Where does software security fit into your firm? We conducted a study to find out. Learn how a CISO’s tribe affects software security at their organization.
Where does software security really fit into your firm? We conducted a study to find out. Gathering data in a series of in-person interviews with 25 chief information security officers (CISOs), our aim was to understand their strategies and approaches. The 2018 CISO Report presents the research findings.
From the findings, we also identified four tribes based on how a CISO’s work is organized and executed.
This tribe makes up 20% of the participating CISOs. With a business-focused approach and a balanced staff, this CISO tribe tends to evolve from compliance to commitment.
This tribe makes up the largest segment, comprised of 32% of participating CISOs. Those in this tribe tend to overemphasize the technical aspects of security challenges, while also portraying a solid security stance that goes beyond compliance. This tribe also often suffers from superman syndrome as they prefer getting down into the weeds of issues rather than delegating their resolution.
This tribe makes up 28% of the participating CISO population. They implement the bare minimum standard based on compliance obligations. While they may not be deep technologists, they’re also be suffering from underinvestment by the organization.
Making up 20% of our participating CISOs, Tribe 4 exhibits an overwhelmed and underresourced security approach, consuming but not driving budget.
Whether a CISO and their corresponding tribe are in the early stages of maturity, or they’re driving a healthy information security organization, there’s always room for improvement and evolution within the CISO role. That brings us to the questions: Can CISOs change their stripes?