Synopsys has published the inaugural CISO Report, the result of a two-year data-driven study exploring the roles of information security leaders and the organisational dynamics that affect them. The Chief Information Security Officer (CISO) Report identifies four unique approaches to the CISO role called “tribes,” each with distinct characteristics. The study emphasises how the four tribes differ in executing a security plan and what the tribes can learn from one another, providing insight for leaders looking to improve their security programs and advance their careers. “CISOs are humans too, and they sometimes worry about what they’re doing, why they’re doing it, and how they stack up against their peers,” said Dr. Gary McGraw, vice president of security technology at Synopsys. “Unsurprisingly, there is no universal blueprint for a CISO; but, there are common characteristics that we can use to classify and understand them in a meaningful way. We believe that when CISOs understand their own approaches with reference to others, they will be better informed about their own ways forward.”
Following a similar methodology as the Building Security In Maturity Model (BSIMM), the CISO Report represents an analysis of data gathered over the course of 2 years in a series of extended in-person interviews with 25 CISOs working for some of the largest companies in the world. The report identifies and describes the four tribes below using 18 discriminators to define tribe identification: - Tribe 1: Security as Enabler
- Tribe 2: Security as Technology
- Tribe 3: Security as Compliance
- Tribe 4: Security as a Cost Center
“The CISO Report provides a simple but undeniably cogent framework to describe one of the most nuanced and challenging roles in the world,” said Jim Routh, CSO of Aetna and a participant in the study. “Rather than simply measuring the merits of the individual behind the title, this study thoughtfully describes the many internal and external factors that contribute to a CISO’s success. It is particularly useful for business leaders determining what type of CISO will best fit with the needs of the business at a specific point in time.”