyer. While there might be specializations (kind of like a patent attorney), all CISOs should have the same base skill set unlike what we see today,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">Matching CISO type to the role<\/h2>\n<p>Still, Pollard and others contend that there not only are CISO types but it\u2019s important for security chiefs to have a sense of which one they are.<\/p>\n<p>Pollard points to one security leader who is now a CISO at his fifth startup \u201cbecause he loves to build a program, he loves being around developers and solving problems. He knows he\u2019d be bored in other roles.\u201d<\/p>\n<p>He adds: \u201cIt\u2019s so important you know your type and the role you\u2019re going into is the thing you care about, it\u2019s what you\u2019re energized by.\u201d<\/p>\n<p>Longtime security leader Helen Patton shares similar views. \u201cCISOs are not one homogenous group. Within the title of \u2018CISO\u2019 there are many sub-types,\u201d she says in a post she <a href=\"https:\/\/www.linkedin.com\/posts\/helenpatton_cisos-are-not-one-homogenous-group-within-activity-7185636865390071809-oNbj?utm_source=share&amp;utm_medium=member_desktop&amp;rcm=ACoAAAAfcEQBko9hwIOSBwgg4GWgzM_oChJtPXs\">wrote on the topic<\/a>.<\/p>\n<p>Various factors influence what type of CISO a company may need, says Patton, a former CISO now working as a cybersecurity executive advisor at Cisco. A large, older company with a big, complicated tech stack will need someone with different skills, experience, and leadership qualities than a cloud-native startup that\u2019s rapidly growing and changing. A heavily regulated industry such as financial services, healthcare, or utilities needs someone steeped in how to navigate all the compliance requirements.<\/p>\n<p>Like others, she says the buckets are somewhat porous, allowing movement from one to another.<\/p>\n<p>Patton says she has moved from a traditional CISO role leading an enterprise security team to a role as a product CISO at Cisco with responsibility for the security in products, to now a field CISO, working with the company\u2019s sales organization to help its customers incorporate Cisco products into their technology stacks.<\/p>\n<h2 class=\"wp-block-heading\">How a CISO starts can guide their career path<\/h2>\n<p>The path professionals take to the CISO seat also influences what type or types of CISOs they tend to be, adds Matt Stamper, CEO, CISO, and executive advisor with Executive Advisors Group as well as a board member with the ISACA San Diego chapter.<\/p>\n<p>Different career paths forge different types of executives, he says. Those who advanced through technical roles typically retain a technology bent, while those who came up through governance and risk functions usually gravitate toward compliance-focused roles.<\/p>\n<p>All that said, Stamper, Patton, and others acknowledge that most CISOs don\u2019t readily label themselves. They\u2019re not identifying themselves as one type of CISO or another.<\/p>\n<p>Nor must they.<\/p>\n<p>Yet at the same time they say it\u2019s important for security professionals \u2014 like leaders in any other role \u2014 to think about their strengths, talents, and the like so they understand which roles best match what they offer.<\/p>\n<p>\u201cCISOs should and tend to lean into where they\u2019re gifted,\u201d says Jenai Marinkovic, vCISO and CTO with Tiro Security and a member of the Emerging Trends Working Group with the IT governance association ISACA.<\/p>\n<p>Marinkovic believes her \u201cgift is more in strategy infrastructure and understanding where the future is going to go, where the business is going to go, and then determining where the architecture needs to go.\u201d<\/p>\n<p>Like Gerchow, Steven Martano,<a href=\"https:\/\/silverjacket.mxspruce.com\/60da58dd67b70018824684dd\/l\/XGdefoU9u8lbpUyRb?rn=&amp;re=iQXZu5Cd0FmcwtWeyFWbARHdhJHcrlnch1mI&amp;sc=false\"><\/a> IANS faculty and a partner in the cybersecurity practice at Artico Search, has seen what happens when a CISO and a role are mismatched. He cites the case of one company with a tactical, steady-state CISO that saw itself get outpaced by competitors with agile security programs led by transformational-type CISOs.<\/p>\n<p>\u201cThat\u2019s why it\u2019s important for companies and CISOs to be honest with themselves of where they fit in with these roles,\u201d Martano says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>When executives at a startup asked security leader George Gerchow to advise them on selecting a CISO, Gerchow recommended finding a security chief who had the skills to scale a security program, handle an incident, and engage with customers. The company instead hired a highly technical CISO, one who worked like the hands-on architect Gerchow [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2056,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2066","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2066"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2066"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2066\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2056"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2066"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2066"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2066"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}