Organizations around the world are in a struggle for survival, racing to transform themselves in a herculean effort to adapt to the digital age, all while protecting themselves from headline-grabbing cybersecurity threats. As organizations succeed or fail, the centrality and importance of cybersecurity and the role of the CISO, the Chief Information Security Officer, become ever more apparent. It is becoming clear that the CISO, which began as a largely technical role, has become a nuanced, strategic, cross-functional leadership position. Fight Fire with Fire: Proactive Cybersecurity Strategies for Today's Leaders explores the evolution of the CISO's responsibilities and delivers a blueprint to effectively improve cybersecurity across an organization.

Fight Fire with Fire draws on the deep experience of its many all-star contributors. For example:

* Learn how to talk effectively with the Board from engineer-turned-executive Marianne Bailey, a top spokesperson well-known for global leadership in cyber
* Discover how to manage complex cyber supply chain risk with Terry Roberts, who addresses this complex area using cutting-edge technology and emerging standards
* Tame the exploding IoT threat landscape with Sonia Arista, a CISO with decades of experience across sectors, including healthcare, where edge devices monitor vital signs and robots perform surgery

These are just a few of the global trailblazers in cybersecurity who have banded together to equip today's leaders to protect their enterprises and inspire tomorrow's leaders to join them. With fires blazing on the horizon, there is no time for a seminar or boot camp. Cyber leaders need information at their fingertips. Readers will find insight on how to close the diversity and skills gap and become well-versed in modern cyber threats, including attacks coming from organized crime and nation-states.
This book highlights a three-pronged approach that encompasses people, process, and technology to empower everyone to protect their organization. From effective risk management to supply chain security and communicating with the board, Fight Fire with Fire presents discussions from industry leaders that cover every critical competency in information security. Perfect for IT and information security professionals seeking perspectives and insights they can't find in certification exams or standard textbooks, Fight Fire with Fire is an indispensable resource for everyone hoping to improve their understanding of the realities of modern cybersecurity through the eyes of today's top security leaders.
Page count: 311
Year of publication: 2021
Cover
Title Page
Copyright
Dedication
About the Author
Acknowledgments
Contributors
Introduction
How Can We Be Effective CISOs?
Who This Book Is For
Note
PART ONE: People
How the CISO Role Is Evolving
Getting the Board on Board
Building a Culture of Security
Mitigating Today’s Threats
Addressing the Skills and Diversity Gaps
Notes
1 From Technologist to Strategist
A Path to CISO
Responsibilities of a CISO
CISO Archetypes
Evolution of the CISO Role
Technical Strengths Versus Security Officer Strengths
Notes
2 Communicating with the Board
The Board
Speak Their Language
Preparing for the Board Meeting
Keep It Direct, Crisp, and Simple
Working Directly for the Board: The Ultimate Case Study
The Power of One-on-One Meetings
Get to Know Your Board
3 Building a Culture of Security
The Building Blocks of the Journey
Program and Cultural Foundation
Program Build and Cultural Engagement
Target Maturity and Cultural Enlightenment
Reaching Trusted Advisor
Conclusion
Notes
4 Who Is Behind the Evolving Threat Landscape?
Cyberattacks: Who Is Behind External Threats?
Key Tactics
The Insider Threat
Conclusion
Notes
5 Addressing the Skills and Diversity Gap
Assessing the Skills Gap
Assessing the Diversity Gap
The Power of Diverse Teams
Bridging the Skills and Diversity Gaps
Advice for Those Starting a Career in Cybersecurity
To Move Up, Think Outside the Box
Conclusion
Notes
PART TWO: Process
Processes Bridge How People Use Technology
Cyber Risk Management
Blending NOC and SOC
Secure Application Development
Compliance
Supply Chain Risk
Note
6 Effective Cyber Risk Management Requires Broad Collaboration
Understanding Your Organization's Risk Appetite
Measuring Actual Risk Against Risk Appetite
How to Engage in Governance and Oversight of Cyber Risk
Thinking Strategically About Potential Risks
Reducing Risk by Sharing Information
Reducing Risk Through Cyber Insurance
In Closing
Notes
7 Blending NOC and SOC
The Vision
The Danger of Blending Superficially or Too Quickly
NOC and SOC Focus on Different Issues
Approaches to Blending NOC and SOC
Breaking Down Silos to Build Teams
Working with Executive Leadership
Processes for Integrating the NOC and SOC
Technology for Improved Incident Response
A Smooth but Slow Transition
8 Security by Design
What Is Secure Development? What Does It Encompass?
