The CISO's Craft: Watchmaker or Gardener?

  • Phil Venables

Some time ago I saw a comment about the distinction between acting like a “watchmaker” or a “gardener” when undertaking organization transformations. I misplaced the original reference so, unfortunately, I can’t credit appropriately. But, I’ve been thinking a lot about what this would mean in the context of security leadership. Specifically, should the CISO be a watchmaker or a gardener, or both?


The Watchmaker CISO: Precision and Control

Imagine a master watchmaker, meticulously crafting each tiny gear, spring, and lever. Every component is designed with a specific purpose, precisely adjusted, and perfectly integrated into a cohesive, functional whole. This is the essence of the Watchmaker CISO.

The Watchmaker CISO operates with a strong command-and-control philosophy. They believe in clearly defined processes, rigid standards, and an architecture where every security control is understood, documented, and precisely tuned. Their focus is on building a robust, predictable, and highly controlled security environment. They might invest heavily in detailed policies, comprehensive frameworks, and centralized tools that provide a granular view of every system and potential vulnerability. Change is often managed through strict change control processes, and deviation from the established norm is seen as a risk.


Strengths of the Watchmaker Approach:


  • Predictability: A well-designed watch is highly predictable. Similarly, a Watchmaker CISO aims for a security program that operates with minimal surprises.


  • Auditability: With everything meticulously documented and controlled, compliance and audit readiness are often high.


  • Strong Foundation: This approach can build a very strong, fundamental security posture, especially in highly regulated industries.


Weaknesses of the Watchmaker Approach:


  • Rigidity: The digital landscape is not a static mechanism. A rigid, command-and-control approach can struggle to adapt quickly to new threats, technologies, or business demands.


  • Siloed Thinking: Focusing on individual components can sometimes lead to a lack of holistic understanding or collaboration across different teams.


  • Burnout: The sheer effort required to meticulously control every aspect of a large, complex environment can lead to CISO and team burnout.


The Gardener CISO: Cultivation and Nurturing

Now, consider a skilled gardener. They don't control every leaf or dictate the exact growth pattern of each plant. Instead, they prepare the soil, provide the right nutrients, ensure adequate sunlight and water, and prune when necessary. They cultivate an environment where the garden can flourish organically.

The Gardener CISO adopts a more adaptive, holistic approach. They understand that security is not just about technology, but also about people, culture, and processes. Their focus is on building a resilient security ecosystem, empowering teams, and fostering a security-conscious culture. They might champion security education, embed security champions within development teams, and focus on establishing principles and guardrails rather than dictating every single control. They trust their teams to make sound security decisions within a well-defined framework and adapt as needed.


Strengths of the Gardener Approach:


  • Adaptability: A thriving garden adapts to its environment. Similarly, a Gardener CISO's program can more readily adapt to new threats and business changes.


  • Empowerment: By empowering teams, security becomes a shared responsibility rather than solely the CISO's burden, leading to broader ownership and innovation.


  • Resilience: A diverse and healthy ecosystem is more resilient to unexpected shocks. This approach builds resilience through distributed security knowledge and capabilities.


Weaknesses of the Gardener Approach:


  • Perceived Lack of Control: Some stakeholders might view this approach as less structured or "loose" if they are accustomed to a command-and-control model.


  • Requires Trust: This approach heavily relies on trust in individuals and teams to make good security decisions, which might be a challenge in organizations with low trust levels.


  • Initial Investment in Culture: Building a strong security culture takes time and consistent effort, and the results might not be immediately quantifiable.


Which Approach is Best? A Blended Future

So, which approach is best? The answer, like many things in cybersecurity, is nuanced. The modern CISO cannot afford to be only a Watchmaker or a Gardener.


A purely Watchmaker approach risks becoming too rigid and slow in the face of dynamic threats. A purely Gardener approach, without a strong foundational structure, risks an inconsistent security posture.


The most effective CISO is, unsurprisingly, a hybrid. They possess the Watchmaker's ability to design robust, foundational controls and understand the intricate mechanics of their security systems. But they also embody the Gardener's wisdom to cultivate a strong security culture, empower their teams, and adapt to the ever-changing digital environment. They understand that while some elements require precise engineering, others need space to grow and evolve.


The CISO's craft is about striking a delicate balance: building a security program that is both meticulously engineered and organically resilient. Above all, the CISO needs to know when, and in what situations, to be a Watchmaker and when to be a Gardener.
© 2020 Philip Venables. 