The great thing about the security industry is it’s made up of a variety of roles and people from many backgrounds, disciplines, skill sets and lived experiences. Let’s take a look at some of these - with a bit of humor.
Remember, for the most part, everyone is doing a great job and even if they’re seemingly not then that is often a function of their context or environment which you might not even be aware of. Yes I’m poking fun here (including at myself), so take it that way.
[Note: The GenAI images are derived from prompts from the text itself].
1. Self-Appointed Thought Leader
Spends a lot of time carefully curating their LinkedIn profile to represent the perfect summary of titles based on what they see as the current de rigueur look of thought leadership. Carefully includes at least the CISO title even though they have never been one (or have been the CISO of their own one-person company), mentions they are a Board director (of a not-for-profit or professional association) and lists their education as Harvard (from their last one-week online, non-examined executive course).
Says things like: “It’s incredible that all CISOs don’t report directly to the CEO or the Board, that’s the only way security can be ever effective.”
2. Cryptographer Turned Security Guru
Having spent many years writing books and publishing papers espousing cryptography as the main way to achieve security they suddenly realize it’s a bit more complicated than that. So they switch to reveal to the world their apparently unique insight that security is actually about people, process and technology - something working information security professionals had known for a long time.
Says things like: “If only people more than just me realized that security processes are important we’d be in a much better place.”
Isn’t happy until they invent a product category name they can call their own, even if it makes little sense to anyone else and it’s really just an amalgam of other product categories. Devotes their life to putting things into 2 x 2 grids. Has been known to invite you to speak at their company’s supposedly prestigious conference but only if you also pay a sponsorship fee.
Says things like: “Your product can’t be any good as it doesn’t fit into the CRPR, BOLX or BDSM categories and it hasn’t even traversed the peak of inflated expectations.”
4. Vendor Security Product Manager
Feels very uncomfortable when no-one really knows what a “user journey” is, or has a feeling that even when people say they do, they really don’t. Gets anxious when product / market fit is discussed for security products that most security teams don’t really want and most IT teams have never heard of.
Says things like: “Does my PRD adequately convey enough agility as shown on the business model canvas in the DEEP backlog?”
5. Think Tank Policy Wonk
Loves to write 30 page documents that make general calls to action and policy pronouncements without much reference to whether prior similar calls to action have even been vaguely effective. Invites corporations to join initiatives to develop their latest report and then spends months trying to hammer the square peg of reality into the round hole of the preconceived ideas they’ve always wanted to write about.
Says things like: “Would you like to devote hundreds of hours of your time to partner on our latest research and give us $200,000 of research funding for the privilege of doing so?”
6. Corporate Generalist Manager Turned CISO
After a long career on the executive fast-track, moving from department to department in a major conglomerate without making it to the top of any of them, is appointed by the CEO to the CISO role to finally “fix” security. This is after many years of IT or career security people being in the CISO role, who failed largely due to lack of support or investment. But now the corporate generalist manager is going to turn their Six Sigma black belt to the task and is supremely confident they will achieve all that is required, while wearing their lack of understanding of security or technology as a badge of honor.
Says things like: “Security is simply a business problem, not at all a technology problem.”
7. Cloud / SaaS CISO
After a long career upgrading security in place across a ton of legacy systems finally gets religion about “The Cloud” by implementing a few big projects. Now, with a faded recollection of the trials that actually involved, espouses that everyone should move to the cloud.
Says things like: “Secure digital transformation is vital to find the synergies between IT productivity and security risk reduction.”
8. Digital Native CISO
Hired as the security engineer as part of the first 10 engineers the company had. Built the whole security pipeline from scratch natively in the cloud with no legacy in sight. Despite this they still managed to create risk concentration by putting all their identity eggs in the one basket of a regularly troubled SaaS IdP. They came to work last month to be told by the CEO they’re now officially the CISO and have to spend all their time working with customers, auditors and regulators. They’ve now started spending a lot more time on CISO Slack channels looking for the next start-up to ply their engineering trade.