Skipping Ahead to Process and Technology—Wait, What?
People
Conclusion
Notes
9 From Enforcer to Strategic Partner
Information Governance Council: Oversight That Works
Automating Compliance
Delivering Value in a Changing Environment
Notes
10 Don't Let Cyber Supply Chain Security Be Your Weakest Link
What Does C-SCRM Encompass?
The Ultimate Moving Target
The Expansion of Software-Based Functionality
People: It Takes a Village
Process: It Takes a Framework
Technology: It Takes Automation
Features to Look for in a Modern C-SCRM Solution
Change Management: It Comes Back to the Village
Conclusion
Notes
PART THREE: Technology
Security in the Cloud
IoT and Edge Security
Security-Driven Networking
Achieving End-to-End Security
11 Cybersecurity in the Cloud
Complexity, Meet Vulnerability
More (Vendors & Connectivity) But Not Merrier
More Risk, Same Budget
Who Is Ultimately Responsible?
12 The Convergence of Cyber and Physical
Expanding IoT Leads to Expanding Risks
Moving Toward Solutions: Taking Stock
Conclusion
Notes
13 Security-Driven Networking
The Cloud Has Changed Everything About Security
Last-Generation Security Solutions Are Inadequate
How Security Products Should Adapt
Future-Proofing: How CISOs Should Adapt
Protecting Data: What, Where, Who, and How
Steps to Security-Driven Networking
What Does the Best Security-Driven Network Look Like?
14 Achieving End-to-End Security
Yesterday's Solutions Don't Solve Today's Problems
Unified Threat Intelligence
Integrated Security Platforms Enable and Protect Digital Innovation
AI-Driven Security Operations
Adaptive Cloud Security
Conclusion
Glossary
Resources We Rely On
Relevant Sites for CISOs
Stay Informed of the Latest Threats
Communicate Effectively with the Business
Share Data from Annual Breach and Threat Reports
Risk and Compliance
Conferences to Attend
Increase Diversity and Inclusion
Training and Certifications
Promote Security Awareness
Cloud Security
Secure Development
IoT Security
Industry-Specific Resources
Fill the Future Skills Pipeline
Index
End User License Agreement
Chapter 3
Figure 3-1. The evolution of a culture of security awareness
Chapter 6
Figure 6-1. An organization chart for risk management
Chapter 10
Figure 10-1. Levels in CMMC offer an incremental approach to compliance
Figure 10-2. Cybersecurity domains and their abbreviations
RENEE TARUN
Deputy CISO, Fortinet
Copyright © 2022 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey
Published simultaneously in Canada.
ISBN: 978-1-119-85426-5 (hardcover), 978-1-119-85427-2 (ebook), 978-1-119-85433-3 (ebook)
Library of Congress Control Number: 2021943299
Illustrations: Chloe Mosbacher
Cover Image: © Adobe Stock/knssr
Cover Design: Wiley
To my family, Brett, Ryan, and Rebecca, for their continuous support and inspiration.
—Renee Tarun, Deputy CISO, Fortinet
Renee Tarun is the deputy CISO at Fortinet. She has over twenty-five years of experience in information technology and cyber within the US Intelligence Community, Department of Defense, and law enforcement as well as private-sector entities around the world.
Renee has focused on enterprise security, compliance and governance, and product security at Fortinet. Prior to joining Fortinet, she served as Special Assistant to the Director of the National Security Agency (NSA) for Cyber and as Director of NSA’s Cyber Task Force, where she shaped agency strategy as well as national cyber policy for the White House.
