Strategic CISO or tactical CISO? Is this even the right question?

There seems to be a lot of wrangling around this topic and various articles (1, 2, 3, 4) have been written about it over time. I personally reject the concept that you are either strategic or you are tactical. During the Persian Gulf Wars the US military learned the concept of the strategic corporal. The strategic corporal is an expert in the use of arms, but also realizes the implications of actions and how they create political opportunities. Similarly, and contrary to the movies, every general is strategic because they are a tactician. The general officer has the experience and understanding of tactics to cohesively employ them towards an overall goal and vision.

When you search for CISO jobs you can clearly see the principles of tactics and strategy in the requirements. The different industry segments, from banking to software, all have specific opportunities for the CISO. The larger the company, the more likely you will find a strategic CISO. The traits of a strategic and a tactical CISO can blur. There is no purely tactical or purely strategic security program. Some traits?

Strategic CISO

  • Proactively sets vision based on business needs and future requirements
  • Focus is on mission space and vision of future state of program
  • Goals are based on business integration of security
  • Describes security as holistic, enterprise, integrated, and uses frameworks to find gaps
  • Manages purple team activities to create constant optimization

The concept of the strategic CISO is thought by some to be a “hands off” individual who doesn’t really know security. This is driven by the number of non-domain experts who end up in the role based on the perception that compliance is security. Lawyers, business executives, and others feel like they can manage anything, so security would be no different to them.

For a line of business the standard Drucker line of thinking would suggest this to be true, but even Drucker knew there were specialties. The Chief Medical Officer of a hospital is going to be a medical doctor.

The conversation around security often devolves into “hire a hacker”. I must point out that is pretty simplistic. Also, the conversation around formal education versus learning on the job is pretty much a red herring. If you take security seriously you are going to want to hire defensively. If the CISO does not have appropriate industry credentials, the adversary in a lawsuit is going to call into question your company’s diligence in protecting information. Never mind talent, never mind skill; any calls for “meritocracy” or utopian expectations should be set aside for simple pragmatism. Regardless of how you feel about skill, do you want a brain surgeon with the same credentials as the janitor doing surgery on you or your loved one? Or do you want a doctor from the best surgery university?

A few job postings for CISOs say something to the effect of: must be able to program a router, know Microsoft E5 (the advanced protection license), and have AWS/GCP/Azure experience. Often job descriptions are looking for 15-20 years’ experience in things like “cloud”, which is pretty much impossible. Azure started in 2010, GCP started in 2008, and AWS was founded in 2006.

This speaks to the desire to find a CISO candidate who is a domain expert. This is a worthy goal for an organization. Often these CISO candidates will have spent extensive time in the information technology domain, and they will have some significant expertise on the business side from successful delivery of information technology. The key is that they have focused on tooling over time, which gives them a good understanding of its capabilities. Some key attributes you will see in a tactical CISO include:

Tactical CISO

  • Reactively sets vision based on technical drivers and current requirements
  • Focus is on opportunities of the current program
  • Goals are based on technical integration of security
  • Describes security as assurance, tools, breach protection, fills gaps as they arise
  • Works to understand the domain through red and blue teams

Emotions and ego drive a lot of conversations in the security discipline. People who get told they are tactical rather than strategic are often offended, even though American culture and cinema are filled with brilliant tacticians without a strategic bone in their body. From cowboys to Rambo, our fictional heroes look a lot more like Sylvester Stallone than Dwight Eisenhower. Often the tactical CISO is a title without the actual executive role within the company. Practitioners will still shudder at the concept of the tactical CISO being reactive. The word “reactive” is like a curse word in the security discipline. Yet if you are responding to a breach event, have an active engagement against an adversary occurring, or are updating firewalls and detection systems with signatures, all important parts of the security domain, you are being reactive.

Incident response, and the ability to lead an incident response activity to reduce damage, decrease risk, and eject an adversary, is a reactive capability. This is a highly prized skill that requires significant experience. Having personally led innumerable incident responses across a variety of organizational types, I can say that the ability to do this effectively is not widespread.

This leads into the BONUS category of CISO that isn’t discussed very often.

The operational CISO

  • Sets a vision to break down silos and integrate security as a business
  • Focuses on preparation and continual testing of plans
  • Goals are based on integrating security processes for scalability
  • Describes security as auditable controls, non-audited controls, and data led
  • Works to understand the domain through threat models and vulnerability analysis

For a business culture that has Chief Operations Officers and other hallmarks of operations as a key function within the business, the security discipline has been slow to recognize security as a business enabler. As much as I personally might pan business leaders taking on the security role, there is significant room to adopt the principles of business within the discipline of security.

The operational CISO is going to view the security teams as a team of teams. This can be a shock to some teams, as team roles are often defining cultural markers for the employees. The CISO in this role is also going to move towards continuous improvement, which requires data as metrics, and that data will drive the linkages between strategy and tactics.

The operational CISO will often have additional security roles applied to them. Physical security, executive security, data center and event security can often fall under the operational CISO. The title can often be Chief Security Officer, but the bread and butter will be the protection of information assets. It doesn’t take very long to realize that this role is nearly as integrated into the business as the ducts in the air conditioning. As such, this role usually reports to a CEO or COO, with the CFO and HR as peers.

The military will teach that there is a hierarchy of tactics, operations, strategy, and politics. In the world of enterprise security, the operational CISO sits nicely in the role that glues the tactics into the strategy of the corporation. Unlike the strategic CISO, the operational CISO would stay out of the politics of the company as much as possible. A close analogue would be the CFO, who fills a similar function that enables the business to make money and keeps the company on track, while not being in the middle of fights between sales and product.

Each of these types of CISO is, of course, a taxonomical failure. No actual human is going to fit into just one bucket, or maybe even any bucket. They provide touch points without being exclusive or a rule. Further, as the discipline continues to mature and the teams and leaders do the job day in and day out, the responsibility matrix will start to evolve. Currently most standards that talk about the responsibilities and authorities of a CISO role are just guidelines. Worse, the regulatory and legal guidance is contradictory at best when you look at it across national borders. The emergent CISO of the future is going to look a lot different than they do today, and as cloud-enabled applications and CIO functions transition, the CISO will have to follow that trend. That will require significantly different skills from the legal and business realm in contracting. We can expect in the future that the CISO role is going to enter the orbit of the CIO/CFO/GC as a key enabler of the business.