In one of my previous blog posts, I talked about where the CISO typically reports to today and presented the notion that organizations need to match the different CISO personality types with corporate security objectives. 

When you are introduced to a doctor, you would probably naturally ask “What type of doctor are you?”  The response will indicate the doctor’s specialty, skills, training and experience.   And, if you were looking for an attorney or accountant, the first question would be what type of attorney or accountant were they.

When introduced to a CISO, you can’t ask that question. We do not formally think of “types” of CISOs.  The question that tends to substitute is “where do you report?”  Whom you report to can be roughly translated into the types of duties that the CISO is performing.    A CISO who reports to Legal and Compliance is more likely not to have security operations responsibilities than one who reports to the Manager of Network Operations and Infrastructure.

CISO job descriptions further evidence different, diverse skill sets that organizations currently require from CISOs.   Relevant contextual factors which influence where the CISO reports include enterprise strategy, organizational culture, history with the CISO function, security incident experiences, and accepted practice industry and compliance requirements.

I suggest that different organizations require different types of CISOs at different times given the different factors described above.  Of course, these factors change over time and may require that the reporting structure of the CISO is changed.

In my next blog post, I’m going dissect this further and describe the three most common CISO types I’ve seen in my 25 years in industry.