In addition, Renee served in many other roles concentrating on development and engineering, cyber strategy, operations, resourcing, and relationship management for the NSA, the Department of Defense, and the US Secret Service.
Renee is a board member for the George Mason University Volgenau School of Engineering and is co-author of Cyber Safe, a book aimed at keeping children safe online.
This book has been a collaborative team effort involving many diverse cyber leaders and experts from across government and the private sector. It would not have been possible without their insightful contributions and thought leadership. Their dedication and energy continue to push boundaries and make our cyber world safer and more secure.
I would like to thank the entire Fortinet team for supporting me in the creation of this book, and for providing me with the opportunity to share insight and knowledge that will help guide technology leaders around the world.
Sonia E. Arista
Marianne Bailey
Fatima Boolani
Beth-Anne Bygum
Laura Deaner
Lisa Donnan
Suzanne Hartin
Susan Koski
Jenny Menna
Mel T. Migriño
Sanju Misra
Terry Roberts
Maria S. Thompson
Anne Marie Zettlemoyer
RENEE TARUN
Digital transformation and the ever-changing threat landscape have significantly altered the role of chief information security officers (CISOs) and security decision-makers.
Traditional CISO responsibilities such as patch management and incident response are as critical as ever, but today's CISOs must also concern themselves with supply chain risks, myriad privacy regulations, and 5G. In addition to fighting traditional and emerging threats, CISOs also face the stress of the skills gap: not having enough people to do the job.
These challenges interwoven with network security are forcing CISOs to take a more holistic approach to balancing risk, security, and strategic business enablement.
Technology is not the only approach to solving the quagmire of security challenges we face. Security leaders must address people, processes, and technology, synthesizing them to create security solutions that manage risk while advancing business objectives at the speed of today's economy.
As CISOs, we must become fluent in the language of the business. We must influence others to change their mindsets, habits, and approaches to technology and behave in ways that maintain security. We need a cultural shift that enables everyone to adopt effective, ongoing processes to keep our organizations safe. Security must be embedded into vendor selection, employee onboarding, and product development. Security awareness training must be continuous to match the cadence of the threats we face.
We need security leaders who understand the value of the latest technology, but even more importantly who have the skills to develop relationships that bring people together and the discipline to create repeatable processes.
Today's security leaders face considerable stress. The CISO role has a high turnover rate, with an average tenure of just twenty-six months. Fundamental changes are needed to empower us to lead effectively, attain a better work-life balance, and manage the inevitable stress of our roles. The answer is not working longer hours; 95% of CISOs are working an average of ten hours more a week than their contracts stipulate.1
We need shortcuts to success, like learning from mentors and peers. The challenge, of course, is finding the time for that learning. That's why my colleagues and I wrote this book: to share our knowledge and, more importantly, our experience, something that you will not find in a textbook or on a certification exam. We have come together to share our perspectives as security leaders from across industries and sectors, offering our best thinking as well as sharing important lessons learned. Harnessing this insight and utilizing the strategies in this book can help leaders and organizations improve their culture and security posture.
With the ongoing evolution in security challenges and the pressing need for a cultural shift, this book identifies steps that we as leaders need to be thinking about. This book is for anyone working in cybersecurity and IT leadership who seeks a better grasp of the continually changing nature of security threats and who is interested in effective approaches to address them.
We also hope this book will inspire a more diverse group of people to consider a career in cybersecurity leadership. As we discuss in Chapter 5, there are both a skills gap and a diversity gap to fill in the world of cybersecurity.
By the time you finish this book, you will be evolving into a next-generation CISO. You will better understand how to adopt best practices and processes to encourage your people to make effective, safe use of technology. You will know how to serve as a business strategist, helping your organization reframe security as a business enabler. You will also learn how to improve security 24/7, up and down your supply chain, from the edge to the cloud, and from frontline workers up to your board. Finally, you will gain strategies to attract and promote the next generation of diverse talent.
Let's get started.
1. https://nominetcyber.com/nominet-ciso-stress-report-one-year-on/
Cybersecurity is no longer only the domain of IT and security teams. From the loading dock to the C-suite, everyone must be security minded.
