February 19th, 2020
Adam Stone, VP, Consulting Services
Not all security leaders are alike. Though this statement is obvious to most, many folks in this industry have a difficult time articulating exactly what makes one security leader stand out from others. Does s/he exhibit technical acumen? Business savvy? Strong financial instincts? Skillful sales and marketing reflexes? Effective organizational skills? Could it be the case that security leaders maintain certain aspects of all these traits (and more)? According to a trio of researchers affiliated with the Building Security in Maturity Model (BSIMM), information security leaders tend to fall into four “tribes” with differing approaches to security management. In a whitepaper entitled, “Four CISO Tribes and Where to Find Them,” authors Gary McGraw, Sammy Migues and Brian Chess assert that security leaders exhibit character traits that skilled observers can both identify and measure. In descending order from strategic to tactical, each “tribe” of security leaders carries its own strengths and weaknesses. Ultimately, the authors suggest that the security leaders who can appreciate and learn from the differences between the tribes are those best situated to creatively lead organizations into the next iteration of information security management. Secure Digital Solutions (SDS) agrees with this conclusion. We observe that, in general, these tribes describe individuals with increasing levels of information security process maturity, where Tribe 4 is the least mature and Tribe 1 the most (see image below).
Using tribes as the organizational foundation of their study, the authors interviewed over two dozen Chief Information Security Officers (CISOs) working for large corporations. During the interviews, the researchers used a set of three security “domains” with eighteen “discriminators,” or approaches to addressing information security topics. For each discriminator, the researchers translated each CISO’s survey responses into statements that best approximate his/her management philosophy. Using this approach, CISOs can identify their tribe and use this information to determine what steps are necessary to elevate oneself to the next level (for instance, transitioning from Tribe Four to Tribe Three, and so on).
The researchers’ method to establish “tribal membership” among CISOs is similar to the method SDS developed for the TrustMAPP® Performance Management System. Instead of narrowly assessing the qualities and character traits of the security leader separately from the function, TrustMAPP enables organizations to use process maturity as the baseline metric describing the effectiveness of the entire information security function (which includes people, processes and technology). The goal of both methods is the same: use quantitative and qualitative data to identify current state, while leveraging this knowledge by taking steps to reach the next level. In place of “discriminators” however, the TrustMAPP System evaluates process maturity across six maturity “attributes,” as illustrated below.
Prior to conducting a TrustMAPP assessment information security leaders set a maturity goal for their organization, typically on a scale of 1-5 (see maturity levels defined below). After completing a TrustMAPP assessment, an organization can quickly identify which business processes fall short of the maturity goal. Using this data, information security managers can communicate a meaningful message to executives and develop plans to improve. After nearly five years of capturing data from the TrustMAPP system, we observe that security leaders and their functional area transition slowly and methodically from one level of process maturity to another in manner not unlike the different tribes defined by the authors of “Four CISO Tribes and Where to Find Them.” In other words, security leaders (like business processes) fall along a continuum of maturity – where one learns from and builds off the previous level.
How can you leverage the power of understanding your tribal membership and information security program maturity relative to your maturity goals? The TrustMAPP Platform makes the process simple and efficient. Information security leaders can use the ideas advanced by the McGraw and team in combination with one or more industry-accepted frameworks to build an assessment that captures both dimensions. We designed TrustMAPP to make the assessment process nearly painless. In four steps, you will benefit from TrustMAPP’s reporting metrics to plan for process improvements.
If you are interested in elevating your professional maturity and improving your organization’s information security program, contact Secure Digital Solutions today at 952-544-0234 from 9am-5pm Central Time, or email us at email@example.com.