6 Types of CISO, Habits of Highly Effective CISOs, 10 Key Security Projects – BSW #189

There are six types of CISOs depending on the type of organization they work and their personality type, according to Forrester: 1. Transformational: Often "energized" to dive into a three- to five-year transformational initiative, said Pollard. These individuals tend to enjoy turn-around projects and watching business outcomes unfold. 2. Post-breach: Thrive in turbulence; they take on rebuilding a company's security organization while mitigation and PR crises play out in the background. These CISOs don't mind the possibility of becoming "the punching bag" for vendor presentations in the future, said Pollard. 3. Compliance guru: Typically work in highly regulated industries and are fluent in regulatory bodies and acronyms: HIPAA, CCPA, FDA, etc. 4. Tactical/operational: Action-oriented and can sift through technical complications. 5. Steady state: One of Pollard's favorite types because they usually serve at companies that don't need immediate transformation. "Maybe the company is OK right now," he said. 6. Customer-facing/evangelist: Unafraid, and rather enjoys being their company's spokesperson for cybersecurity. Tech companies often have this kind of CISO because they can appeal to customers with their charisma.

Most effective CISOs constantly initiate discussions on evolving cyber security norms to stay ahead of threats; prioritise keeping their organisation’s decision-makers aware of current and future risks; proactively engage in seeking out and security emerging security technology; implement formal and actionable success plans; and define their organisation’s risk appetite through collaboration with decision-makers.

Why we don’t talk about cyber security: 1. We don’t understand fully 2. We can’t see it 3. It's terrifying

Based on behavioral and decision science research and years of application experience, we have identified seven simple strategies for more effective group decision making: 1. Keep the group small when you need to make an important decision. 2. Choose a heterogenous group over a homogenous one (most of the time). 3. Appoint a strategic dissenter (or even two). 4. Collect opinions independently. 5. Provide a safe space to speak up. 6. Don’t over-rely on experts. 7. Share collective responsibility.

If there's time and resources for more projects, here are Gartner's top security projects through 2021: 1. Securing the remote workforce 2. Risk-based vulnerability management 3. Platform approach to detection and response 4. Cloud security posture management 5. Simplify cloud access controls 6. DMARC 7. Passwordless authentication 8. Data classification and protection 9. Workforce competencies assessment 10. Security risk assessment automation

If employees don't engage with security red flags, the agreement fails to address the underlying issue: an application outside of a company's risk appetite.