Within your organization, a well-trained staff can be your best line of cyber defense. But people can also be your worst enemies. You can buy top-of-the-line security technology and implement best practices, but if your people won’t follow good security practices and policies or use that technology properly, your organization remains at risk. You must also get buy-in from your board of directors to create a culture of security.
What’s the most important skill set for being a CISO? Current knowledge of the latest threats? Deep understanding of cybersecurity technology to mitigate security risks? Familiarity with the latest tools, tactics, procedures, and activities of well-funded hacking collectives?
Tech knowledge is not the most important characteristic of a CISO today.
Increasingly, CISOs are being elevated to the C-suite and becoming trusted business advisors. This requires soft skills, with the ability to communicate in terms that everyone understands. The CISO must be a business enabler and a strategic advisor who explains risk in business terms. Chapter 1 discusses the evolution of this critical role so you can focus your efforts on becoming a strong security leader.
Corporate boards are becoming more focused on cybersecurity than they have been in the past. Board members are beginning to understand that a security threat is not just a problem for the security team but a risk to the entire business.
Inadequate cybersecurity can expose employee and client data and put your organization at risk of failing to comply with privacy regulations. Weak security can also expose proprietary business information. In factories, weak cybersecurity can lead to injuries and even deaths. Poor cybersecurity can lead to lost revenue, lost reputation, lawsuits, and fines. When a breach happens in an organization, the fallout impacts revenue, operations, shareholders, and the entire business.
Increasingly, CISOs are requested to brief board members and answer questions regarding cybersecurity. If CISOs are fortunate, cybersecurity even helps drive board-level business decisions.
When speaking to the board, CISOs must learn to transition from tech talk to business strategy and risk and from troubleshooting tactical problems to looking at the big picture. Your team has to give board members the information they need to make decisions about cybersecurity and drive company direction, framed in a business context. So what should you know about speaking to the board? Chapter 2 covers this important topic.
Security is not a separate aspect of your business. As we’ll see, security must be thought of and included in every process. Humans can often be the weakest link in cyber defenses. They usually want to do the right thing, but they need to fully understand their responsibilities with regard to cybersecurity.
A comprehensive all-in approach to security is needed across the business to drive security into your organizational DNA. It starts with the board but should also incorporate key ambassadors across business units to create a culture of security. These ambassadors bring specificity to the culture as it applies to each business area, offering examples for following good practices and policies.
Although security is a serious issue, security training doesn’t have to be. Look to utilize initiatives that are fun and interactive to engage the workforce: think gamification. Rather than an annual approach to security training, awareness should be continuous throughout the year.
As more people work remotely, the need is growing for cybersecurity training that addresses multiple work environments. Employees need security awareness training to address a number of potential issues that arise both in traditional office environments as well as in home offices.
Building a strong security culture has a lasting impact on your organization. But your security culture must not stop with your internal processes; it should permeate your dealings with customers and business partners. It should be built into the products, services, and solutions that you provide to others.
How can you promote a culture where cybersecurity becomes everyone’s responsibility? Chapter 3 offers strategies for building a culture of security, a culture that will be strengthened by processes in Part II and technology in Part III.
Today’s threats have greatly evolved, and the nature of the adversary has evolved as well. Lone hackers, hackers for hire, and small collectives still exist, their numbers growing as online materials enable almost anyone to become a hacker. Exploits are bought and sold as a commodity on the dark web and are readily available to any of these adversaries. Today, however, these attackers are joined by well-funded adversaries from organized crime rings around the world as well as government-supported hacking groups from particular nation-states.
Your security posture must be strong enough to prevent a wide variety of outsiders from gaining access to your private and proprietary data, your processes, and your machines.
Unfortunately not all of your malicious adversaries are outside your enterprise. Sadly, some threat actors have inside access to your systems, including disgruntled or unethical current and former employees misusing access and data for personal gain or simply to cause trouble. Other potential insider threats include suppliers, partners, board members, and anyone else who has access to your systems and data.