Says things like: “I’m a West Coast CISO, not an East Coast CISO.”
A former CISO who wants to keep the CISO title without feeling the need to be called at 3am ever again. They might even be a management consultant who has never actually been a CISO but thinks it would be cool to have that title and give advice to CISOs who are, well, just actually “living the dream” every day.
Says things like: “I will be around to support you, assuming you keep buying our products.”
10. Small Business IT Staff
The only person running IT, security, auditing and administration for cloud, SaaS, on-premise IT, OT and everything else, including the firmware updates for the Nespresso machine. Loves, just loves, all the hundreds of pages of guides they have no time or inclination to read, written by lots of government agencies, not-for-profits and vendors who’ve never worked in or run a small business in their life.
Says things like: “Yubi what?”
The eyes and ears, and stomach ulcer, of the Board Audit Committee. Spends their time writing audit findings and observations whether there are any material issues or not and then occasionally having borderline personality breaks from having to parse the constant appeals from IT and security that no matter what the findings are they have no resources to fix the issues anyway.
Says things like: “No, I can't adjust that audit finding resolution deadline for the 5th time.”
12. CISO Turned Chief Risk Officer
Senior security leader who decides it might be interesting to bring some rigor to a world of High, Medium and Low risk charts with an occasional Red, Yellow, Green for even more accuracy. Took a quantitative risk analysis class, has read the book “How to Measure Anything” and can spell Bayesian. Their first year is full of hope and the vigorous use of any quant tool they can get their hands on so they’ll be the first person to finally crack the code of cyber-risk quantification. After their first Board Risk Committee meeting watching eyes glaze over they go back to showing issues as High, Medium, Low and are immediately applauded as Risk Manager of the Year.
Says things like: “My Bayesian network didn’t work out, as the Monte Carlo got held up on the one server IT could allocate to us out of the 100,000 servers otherwise devoted to credit and market risk calculations.”
13. Law Enforcement/Military/Intelligence Pro Turned CISO
After a long and distinguished career in vital public service they come into the private sector after a careful selection process (one interview by a Board member following a direct Executive Search pitch). The corporate environment is a strange place with no staff to carry your bag, drive your car, or turn your hopes and dreams into overly complicated slides. Not that you could ever deal with it before anyway, with that 10-versions-out-of-date tool in your favorite GovCloud.
Says things like: “We should classify all our documents with mandatory access control labels, how hard could that be?”
14. Tech CISO Turned Corporate CISO
Comes into a traditional Fortune 500 company from the cutting edge of technology and does a rigorous analysis of what could be kept on-premise or even repatriated from the cloud. Is then puzzled by the reaction of the one data center technician who’s still around after years of migration to the cloud. Is also shocked by the total disinterest of business executives in saving 20% of their cloud bill by spending 550% of that bill rebuilding data centers and rehiring a bunch of high-end IT staff who would never actually dream of relocating to Nowheresville.
Says things like: “Surely it won’t be difficult to bring the Kubernetes cluster back from the cloud into the new hosting facility offered at a huge discount by that really good and totally trustworthy Chinese data center provider?”
Isn’t always totally sure what CISOs want or what the security challenges of enterprise IT departments actually are. But they can create a CISO Advisory Board to have CISOs and their teams spend several days a year providing a free perspective in return for a dinner and a Board advisory role carrying the hope of a 1-in-100 lottery ticket result from one of the portfolio companies.
Says things like: “We’re aiming to create a unique advisory Board experience and introduce you to as many former heads of Unit 8200 that you can handle.”
16. Cyber-Savvy Board Member
The director who turned up at the Board meeting to be told, to their surprise, that they’re now the designated cyber expert per the new guidelines. When asked how they got this plum assignment they are told by the Board Secretary that their resume shows that at one point in their career they had IT reporting to them. Also, apparently they serve on another Board of a company that’s had so many breaches that it’s given them vital experience for this role.
Says things like: “I’m now a cyber expert. I once met an NSA person at a cocktail party.”