Which CISO Tribe Do You Belong To?

Published: 22/11/2024   Category: security


New research categorizes CISOs into four distinct groups based on factors related to workforce, governance, and security controls.



If you're a CISO or another level of security manager, new research predicts you will fall squarely into one of four tribes depending on the nature of your role and how the overall organization approaches cybersecurity. Each tribe has a different approach to serving as a CISO.
This is the crux of the inaugural CISO Report published today by Synopsys. The research spanned two years and involved 25 interviews with CISOs at companies including ADP, Bank of America, Cisco, Facebook, Goldman Sachs, JPMorgan Chase, Starbucks, and US Bank.
The driving idea was to learn how individual CISOs perform compared with one another, what CISOs actually do all day, and how their work is organized and executed.
"The coolest thing was that CISOs were so eager to find out what we were going to find out," says Gary McGraw, vice president of security technology at Synopsys. Most CISOs stay within their organizations and lack data to measure performance. This study aimed to collect data that would help CISOs learn where they stand and how they can improve.
There is no universal blueprint for the CISO, but there are common factors researchers used as a basis for comparison among the CISOs they interviewed. These included workforce (organization structure, management, staff), governance (metrics, budget, projects), and controls (framework, vulnerability management, vendors). The three domains helped organize the results.
Based on the data collected, researchers identified four groups of CISOs. These include:
Tribe 1: Security as an Enabler
Tribe 2: Security as Technology
Tribe 3: Security as Compliance
Tribe 4: Security as a Cost Center
"The tribe is an assignment that's not just for an individual," McGraw notes. "It applies both to the CISO and the firm they're in." A CISO's tribe is determined by 18 discriminators, or factors used to tease CISOs apart. These include CISO-board relations and program management.
What's your tribe?
Tribe 1 is, "in a sense, the goal tribe," says McGraw. "The board understands security, the firm as a whole knows security is important. Every business unit is aligned properly with security, because security is part of the way the firm does business."
In these firms, the CISO is the highest-level executive under the CEO. Security is business-centric; every division thinks about computer security and security is part of everybody's job. The enterprise focus and the CISO's role as a senior executive set this group apart, McGraw says.
Tribe 2, which treats security as technology, is similar in the sense that these firms have advanced security practices. "These are firms that have moved well past compliance," McGraw explains. The firms in tribe 2 have great CISOs and are doing a great job with security.
However, CISOs in tribe 2 lack the senior executive gravitas of CISOs in tribe 1. "They're senior people, they have a lot of power and influence, but they're not the alpha in the room," he says. In a software firm or another tech-focused company, tier 2 CISOs don't need to aspire to move up because the business is already focused on tech and they don't need the executive pull.
Tribe 3 CISOs struggle because they're often strong leaders who know how to get things done, but their companies prioritize compliance above all else. McGraw says this often happens if a business has had a data breach or gotten into legal trouble. Further, historical underinvestment in cybersecurity means these firms continue to underinvest despite compliance requirements.
"Often compliance is the goal and they can't get their firm to move past that goal," he explains. "Compliance is a bare minimum; it's a low bar. You have to get over that bar, for sure."
Tribe 4 CISOs are often overwhelmed and under-resourced, McGraw says. "They don't really create budgets, and sometimes they don't request budgets. They just get given budgets."
These are often middle-management professionals who are not called CISOs but perhaps director of IT security or a similar title. Their firms are relatively new to cybersecurity and haven't yet begun to prioritize it. McGraw anticipates tribe 4 is the largest group overall, taking all businesses outside this study into consideration.
Improving the CISO's Stance
Knowing your tribe can help change your tribe, a process that requires a shift in business strategy and leadership. The CISO Project report emphasizes the importance of identifying and managing risk, developing and retaining the right talent, and establishing middle management to serve as a gateway from entry-level security roles up to the C-Suite.
Troy Hunt, information security author and instructor at Pluralsight, explains how CISOs can create a security-focused culture within the enterprise. "The objectives of security are often not consistent with the objectives of the business and development teams," he says. Many people want to know how they can make security concepts more pervasive.
One of his recommendations is to get different departments on the same page. If a business has separate security and development teams, there's often tension between the two.
"I've seen a lot of trouble with security and dev teams just getting along and speaking the same language," Hunt says. "There's often a lot of friction when developers think the security team is there to get in their way and stop things from getting done."
Skill development is another key component, he says, echoing the CISO Project report. Hunt recommends finding and focusing on security champions, or people who are particularly motivated to learn more about security. "Find this talent and send them to workshops and conferences," he says, "then have them come back and teach other people."
"There's so much in the industry and so much changing that if you can find those people, that's a really valuable thing," he says.