There are other internal threats. We call them accidental insiders. You might call them humans. Accidental insiders expose the organization unintentionally because they are untrained, overworked, or unmotivated. These folks become threats when they respond to phishing attempts, use weak or default passwords, share passwords, leave devices unpatched or unlocked, and work over unsecured Wi-Fi networks.
Your organization is up against well-funded adversaries as well as people who might just press the wrong key. You’ll learn about the many players behind today’s evolving threats in Chapter 4.
The gap between the number of cybersecurity workers we have and the number we need is widening. As of 2021, more than 3 million cybersecurity workers are needed globally, according to the (ISC)2 Cybersecurity Workforce Study.1 More than 65% of all organizations struggle to recruit, hire, and retain cybersecurity talent, according to a Fortinet report, “CISO Ascends from Technologist to Strategic Business Enabler,” which explores the skills gap.2
Addressing this gap requires a multi-pronged approach. Security knowledge needs to be more widely disseminated across the organization. Security and IT should be integrated, with cross-training between IT and security personnel. IT should also not be the only recruitment area for the security team: look across business units to identify potential candidates who bring experience of all types, from risk to finance to customer care, to build out the security workforce.
To close the skills gap, we need to create a culture where people want to engage in the security business. To make the field more attractive, from frontline security workers to leaders, we need to increase the visibility and influence of the CISO. The CISO needs to be considered an integral part of the C-suite and central to business success, not a cyber janitor who cleans up problems or takes the fall when a breach happens.
Although technical skills remain important, soft skills such as leadership, communications, planning, risk management, and strategy are just as vital. Such skills are especially critical for those in the CISO role who are leading security teams and communicating with the board.
We also need to make the field more diverse by recruiting more women as well as people of all backgrounds including race, ethnicity, orientation, and disability status. Further, we need to expand hiring efforts to recruit veterans, whose backgrounds position them as valued and committed employees.
Women are finally making some inroads in cybersecurity. In 2013, women held 11% of cybersecurity jobs; now women make up 24% of the cybersecurity workforce. While this improvement is positive news, more progress needs to be made, particularly since women make up half of the entire workforce.
Closing the diversity gap is not just a feel-good measure. Closing the diversity gap drives business success and change. To lower cyber risk, we need to lower the level of groupthink. Teams with diverse backgrounds and experiences can uncover new, creative solutions to problems. Women bring unique traits to leadership, problem-solving, and security. For example, female CISOs scored higher than their male counterparts in critical soft skills, including 46% higher in leadership and 150% higher in analytical skills.3 These are important traits as we work to ensure that people and processes make effective, safe use of technology.
Finally, we need to generate excitement within the security field by creating programs that effectively promote the security field including mentoring, internships, and engagement with schools from college down to K–12.
CISOs can’t lead without a knowledgeable staff. Chapter 5 outlines the extent of the skills and diversity gaps. It gives you strategies for attracting the resources you need, including ways to upskill people in your organization who, after all, already know your business.
Since this is the people section of this book, let’s start with you, and equip you with context about what it means to be a CISO in the face of today’s threats.
1. https://www.isc2.org/Research/Workforce-Study
2. https://www.fortinet.com/resources-campaign/ciso/the-ciso-ascends-from-technologist-to-strategic-business-enabler-2
3. https://www.fortinet.com/resources-campaign/ciso/the-ciso-ascends-from-technologist-to-strategic-business-enabler-2
SANJU MISRA
I am glad that this book is broken into three sections: people, process, and technology. There is so much we need to do in each area to have a successful information security program. I hope to engage you to reflect on your career in information security.
In this chapter, I will share my experience and observations on making the leap from technologist to CISO. This evolution wasn't easy at times, and I often met with challenges, but it has also been very rewarding.
The CISO is a trusted strategist who has a seat at the table, both internally, speaking to business leaders about risk and what keeps them up at night, as well as externally, speaking to the board of directors.
In these contexts, it's not important that you display your technical acumen. It is assumed you have weighed the technical considerations as part of your viewpoint. Rather, your ability to transcend technical explanations and frame issues in terms of business risk is what allows you to be heard, to be understood, and to be successful in protecting the enterprise at a level appropriate for the risk tolerance of the company.
