
The CISO Role: How to Design a Security Leadership Role
This blog post is part of a multi-part series on designing an information security program in alignment with your most important business objectives. You can also watch the webinar/podcast which accompanies each blog post for more ideas.

CISO Role (Part 1) | Security Org Structure (Part 2) | Budgets (Part 3) | Business Cases (Part 4) | Build a Team (Part 5)

Imagine hiring a carpenter to install custom marble tile for your dream kitchen. You would start your search by finding carpenters in your area who specialize in tile installation. Then, you would narrow down the search to carpenters who focus on interior installation, and kitchens in particular.

Finally, you would shortlist the carpenters who specialize in custom-cut marble tile at a fair rate. It seems obvious: hire someone who is an expert based on your needs.

However, when it comes to hiring a CISO, most organizations do not realize that CISOs are similarly specialized and that the role at each organization will vary based on its specific business challenges.

For example, consider your own company. What are your biggest challenges? Compliance, regulations, application security, security questionnaires in the sales cycle? To succeed, the CISO role must be designed to align with the specific needs of your organization.

In this post, we will provide a framework to design a CISO role that will support your most important business objectives.

Designing a CISO Role That is Right for Your Organization

There is a large universe of potential responsibilities a CISO may be asked to fill. However, we must establish upfront that no CISO can meet all of them alone. Your organization likely has a long list of “must-haves”, but it is a fact that you will not be able to find all these attributes in a single person. Therefore, your organization must prioritize the skills most valued in its security executive and design a job description around those required skills.

To begin, we recommend a three-step process: identify your biggest business problems, prioritize CISO roles and responsibilities, and build a CISO RACI diagram.

Identify Your Biggest Business Problems

To start, the organization must identify the “why” behind building a security organization. I recommend making a “top 10” list and ranking each item in order of priority. This will inform the decision process of designing the CISO role. Below is a simple example:

Tip: If you are unsure about your biggest business problems and their link to information security, you may want to consider a formal risk assessment. Reference ISO 27005 or NIST 800-30 as a starting point.

Prioritize CISO Role and Responsibilities

In the figure below is a list of responsibilities often associated with a CISO. This is only a partial list, but as you can see the typical needs are broad, and each requires a significant depth of technical knowledge and experience to execute well.

As a rule, a CISO with 2080 hours in a standard work year can handle a primary and a secondary responsibility (two columns from the figure below). Anything more cannot be executed well without significant support.

As an exercise, we highlighted in blue the areas that correspond to the business problems identified above. This makes it clear that the CISO will focus most of their time on Governance and Compliance related activities, which is in alignment with the outlined business problems.

CISO RACI Diagram

Now that we have a firm understanding of the organization’s business problems and the CISO’s primary focus areas, we need to be able to communicate how the remainder of the security universe will be managed as a shared responsibility. We can do this by creating a RACI diagram across the five identified focal areas.

This exercise makes clear that the CISO will focus on Governance and Compliance (highlighted in blue), but will require support from leaders across the organization. This is a powerful tool to communicate expectations to your CISO as well as the rest of the team.

Tip: If you are designing a security committee (we like to call it an Information Risk Council), this exercise also makes it easy to identify who will likely need to be a member.

Common CISO Profiles

After completing the exercises above you will have a good understanding of the type of CISO your organization requires. You have likely landed on one of three common CISO profiles. We will provide a brief description of each, as a helpful starting point in designing your CISO job description and keeping an eye out for the right candidate.

CISO Type I: The Security-Focused CISO

Typical Profile: The security-focused CISO often has prior experience in information technology or product. They were often “doers” or “builders” with an engineering background.

Strengths: Security-focused CISOs thrive in engineering-minded organizations with technically minded staff charged with building secure systems. They are especially effective when communicating with software developers or system architects.

Weaknesses: They typically understand security at a deeper technical level, but often struggle with the bureaucracy that accompanies compliance.

Support Needed: They will help the organization thrive when paired with GRC managers who can help run the compliance side of the program.

From my experience, about 30% of CISOs fall into this category.

CISO Type II: The Compliance-Focused CISO

Typical Profile: The compliance-focused CISO likely has prior public accounting, auditing, and governance experience.

