CISO Role <> Evolution Map
CISO is one leadership role, which has gone through more changes on competence, skills and maturity curve than any other leadership role in enterprises.
The "Needs & Expectations" from a CISO have changed almost every two years during the last one decade. That is a rate of upgrade, which beats down even the smart phone market. It is a tough and arduous road for people, who are either in role or aspiring to get onto that road.
Combine this with another fact of businesses across industry sectors. Companies in most of the industry sectors, started becoming serious to CISO and equivalent positions only during the last decade. This change in companies stance to CISO role, came into a reality only after, treating cyber security only as compliance devil for more than two decades.
That meant, organizations pushed mid level management, into CISO roles, because of two factors, one lack of requisite budgets and two lack of real significance placed on role. This led to a situation, where quite many CISOs didn't have the time and opportunity, to gather right exposure, at strategic level. And, still had to fill in positions which demanded strategic capabilities combined with complex operational capabilities, in tough, challenging & risky circumstances.
The Origin of the Role
When one looks at the origin of Cyber Security function in companies, and, what all it was expected to accomplish and deliver, in early days, that explains the limitations and also the stance of many of the CISOs, even today.
Cyber Security started out mostly as a hygiene factor, and, then grew further through a push by standards bodies, governmental requirements, into compliance activities. For a long time security remained focused on hygiene modeled security operational activities.
An Evolution Framework for CISO Role
Here is a reference framework for CISO role evolution !
This is a typical journey of CISO role in most of the companies, as it evolves from being a role to ensure certain hygiene factors of security to a strategic enabler.
First Generation - "The Checklisters"
Our first generation CISOs mostly came with both the background and mindset of preparing, maintaining & updating docs which were around hygiene and best practices, as mandated by external bodies, communities & regulation authorities.
This generation was mostly focused on repeated attempts at creating processes for checks & controls of the configurations, security processes, and, documentations as mandated by their industry, industry associations, and, compliance frameworks. This generation of CISOs did a good job, till CySec needed activities which were limited to secure configurations, host and, network hardening and backups.
Over a period of time some of people (CISOs) who were indoctrinated into cyber security, with dimension of "Checklists", found a new reality, which they had to to deal with as part of their role. This realist was need of latest security products and technologies which were needed to be acquired, to bolster org's capabilities beyond hygiene factor modeled security.
First Generation Quadrant Placement
This generation CISOs will have most of their focus on risk management, mostly from audit & compliance point of view. While these CISOs will have lesser or lower focus on threats & a security approach modeled around threat landscape, their org's will also be on lower side, on "Respond Capability" in the face of a real threat, which has knocked at their door.
Most of first gen CISOs, will have their team cultures built around, "demands of auditors".
Transition into Protective Stance
One of the first set of security technologies, which got beyond host access & network access controls and basic monitoring, were mandated by need of a protective stance taken by orgs.
A multitude of products which worked on the premise of blocking threat/bad actors & traffic came into being, and, changed the world of CISOs.
Second Generation - "Lock and Latch"
A generation of CISOs grew in an environment, which focused on acquiring products, which can protect servers/hosts, data, & network perimeter with a range of incremental protective measures using restrictive models.
This generation suddenly found marginal availability of budgets, which company board was willing to spare, if the products were suggested by CISO , and, they gave a comfort factor to board. Second generation of CISOs were mostly product buyers, who would be spending a lot of time, evaluating technologies, mostly around protection, to lock and latch their assets from the prying eyes.
Second Generation Quadrant Placement
This generation will largely be product buyers and mostly for protection. This will have low focus on risk management & this generation will also be low on threat understanding. Since their attention is on acquiring technologies, which promise to protect.
Protection is "Not Enough"
Next major transition in world of Cyber Security was introduced, when continuous and innovative evolution of threats & communities made it apparent, that best of the protection will not stand a change, in the face of a committed adversary. People realized that, their security has to go beyond protecting digital assets, through blocking, limiting access & simple signature based security measures.
Third Generation - "Detection & Response"
This generation shaped up, when locking and protecting the assets was not good enough and identifying, what is happening in an enterprise setup, taking measures to detect the potential adversary, and, stopping them in their tracks became critical.
