These responsibilities can deviate for every company. From ensuring that ongoing employee security training is effective, to managing security teams and overseeing the company’s information security practices and policies, CISOs wear a variety of hats. In the business world we, therefore, see different kinds of CISO’s. The difference lies in their expertise.
We can distinguish three different types of CISOs:
- Technical-oriented CISO (aka TISO)
- Policy-oriented CISO (aka BISO)
- Strategically-oriented CISO (aka SISO)
The Technical Information Security Officer (TISO)
The TISO is specialized in managing the technical security issues. He works in the system development areas to ensure proper technology risk considerations are addressed at each phase and provide proactive solutions to correct exposures or mitigate risk. He will also interpret security standards, procedures, and guidelines for multiple platforms and diverse environments in designing solutions, recommending enhancements or defining mitigating controls to existing systems.
The technical CISO knows what the organization needs before they know what it needs. His job is to design a security program that only does one thing, support / enable the company’s objective. The most difficult task for this CISO is to get approval from the CEO for his recommendations and projects. Because the TISO is focused on the technical side of information security, it can be difficult to properly describe this to the management of the organization.
The Business Information Security Officer (BISO)
The BISO specializes in information security issues relevant to the business such as how to securely implement customer-facing technologies and how to appropriately protect customer information. A major purpose of the BISO is to ensure that the business unit or division understands that information security is a business requirement like any other business requirement. This individual also assists in the implementation and translation of enterprise security requirements, policies and procedures. Additionally, this individual should perform self-assessments or, at a minimum coordinate identified business related security issues. Ideally, a BISO should be embedded in each major business unit or division. BISOs should report to business management.
The Strategic Information Security Officer (SISO)
The SISO specializes in translating high-level business requirements into enterprise security initiatives and programs that must be implemented to achieve the organization’s mission, goals and objectives.
Which type of CISO does your company need?
Always check first if the type of CISO you have is what you require. You may infer that more than one CISO type might be needed for your organization – you may be correct. In fact, for many organizations, one CISO is not enough.
Lisanne Klein is an information security specialist with a great interest in CISO and GDPR. She is a valuable force in our team.