Strengths: Compliance-focused CISOs will thrive in highly regulated environments with the ability to follow a framework, achieve certification, and collaborate with auditors and regulators. They typically understand how to interpret and navigate audit, certification, and regulatory frameworks. In addition, compliance-oriented CISOs are typically well trained to navigate executive and board reporting.

Weaknesses: Compliance-focused CISOs often lack deep technical acumen or engineering experience. As a result, they may not have hands-on experience using security tools or building software. Because of this, they may not empathize as deeply with those tasked with carrying out security functions.

Support Needed: Compliance-focused CISOs will be well paired with technical subject matter experts who are comfortable executing technical “hands-on” job requirements.

From my experience, about 50% of CISOs fall into this category.

CISO Type III: The Successful Executive With a CISO Title

Typical Profile: The Non-CISO CISO is an executive (typically a former COO or CTO) who somehow found themselves with the responsibility of running the security organization.

Strengths: They are often great cross-functional leaders who can get things done. They are naturally attached to the priorities of the business and run security accordingly. They also typically empathize with those outside the security organization and as a result can collaborate effectively.

Weaknesses: They probably lack the technical skills or compliance experience typically associated with the CISO title.

Support Needed: Non-CISO CISOs will need to be supported by a strong team of non-executive subject matter experts at the management level. There should also be an enhanced focus on reporting on key performance indicators that clearly communicate the health of the program to the non-traditional CISO. Further, the non-traditional CISO should be well respected by the organization at large and be candid about their lack of technical acumen. Otherwise, posturing may erode their credibility.

From my experience, about 20% of CISOs fall into this category.

Honorable Mention: The I.T. Leader with Security Responsibilities

Typical Profile: An I.T. leader who has informally adopted security responsibilities.

Strengths: They have the best understanding of the technical components of the various systems that support the organization.

Weaknesses: Since I.T. builds and supports the systems in question, they may have blind spots when it comes to assessing their security posture. Further, there is a natural conflict of interest, as the I.T. leader may be apprehensive about pointing out security weaknesses in the systems they built. Finally, there is simply too much to do: the I.T. leader will not have the time to oversee all of I.T. and security effectively.

Support Needed: While the I.T. leader may be required to support security as a matter of necessity (due to resource or budget constraints), it is not a long-term solution for most organizations at scale. Therefore, the I.T. leader will require a security manager or analyst as soon as is feasible.

While this position is common, it is not a CISO role, and it is not effective or fair to hold this individual accountable for security activities without appropriate support, resources, and budget.

We have Designed the CISO Role, Now What?

Now that you have designed the CISO role, your organization should be well-positioned to hire a CISO candidate who fits the needs of your organization. Your organization will also be able to effectively communicate expectations and accountability. Clarity will help eliminate uncertainty and help align the security program with your most important business initiatives.

If you found this post helpful, watch out for part 2, where we will continue the series and discuss how to design a clear and effective security program organizational structure that supports your organization’s strategy.

Check out the webinar here

By Christian Hyatt | August 11th, 2020 | CISO Discussions


About the Author: Christian Hyatt

Christian is the CEO and Co-founder of risk3sixty. Christian is responsible for setting the vision for the team, ensuring the leadership team is “rowing in the same direction,” creating purpose and alignment across the firm, and nurturing company culture. Christian has 15 years of experience advising technology companies on building and improving their cybersecurity programs. Christian works hard to partner with executives to help ensure they have the strategy and tactics to align cybersecurity and business objectives. Under Christian’s leadership, risk3sixty has been named one of Consulting Magazine’s Best Firms to Work For, Atlanta’s Fastest Growing Companies, Atlanta’s Best Places to Work, a HireVets Platinum Honoree, and more. Outside risk3sixty, Christian advises technology start-ups on business and growth challenges, is an author and keynote speaker, and is a Vistage member. Christian has an M.B.A. from Georgia Tech and a B.B.A. from the University of Georgia. Christian is a Georgia Tech Technology and Management (T&M) corporate partner and an Advisory Board Member for UGA’s Management Information Systems Advisory Board.
