5 Minutes With
3 Types of CISOs and How to Recognize Them

The role of Chief Information Security Officer (CISO) is not an easy one. While plenty of advice and strategies for CISOs exist, the role can be a challenge even at the best of times, especially if the CISO is lacking skills whose absence may not be immediately apparent.
Here, Security magazine talks with Bryan Marlatt, Chief Regional Officer (North America) at CyXcel, about different types of CISOs based on their skillsets.
Security magazine: Tell us about your background and career.
Marlatt: I have spent over 30 years in IT and cybersecurity. Throughout that time, I’ve worked in the DOD, both as a civilian and in uniform, built and managed networks, delivered technologies and services with a value added reseller (VAR), led a team of sales engineers at a security technology company, consulted with analysts and board members at a Big 4 consulting firm, been an established CISO with multiple companies in different industries, and now lead the US practice at a global legal and cyber pre-incident/post-incident consulting firm (CyXcel).
Security: Can you explain the various types of CISOs and how they differ from each other?
Marlatt: Over my years in cyber, I’ve been able to recognize three types of CISOs.
The first type is the Security Engineer CISO. This is a person who has grown up in cybersecurity and was overpromoted into the role of CISO. This CISO has blinders on and sees and understands only the technical aspects of the cybersecurity program.
The second type of CISO is the Business CISO. This type of CISO has never touched a technology and often has grown up in other areas of the business, such as sales, project management, or the like. This CISO has the blinders turned in the other direction: they are able to understand only the needs of the business, but don’t know how to translate those needs into security capabilities that meet them.
And finally, we have the Fully Functioning CISO. This CISO has grown up in areas or roles that helped them understand that the needs of the business drive the needs of IT and cybersecurity. This CISO has the blinders off and can understand the role of the analyst and can translate the risks to the business at the board level.
Unfortunately, there are many more of the first two types of CISOs than the last.
Security: If only one type of CISO is in an organization, does this leave the institution open to security gaps?
Marlatt: Absolutely. If an organization has one of the first two types of CISO, they will greatly rely on their team members to fill the gaps. If it’s the Security Engineer CISO, it’s much harder as most organizations don’t have a role that will help the CISO interpret the needs of the business. It’s only larger organizations that have Security Architects or Program Management to help drive clear understanding of the business needs. If the organization has the Business CISO, they can generally rely on the technologists of the team to understand the technology requirements and help develop them into plans.
Both the Security Engineer CISO and the Business CISO fall short in helping lead the business in overall strategy. And with these two types of CISOs, they generally don’t teach their teams the importance of learning the business or having a broad skill set in cybersecurity knowledge, which leads to replication of the same types of future CISOs.
Security: How can organizations ensure they have a multi-disciplinary CISO? As for CISOs, how can they seek to broaden their skillsets and become multi-disciplinary?
Marlatt: The best way to identify a strong CISO that can meet the requirements of both technical and business understanding is in the interview process.
See what the CISO already knows about your business. See what kinds of questions they ask related to the business. But also have a technical portion of the interview. It can’t be a "stump-the-chump" exercise, but understand what they know about the key capability requirements needed for any security program. Understand what tools were used in their previous roles and why they selected them. If you hear that they didn't help select the technologies or they ran a status quo environment, they may not be the right CISO. Understand what types of transformational work they completed and what business problems they were trying to solve. Understand if they have been through a cybersecurity incident and what role they played. Did they work hand-in-hand with the business, or were they focused on how the threat actor got in? And finally, ask them what their business peers and employees would say about them if asked. This will tell you a lot.
You might think that some of the CISO certifications out there are the answer, but unfortunately, they are not. Finding a CISO with a broad range of experiences and/or the right education is key. Someone who has been in many different types of cybersecurity roles across different industries will show a breadth of understanding of regulatory compliance. It’s always great to see a CISO with technical experience and an MBA, showing they had the foresight to expand their knowledge and better understand the business aspects. Sometimes you find an outlier that was just made for the CISO role, no matter their background and education.
No matter what, finding the right CISO is critical to any organization given the current impact cybersecurity incidents bring to organizations.
Security: Is there anything we haven’t discussed that you’d like to add?
Marlatt: With current regulations and impacts that have come to CISOs in the past few years (e.g., Joe Sullivan at Uber and Tim Sullivan with SolarWinds), taking on the CISO role isn’t for the faint of heart.
As I watch open CISO roles float across the screen on LinkedIn, some with very low salaries, it’s clear that some companies don’t know what they are asking for. Just because your insurance carrier has a box for CISO in their multi-page questionnaire doesn’t mean you have to assign that title to an unqualified individual.
Not only do companies need to choose the right type of CISO, CISOs need to make sure they can meet the requirements of the role they are being asked to fill. Read the job description to know if what that company wants is a CISO, or just someone sitting in the seat with a title. If it is the latter, you may find a seat next to Joe, Tim and the other CISOs out there just waiting for prosecution.