
What are the pros and cons of the different types of CISOs?

There can often be two types of CISOs: the builder and the stabilizer. Expert Mike O. Villegas discusses the pros and cons of each type and the roles they play.

I saw mention that there are two types of CISOs: those who like to bounce from company to company to build security programs from the ground up and those who like to join an established security program after a data breach because they're likely to have more support. What are the pros and cons to each type?

Unlike the CIO, performance measures for the CISO are still evolving. CIOs are measured by service-level agreements, key performance indicators, cost savings and their ability to effectively communicate with executives. CISOs, on the other hand, are measured by quasi-quantitative and subjective metrics that can be understood by executive management. CISOs can be measured using key performance indicators or even management by objectives, but it is like forcing a square peg into a round hole. Because of this inability to objectively quantify a CISO's job performance, CISO terminations generally occur after a security breach, when there are budget overruns, when there's a perceived lack of value added or when there's overall executive dissatisfaction.

Terminations may occur for many reasons, but the average CISO tenure is three to five years, and two types of CISOs seem to stand out when hiring replacements. One, which I will call the Builder, is the type that prefers to come into a badly managed environment to build it into an effective, well-oiled security program. This person will begin their employment by building a cybersecurity program and, once it is implemented and stabilized, will move on to another enterprise to do the same.

The second type of CISO, which I will call the Stabilizer, is typically hired after a major breach, reorganization or merger. He joins a well-established cybersecurity program to improve it, knowing that the management support and approval he needs will be available.

While there are pros and cons to these two types of CISOs, they do not represent the majority of tenured CISOs. Most CISOs or security directors manage the cybersecurity program well and, as long as there are no major incidents or breaches, their job is relatively safe. Once a breach occurs, however, unless the CISO has taken steps to minimize the chance of becoming collateral damage, it's time to replace him with one of the two types of CISOs.

The Builder is an entrepreneur, a motivator, a good communicator and an agent of change. He finds ways to build his staff's skills or, if they lack the aptitude, to replace them with staff who can handle the position. He has proven ideas and he approaches challenges as an opportunity to excel.

The Stabilizer typically has a good presence, demands respect, is a good negotiator and has proficient aplomb. He is able to use his predecessor's shortcomings to his advantage to attain resources to meet his goals, knowing full well that he has executive management's support. Much like the Builder, however, he will move on to another institution if offered a greater challenge or more compensation.

The character traits of the two types of CISOs are laudable, but unless the enterprise presents greater opportunities to succeed, they will both become bored with the CISO role and begin looking elsewhere.


This was last published in December 2016
