Ah, CISOs. Such magnificent and noble creatures. There’s such a wide variety in the wild that you might have a hard time believing they are all part of the same species. Let’s take a short field expedition to familiarize ourselves with a few common varieties. And wipe all that sunscreen off your face, you won’t need that where we’re going!
Shhh! Approach this one very carefully, we don’t want him to see us. This is a “Pontifisaurus,” and we want to avoid being cornered by him and subjected to an endless stream of anecdotes or a rehashed version of the outdated slide presentation he’s been using for 25 years. The Pontifisaurus probably knew his stuff at one time, and may still know quite a bit, but now he’s too busy writing blogs, giving presentations, and the like. Often, Pontifisauri were head of something security-related at some massive corporation or a branch of the military 10 or 30 years ago and had a team of direct reports who did all the actual work. The Pontifisaurus looks great on the Leadership page of the website, but small start-ups who hire one are often disappointed. You won’t find him doing the actual work of implementing a security program—it’s hard work and doesn’t net nearly enough frequent flyer points. All CISOs who stay in the job long enough and manage to retain some sanity end up becoming Pontifisauri. It’s a fitting reward for a career of constant stress and lack of appreciation.
See that one over there, with the wide eyes and stunned expression? She has the classic signs of a newly minted CISO, or “Convert.” She was probably a competent network engineer or system administrator who did too good a job too many times, so she was put in charge of security. Why not? She figured everything out so far, despite having no formal training or mentoring, so she should be smart enough to figure out security, right? The abrupt career change causes that distant stare you often see in Converts’ eyes, as their brains try to process how they got to this point in their life, and why they keep having to clean up other people’s messes. Some Converts figure it out and become fine CISOs. Others find themselves thrown under the bus the first time something bad happens. And some—once they get a look behind the scenes and realize how fragile the infrastructure and applications really are and how impossible the job is when they can’t even get people to stop writing their passwords down on sticky notes, much less anything else—will start drinking heavily and/or leave to open up a website focused on equipping doomsday preppers.
Quick! See that CISO getting into the Porsche SUV with those two men in suits? That’s a “Venderia Lackini,” probably on his way to lunch or an afternoon game in a vendor’s skybox. Venderia Lackinis are some of the finest dressed of the CISO species, but their verbal range is quite limited. Ask one how to deal with the latest denial-of-service attacks and you’ll probably hear, “Vendor X has a solution for that.” Penetration testing? “Vendor X.” Application Security? “Vendor X.” Company already has good firewalls? “Ah, but Vendor X has new and improved ones that are must-buys.” Have an idea for homegrown security awareness training? “No,” coos this CISO, “Vendor X has people we can bring in for that.” Venderia Lackinis can be very expensive for an organization to maintain but, on the plus side, they do get great tickets to the game and occasionally share them.
We probably won’t see one today, as they are usually hunched over their keyboards or working from home. They’re known as “CHOs,” or “Chief Hacking Officers.” CHOs really want to be blackhat hackers, but don’t like the idea of going to jail, so they have stayed legit. Hackers are great to have on a security team, but if your CISO is really a CHO, the company’s approach to security is going to be a bit, we’ll just say, unbalanced. If you find yourself with a CHO masquerading as a CISO, make sure you have other people on the team who want to do all the boring, uncool stuff like writing policies, training staff, working with auditors, etc.
If it’s a stormy day, we’ll likely spot a “Dr. No.” These CISOs are quite formidable opponents. They believe the best way to secure the organization is to lock things down to the point where business is all but impossible to conduct. Remote employees can’t access resources. Customers aren’t allowed to access any critical information. Partners? You must be joking, we couldn’t possibly allow third parties to have access to our network or data! Dr. No is the master of understanding and discussing risk, but not so much the mitigation side of things. So, everything is too risky, and the safest way of handling the latest request from engineering, product management, sales, or customer support is to simply say “No.” This is often the cheapest way, as well, so Dr. No is often quite popular with CEOs and executive teams.
Finally, we’re on our way to have coffee with a Chameleon. As the name implies, Chameleon CISOs are capable of blending into their surroundings and becoming one with almost any team. They work with engineers and help them find ways to make an application more secure rather than just point out all the ways it’s dangerous and generally sucks. They work with the IT team and help them get funding for needed infrastructure upgrades. They work with the sales teams to help generate material they can use to answer RFPs. Through it all, they’re focused on improving security, and they do it by empowering rather than restricting. Chameleon CISOs are gold, and if you encounter one, you should immediately lure them to work for your company, resorting to forceful capture and relocation, if necessary. (Don’t even think about recruiting this one, though. She’s mine!)