Two-year study explores the roles of information security leaders and how they are affected by organisational dynamics
LONDON, UK, Jan. 17, 2018—Synopsys, Inc. (Nasdaq: SNPS) today published the inaugural CISO Report, the result of a two-year data-driven study exploring the roles of information security leaders and the organisational dynamics that affect them. The Chief Information Security Officer (CISO) Report identifies four unique approaches to the CISO role called “tribes,” each with distinct characteristics. The study emphasises how the four tribes differ in executing a security plan and what the tribes can learn from one another, providing insight for leaders looking to improve their security programs and advance their careers.
“CISOs are humans too, and they sometimes worry about what they’re doing, why they’re doing it, and how they stack up against their peers,” said Dr. Gary McGraw, vice president of security technology at Synopsys. “Unsurprisingly, there is no universal blueprint for a CISO, but there are common characteristics that we can use to classify and understand them in a meaningful way. We believe that when CISOs understand their own approaches with reference to others, they will be better informed about their own ways forward.”
Following a methodology similar to that of the Building Security In Maturity Model (BSIMM), the CISO Report represents an analysis of data gathered over the course of 2 years in a series of extended in-person interviews with 25 CISOs working for some of the largest companies in the world. The report identifies and describes the four tribes below, using 18 discriminators to tell the tribes apart:
- Tribe 1: Security as Enabler
- Tribe 2: Security as Technology
- Tribe 3: Security as Compliance
- Tribe 4: Security as a Cost Center
“The CISO Report provides a simple but undeniably cogent framework to describe one of the most nuanced and challenging roles in the world,” said Jim Routh, CSO of Aetna and a participant in the study. “Rather than simply measuring the merits of the individual behind the title, this study thoughtfully describes the many internal and external factors that contribute to a CISO’s success. It is particularly useful for business leaders determining what type of CISO will best fit with the needs of the business at a specific point in time.”
Download a complimentary copy of the CISO Report.
The CISO Report was authored by Dr. Gary McGraw along with Sammy Migues, principal scientist at Synopsys, and Dr. Brian Chess, SVP of infrastructure and security at NetSuite. The participating firms that elected to be named include ADP, Aetna, Allergan, Bank of America, Cisco, Citizens Bank, Eli Lilly, Facebook, Fannie Mae, Goldman Sachs, HSBC, Human Longevity, JPMorgan Chase, LifeLock, Morningstar, Starbucks, and U.S. Bank. Collectively, the population represents just under 150 years of experience in the CISO role.