If you asked a hundred information security and risk leaders how they got involved in the field, I'm sure you'd hear some interesting stories.
I never thought about an information security career early on. I was a biology major with an interest in what computers could do for the field, but not in programming. I helped fellow students with their essays and term papers by typing up their final presentations … yup, on a trusty Smith-Corona.
A friend suggested I use the computer lab and try WordPerfect as a word processor to complete the final. Boy, it sure was easier to make updates and changes to documents compared to the typewriter.
When there was an opening to work part-time in the computer lab, I took it. The job made me learn more about how computers work by troubleshooting student questions about printing, using spreadsheets, and saving documents.
It wasn't until I had spent ten years after college at various IT jobs—including administering databases, providing end-user services, pulling network cables, upgrading and rebuilding PCs, and simple scripting—that I took my first role in information security.
I found out about a security engineer role when a large health insurer was looking to build out their consumer internet presence. A friend said I should meet the CISO and apply.
Eight years later, I left that company to take on the security leader role for the world's largest corporate treasury department in a Fortune 100 company.
Another eight years later (do you see a pattern to my tenure?), a recruiter from a large industrial gas company was looking for their first CISO after elevating the role internally. I had been with the company for six years before we merged with another large industrial gas company.
Okay, enough about my career path—let's talk about what CISOs do1 in general terms. Our role shapes how we approach technical problems, our analytical skills, and the lens we use to view the cybersecurity world.
Almost a quarter of CISOs come from an IT background, with 56% having a Bachelor of Science degree. Of those who secured a graduate degree, 18% studied for an MBA. Top CISOs interviewed have stated the two most critical skill sets are information security and leadership. The backgrounds of the sixty-five (only 13%!) female CISOs2 within the Fortune 500 are similar. They come from the same backgrounds and typically have spent more years in the same industry than their male counterparts. (See Chapter 5 for more information on the skills and diversity gap.)
While many join the information security field from IT, others come from audit, legal, risk, engineering, or business functions. Each area brings a valuable view to the risk picture. No matter which of these areas you come from, as long as you don't make decisions based entirely on your own experience, you will bring a more holistic view about what to prioritize. Stereotypically, a background in audit focuses on previous audit findings and compliance, whereas the business function may view security from a business enabler or cost avoidance perspective. All of these views are important to consider as you develop your security risk program.
There is an expectation that CISOs and their leadership teams have a wide range of IT experience to understand and speak the lingo with IT employees and make informed decisions. Having deep knowledge about information security alone is not enough to be a CISO. Strong leadership and communication skills are even more valuable. You must understand the organization's vision and strategy and create a security risk program aligned with business strategy. You will be expected to drive appropriate measures to ensure that information assets and technologies are safeguarded appropriately, depending on the type of data and exposure the system has. Resiliency is essential to discuss when creating a security program because inevitably incidents will happen and affect the business. Successful leaders help their businesses recover with limited business impact.
The other day I was texting with a few CISO colleagues, and we started a video call, a scenario all too familiar in the days of the 2020 pandemic. We were talking about the fact that although there are many different personalities in our field, they are all able to succeed.
CISOs tend to fall into one of three buckets or archetypes, according to SecurityRoundtable.org:3
The techie turned executive
The enterprise security risk-focused thinker
The “connect the dots” leader
So which one is the “correct” archetype? Actually, it doesn't matter whether you're a techie, a risk-focused thinker, or a politically and threat-savvy “connect the dots” leader. The fit of the particular archetype to the organization determines whether the company, the security organization, and, by extension, the CISO are successful. Each archetype brings their own strengths and approach.
The techie turned executive tends to work with or for the CIO, as more than half of all CISOs do today. A techie's strength is the ability to understand the technology and how it can best help reduce risk. The techie turned executive needs to broaden their approach and look beyond technology when working with business leaders to articulate risk.