A host of new models of security were developed around detection capabilities & then equal amount of technologies and tools were adopted for the same.
For further progression, to deal with next gen threat landscape, CISOs needed to transition from their tools buying mindset to "Real Time Detection Program" based security.
Third Generation Quadrant Placement
This generation, will be mostly working on real time detection, and, hence will have both operational focus and technology focus on being proactive.
This generation CISO will be high on both threat focus and threat understanding. They will also be high on response capabilities. Though, even here, overall defense capability will not be very high.
Threats Evolve Everyday, So Should Security
Another major shift in industry, was caused by realizations that, stopping threats in tracks, using advanced detection models & response mechanisms was not good enough.
Cyber Security needed to be more real time than tracking who already has and/or is trying to barge in. Intelligence and dynamic capabilities were two pivots, which defined this new era of security.
Fourth Generation - "Predictive and Preemptive"
CISOs faced a need to shift their entire thought model & corresponding strategy and tactical measures.
- Hiring skilled people on technologies and products was not good enough
- Operating best of the protection technologies and detection frameworks was not enough for organizations to maintain their security posture
- CISOs needed to think beyond "Truths" from their internal apparatus and internal data
This led to an army of tools, frameworks & programs, which focused on threat intel & cyber security competence as primary levers to move beyond detection, and, be preemptive.
Fourth Generation Quadrant Placement
This generation CISO will have high focus on threats being detected in real time, through set of intelligence consumption by their security apparatus & framework. It will also have focus on
- Real time response capabilities
- High on defense capabilities (through intelligence and proactive frameworks)
- and will also be in a position to redefine risk framework of the company
This generation CISOs is difficult to groom and even more difficult to find !
Generational Mismatch
Quite a many times, CISOs or people who have been on that path, have found themselves, in a generational gap, of both skills and mindset.
We still see, first gen CISO, struggling with fourth gen requirements in many enterprise. Or, sometimes even worst, first gen CISO struggling within a fourth gen organization. This gen mismatch is because of rooted beliefs in what works and/or what great security is.
We find that, a first gen CISO is still mostly centered around "Checklist", while, second or third generation related concerns have been delegated to layer/s below.
This generational mismatch is quite simply a misfit of the person into a role.
Lack of Skills Upgrade
Some CISOs or people on that path, have made the shift, at least in their heads.
But their respective organizations have been shy of investing in their capabilities, to support and supplement their mindset shifts, with new gen models & even more, new gen operating frameworks. Lack of attention and lack of budgets to enhance the skills of CISOs across the sectors, has been a major reason, for CISOs inability to transition org's security stance, and, also transition their own perspective.
The quadrant model at the top of this article is a simple but effective tool to assess, which generation a CISO belongs to & what could be an evolution path for one, who is not yet in fourth quadrant.
In today's threat landscape, every CISO needs to be in the fourth quadrant.
Without a measured look at, where a CISO is, and, what are the gaps, boards will not really do the justice to demands of cyber security of, today.
It does not have to be a linear progression, from one quadrant to another one. An org and a CISO can make a road-map to transition an org, and, himself, from second quadrant to fourth quadrant. But, that can be done only when 3 critical things are in place ...
- Realization of current state and need of transition
- Organizational and board buy-in for such transformative leap
- Resolve to work hard, and, will to deal with rapid skill/expectation changes
What will be a disaster, in coming days, is a first gen CISO operating, in a second gen setup & perpetuating third gen thoughts/models, while employees reading, aspiring and expecting, fourth gen CISO !
INSEAD | IIT | CISO | Business transformation | Operations | Strategy
4yRajeev Shukla If the CISOs do not have a business understanding and do not collaborate with the commercial side of an organization it does not matter in which quadrant they are placed. They will be "unsuccessful" sooner or later as no amount of tech adoption or defense mechanisms are implemented they will still hinder (in most cases unknowingly due to lack of knowledge) the business. This also goes the other way around if the Management thinks of them just as a support group instead of collaborators.