Software Integrity Blog


What do the 4 CISO tribes say about software security in your firm?


Where does software security really fit into your firm? We recently conducted a study to find out. We gathered data in a series of in-person interviews with 25 chief information security officers (CISOs), aiming to understand their strategies and approaches. The 2018 CISO Report presents the research findings.

From the findings, we also identified four tribes based on how a CISO’s work is organized and executed.

Infographic: What do the 4 CISO tribes say about software security in your firm?

Tribe 1: Security as Enabler

This tribe makes up 20% of the participating CISOs. With a business-focused approach and a balanced staff, this CISO tribe tends to evolve from compliance to commitment.

Tribe 2: Security as Technology

This tribe is the largest segment, comprising 32% of participating CISOs. Those in this tribe tend to overemphasize the technical aspects of security challenges, while also portraying a solid security stance that goes beyond compliance. This tribe also often suffers from superman syndrome, as its members prefer getting down into the weeds of issues rather than delegating their resolution.

Tribe 3: Security as Compliance

This tribe makes up 28% of the participating CISO population. They implement the bare minimum standard based on compliance obligations. While they may not be deep technologists, they may also be suffering from underinvestment by the organization.

Tribe 4: Security as a Cost Center

Making up 20% of our participating CISOs, Tribe 4 exhibits an overwhelmed and underresourced security approach, consuming but not driving budget.

Whether a CISO and their corresponding tribe are in the early stages of maturity, or they’re driving a healthy information security organization, there’s always room for improvement and evolution within the CISO role. That brings us to the question: Can CISOs change their stripes?

What kind of CISO are you? Get the report

