
CISO Role Development – A Journey

If there is one enterprise role that’s very complex, it is the CISO’s role. The complexity comes from its newness, the way it gets created in an organization, and the overlap it has with multiple other roles.

In most organizations, the head of security role is typically created within the CIO’s organization and focuses on technologies and standards. The transition to a full-fledged CISO role is often triggered by critical events, with 70% of enterprises facing a security breach leading to its creation.

Even after the CISO role is established, the journey for the role holder is challenging, involving defining the role and meeting expectations.

Coeus Age offers a holistic approach to CISO’s role development, focusing on individual awareness and the organizational context, tailored based on adult learning philosophy for personalized effectiveness.

The CISO’s role is not one role. It is a composite of multiple aspects that the role needs to address. However, individuals, depending on their personality traits, tend to focus more on certain aspects at the cost of others. In this post, I intend to define the four archetypes of the CISO’s role and how individuals may fall into any of these archetypes.

The first archetype is People’s Person.

In this archetype, the CISO is extremely sensitive to the needs of teammates and often goes the extra mile to meet those needs. A human-centric approach requires a soft heart that can accommodate people’s personal demands. It is functional when it motivates people, develops them into capable workers, and enables them to be productive. The dysfunctional side can be seen in its impact on work and productivity.

The second archetype is Controlling Operator.

In this archetype, the CISO tends to control people and processes by laying more emphasis on rules, procedures, policies, and techniques. Technology becomes a tool in this endeavor. The focus is on results, performance, and productivity, often at the cost of the human touch. At an extreme, the archetype treats the socio-technical system as a machine where the sum of the parts is always equal to the whole. When functional, it produces results; when dysfunctional, it demotivates people.

The third archetype is Business Champion.

In this archetype, the CISO supports the business by continually engaging in the development of secured systems, aligning with the demands of the business, and conveying security-related aspects successfully. The focus is on making security a part of the development of applications and ensuring that business managers appreciate the need for security. On the functional side, it involves helping businesses without confrontation, but on the dysfunctional side, confrontations may thwart the dialogue.

The fourth archetype is Friendly Advocate.

In this archetype, the CISO continuously influences the top management on matters related to cyber security. This requires a good level of communication and an understanding of the threat landscape. Such CISOs can engage with the top management and the board and convey complex and technical information in simple terms for the latter to appreciate and align with. On the functional side, they get buy-in from the top management and the board, but on the dysfunctional side, they may resort to inducing excessive fear to get security taken seriously.

The four archetypes discussed here are pure-play categories and typical profiles, but no CISO is just one type. A CISO may lean heavily toward one archetype, but all four are present. Normally, all four are required to play the role successfully, with their proportion defined by the context and the personal aspirations of the CISO.

Do you know what your role archetype mix is? Which archetype dominates the others?

The need for development arises when a particular archetype is demanded by the context, but the CISO’s personality is not developed in that direction. How a CISO gauges that gap and works towards building the competency to play that role is a journey that starts with SELF AWARENESS (Know Thyself) and CONTEXTUAL AWARENESS (Know Thy Environment).

We shall continue this dialogue in the next posts.


Secuiti, an initiative of Coeus Age, seeks to foster a community of Cyber Security leaders. Additionally, it aims to stimulate dynamic discussions surrounding Cyber Security Leadership, Strategy, and Technology.

Copyright © 2024 Secuiti, Coeus Age
