The Types of CISO

The 3 Types of CISO: Know Which You Need

In “What’s the CEO Equivalent of The Peter Principle?” I posited that there are 3 kinds of CEO:

  1. Those good at starting a company;
  2. Those good at building start-ups to the point they can go public, or be acquired; and
  3. Those good at leading a company for the long-haul.

…with the theory being that unless the CEO knows which s/he is, s/he’ll eventually run a company into the ground. No CEO is really good at more than one, and I’ve met too many who aren’t good at any of them.

The CISO role is no different, and if you’re looking for one, you had better ask the right questions of your candidates. However, if you are a CISO or want to be one, then you must know which kind you are or you’re setting yourself up for failure.

What Are The 3 Types of CISO?


  1. The Planner: – The p-CISO comes in at the beginning of an engagement, before an organisation even knows what it actually needs. Their job is to design a security program that does the only thing it’s supposed to; support / enable the company’s business goals. The p-CISO must also write the Governance Charter, get the CEO to sign it, then implement the Governance Committee. 99% of all security programs fail at this stage, so this is perhaps the most difficult task of all.
    Of the 3 types, this is the most creative, but also the least detailed oriented, which is why they probably should not try to run the program long-term.
  2. The Executor: e-CISOs get things done. They take the hand-off from the p-CISO and put the agreed plan into action. While this may seem more like project management, there is a lot more to it than that. Putting a security program in place takes a shift in an organisation’s entire culture. Installing a firewall is easy, getting the CEO to accept full accountability for the ISMS is a Herculean task.
    This type has the rare ability to focus on enormous amounts of detail, but is political enough to bring the people components together.
  3. The Optimiser: o-CISOs are in it for the long-haul. These are the folks that take the still raw security program, and make sure it get fully instilled in the company culture and business as usual processes. They will also likely Chair or Co-Chair the Governance committee.
    The most political of the 3 types, and it is the o-CISO’s incredibly difficult task to ensure that IT, IT Security, AND the business side all do their part. The depth and breadth of the position makes it one of the most difficult jobs imaginable.

Ignorance of these 3 types certainly goes a long way to explain why CISOs last less than 2 years on average. Organisations ask the wrong questions, and prospective CISOs have little concept of their own limitations.

I’m not saying that there is no overlap in these roles, there is. I’m also not saying that a single individual can’t be fairly good at more than one, they can. What I am saying is that, in practice, the skill-set required to be REALLY good at these roles is mutually exclusive. e.g. I have never met someone who thrives on creating something from scratch (p-CISO), have any interest whatsoever in baby-sitting something for the long-haul (o-CISO).

And that’s OK, you don’t just have one kind of doctor, or lawyer, why should a CISO be any different?

Unfortunately, too often the CISO role is seen as the ultimate goal in the career of a cybersecurity expert. But the fact remains that this role suits very few people long-term. Both p- and eCISOs are senior level consultants, only the o-CISO is a long-term employee.

And let’s not forget; Make the CSO Role a Board Appointment, or Don’t Bother Having One, the CISO is no different.

I’d be very interested to hear what actual CISOs think of this theory?

[If you liked this article, please share! Want more like it, subscribe!]

3 thoughts on “The 3 Types of CISO: Know Which You Need

  1. Dear David,

    I very much enjoyed reading your article on the different types of CISOs, since I am currently researching the same topic.
    I was therefore wondering if you have any additional sources on the different types, because the classification you used made a lot of sense to me.

    Thanks a lot in advance.

    Best regards,

  2. Hello David,

    Thank you very much for a great thought provoking article! The pendilum of acute specialization vs. holistic approach to a subject at hand has a very wide swing. Taking your reference to medical specialties to an extreme, I think none of us would ever want to find oneself with a ready-to-go appendicitis, while facing a team of expert “left ear surgeons.” I can also use the IS profession’s frequent emphasis on “reasonable” and “sufficient” to argue that lack of 7-mile-deep understanding of certain relatively obscure specifics does not necesarily translate into performance-affecting lack of proficiency. Finally, I might suggest that a wholistic approach, one that covers and is fully accountable for all phases of the IS leadership you described, might be beneficial for the organization in the same way that having one lead architect is beneficial to building a cathedral.

    Thank you for the inspiration!


If you think I'm wrong, please tell me why!

This site uses Akismet to reduce spam. Learn how your comment data is processed.