There are 2 Kinds of CISOs — Which Kind Does Your Business Need?

If you’ve ever tuned in to The Virtual CISO Podcast, you know that at the end of every show host John Verry (Pivot Point Security’s CISO and Managing Partner) asks our guest to name a real personal or fictional character whom he or she thinks would make a great CISO or a terrible CISO, and why. It’s a fun “tradition,” but it also sets up some thought-provoking insights into the CISO role.

One of the coolest answers to date came from Andrew Van Der Stock, Executive Director of the OWASP Foundation and a leading expert on web application security.

Andrew says: “I think we’ll go with ‘horrible CISO,’ because it’s easier. I would nominate Fry from Futurama. Because he always says, ‘Here, take my money.’ You don’t want to be led that easily as a CISO. You need to have a philosophy, and a way of thinking about conceptual integrity. Not because someone’s yelling at you. Not because it’s fashionable. Not because a tool vendor took you to lunch.”

“Or the guy whose security strategy is driven by the Gartner Magic Quadrant reports. ‘I got one of them, and I got one of them, and I got…’,” echoes John.

Andrew explains further: “So there are CISOs who are going to be basically just keeping the lights on. They need to have a steady hand, be the voice of calm, and just make sure all the basics are done. That’s fine. But if you’re the sort of CISO who’s being brought in for a transformation to enable secure business and take the organization to the next level, you are a different type of CISO, and you need to be proactive.”

“You need to have a bit of a vision about where you want to take it and how it can actually work,” Andrew continues. “You cannot say, ‘I’m going to implement such-and-such a banking solution from three years ago,’ and call that transformation. You need to think about what it is the business really wants to achieve. There are CISOs that are good for that, and there are CISOs that have a very steady hand. I think there’s two different types.”

John recalls a parallel with podcast guest Dan Schroeder: “If you have a CIO who loves technology, that person might be able to keep the lights on. But if he loves the business, he can help you transform. So I think to your point it’s the same analogy. You need that CISO to love the business as much as he loves the technology.”

“Those sorts of people who can take you to the next level, can transform your business — when you find them, look after them,” Andrew advises.

“I think it’s also recognizing who you are as a business,” John clarifies. “That person who has that ability to solve security challenges of that nature that will help you transform a company… if you don’t need that skill set, and you just need a guy to keep the lights on, hire that. But if you need someone to transform you, don’t hire the guy who’s going to keep the lights on.”

If you’re concerned with web app development, don’t miss this podcast episode with thought leader Andrew Van Der Stock. Click here to listen in, and to check out our other podcast shows.
