CISO Research Identifies 4 Distinct Approaches to the Role

Every chief information security officer (CISO) is unique. They each have varying modes of operation that are influenced by long and distinguished careers. To understand CISO strategies and approaches, we decided to conduct a study. We gathered data in a series of extended in-person interviews with 25 CISOs with the goal of describing how a CISO’s work is organized and executed.


Some participating firms in this study


  • ADP
  • Aetna
  • Allergan
  • Bank of America
  • Cisco
  • Citizens Bank
  • Eli Lilly
  • Facebook
  • Fannie Mae
  • Goldman Sachs
  • HSBC
  • Human Longevity
  • JPMorgan Chase
  • LifeLock
  • Morningstar
  • Starbucks
  • U.S. Bank

The 4 CISO tribes

We identified four distinct approaches to the CISO role, each with unique characteristics and discriminators. The names of these four “tribes” emphasize what separates one from another. Dividing CISOs into tribes leads to some insight into career development and progression. We believe that when CISOs understand their own approaches as compared to others, they’ll be better informed about their own ways forward.

  • Tribe 1: Security as Enabler
  • Tribe 2: Security as Technology
  • Tribe 3: Security as Compliance
  • Tribe 4: Security as a Cost Center

What's inside the report?


  • A thorough exploration of each of the four tribes to support the evolution, consistent improvement, and efficiencies of the CISO role
  • An overview of the discriminators used to differentiate the tribes
  • A coherent model representing a CISO population of just under 150 years of experience