The second archetype, the risk-focused thinker, aligns information security with business strategy. This leader understands the big picture and the business, as well as its risks. Because of the business and risk focus, these CISOs are increasingly reporting to the chief risk officer (CRO). According to consulting firm Korn Ferry, this shift is marked in the financial services sector because of increasing regulatory requirements around data privacy.4
The last archetype often comes from a government background and takes in the latest threats and geopolitical trends. Because of their experience and connections, they have a very broad view informed by the latest threats — as well as the threat actors behind them. Financial services and healthcare organizations are hiring more of these CISOs; in addition to their strong security background, they are savvy about regulatory issues.
What makes the archetype fit so challenging is that companies often don't know what they want from their CISOs, and CISOs aren't always clear about the kind of leaders they want to be. Because CISO responsibilities and concerns aren't the same from company to company and industry to industry, there is room to shape the role to best fit the strategic focus of the business. As a result, companies often look to the CISO to help define the role5 as well as their security posture and program.
An incompatibility between cybersecurity executives and their organizations leads to burnout and contributes to high CISO turnover. According to research from the Enterprise Strategy Group, the average CISO lasts just two to four years.6 If there's a mismatch, you'll see unhappy and unmotivated leaders who are prone to leaving the company sooner.
When a business is unsure of what they need, they may find out their current or recruited CISO is not a good fit for the company culture and risk profile. This scenario becomes crystal clear as you review CISO job descriptions. Such job descriptions often include technical duties like “create firewall rules,” governance-focused elements like “create and maintain KPIs,” and everything in between. CISO job descriptions are very different across industries as well as across organizations of different sizes and maturity levels.
There are some important red flags to look out for when you're looking at a new role, according to CSO Online.7
For example, think hard before taking a role as a company's first CISO. Many first-time CISOs last only one year because the C-suite expects too much too soon, no matter how long the organization (and its infrastructure) has been around.
At the same time, as a new CISO, you might expect to have a healthy budget to work with, but the C-suite might not be ready to invest what you think they need to in order to address pre-existing issues. Anticipate possible conflicts around how secure you think the organization should be versus what the organization is willing to spend (see Chapter 6 to learn more about determining and framing issues relative to your organization's risk appetite).
On the positive side, being a company's first CISO can allow you to take the initiative and develop and influence the security risk program for an organization with the proper support. It could be the best role you've ever taken in your career!
The reporting structure is another issue. Today most CISOs report to the CIO, but not every CIO is a strong leader. If a CISO reports to a CIO who is not a strong leader, the CIO may look for an excuse to replace the CISO. If you see this dynamic, it could be time to look for another job or at least consider ways to strengthen your partnership with the CIO gradually.
Look out for organizations that want a CISO mainly for window-dressing. These companies want a CISO to assure the board and their customers that all is well with their data and compliance. In fact, they aren't willing to make necessary changes. These companies can't keep a CISO around, so you'll see many job openings at these organizations. Their CISOs leave out of sheer frustration. They often feel they are just checking the box on compliance requirements, and their ideas for a strong cybersecurity program are always stalled because the budget or resources are never available. In such roles, you will never be running a sound cybersecurity program.
Rock-star CISOs are a tough act to follow because the organization really wanted to keep their existing CISO. Expect comparisons with the previous CISO. This can be very frustrating, because every CISO has a unique brand and identity—yet their identity may never be recognized because of constant comparison with the prior CISO.
If you decide to take such a role, keep the prior CISO's programs in place. Over time, you can slowly modify and change the cybersecurity program by bringing your own personality and security philosophy to the enterprise.
As mentioned, the majority of CISOs report to the CIO. Forming a strong, collaborative relationship with the CIO, whether you're a subordinate of the CIO or outside IT in the risk, legal, or audit group, is key. I'll be bold and say you won't be successful if you can't influence the IT function. Without sincere respect and alignment between the CIO and the CISO, organizations may devolve into a tech turf war that creates roadblocks to success.
With the increasing demand to embed security into all digital transformation processes and a move to more decentralized structures and business unit autonomy, the information security function is evolving to meet shifts in the business climate.
