I Hack Fortune 500s for a Living. These Are the CISOs I’m Afraid of.
As someone who is regularly hired to hack Fortune-500 organizations to find their weaknesses before nefarious groups do, I’ve had the opportunity to work alongside — and go up against — many different types of security leaders.
Some are technical, while others thrive on adrenaline. Some dig deep into the weeds, and others prefer the overhead view of the C-suite. Each brings something unique to the table, but I’ve found that one type is consistently more formidable than the others and has the capacity to drive change — not just in security but across the entire business. Here are the most common types of CISOs I encounter.
First, there’s the firefighter CISO. Adrenaline junkies who thrive on quick wins and like to move fast, these security leaders are typically hired after a major breach. They drop in, assess the situation and move quickly to put out fires and install security basics. They last about 18 months — whether that’s because they get bored when the fires die down or are not equipped to take the security program to the next level. But in most cases, they leave of their own accord to fight the next fire.
Then you have the technocrat CISO. This person is great at operating a network and managing a security team. They often come up through the ranks and have longevity at an organization. They love the technical challenges, learn by doing and are adept at locking in more budget. Yet, despite their tenure, these CISOs struggle to drive process changes at the business level and often focus on reporting operational metrics such as the number of patches deployed, tools implemented, alerts received and investigations conducted. Their teams love them, but they are often left out of the C-suite. So they continue to deploy more tools to try to create a more secure program.
The final type, and often the most successful, is the risk management CISO. These individuals are business leaders first, security leaders second. They ground their decisions in business objectives and are fluent in the language of business. Often more comfortable making PowerPoints than writing YARA rules, they sometimes have a technical background but often don’t. Focused on resiliency and risk reduction, they’re not finding and fixing bugs; they’re measuring and reporting on risk, quantifying it in dollars saved whenever possible. They are highly skilled at getting institutional buy-in and driving change across the entire business.
I’ve worked with all three types. At my core, I’m an offensive security guy who’s building a platform that automates red-teaming, and below I’ll outline the attributes of the toughest CISOs I’ve ever gone up against.
Security Isn’t the End Goal
The best CISOs I’ve worked with are those who recognize that security is not an end; it’s a process. Security is not a destination; rather, it’s a service that enables the business to keep going. You’d be surprised how many CISOs don’t recognize this distinction.
This CISO knows their primary objective is keeping the business running, not stopping clever attacks. They recognize that security serves a greater goal — the company’s primary purpose — and that every decision must be made through this lens. Sometimes, that means less “security” may be the best answer.
A company’s “primary purpose” could be ensuring that a rig keeps producing, trades continue to be placed, or an airplane arrives safely. Almost never is security the overarching mission. With this mindset, the risk management CISO uses technology to service the organization so it keeps on running.
Identify What’s Most Important to Protect — and Its Exact Value
One way to identify a truly great CISO is to ask them what they are protecting. Again, you’d be shocked at how many security leaders don’t have a good answer. Great CISOs can tell you in an instant not just what they protect, but how valuable the asset is to the business and the consequences of failure. (And no, “everything” is not an answer.)
They know what matters most to the business and build their programs around protecting those assets first. They don't ask what’s most vulnerable or ask outside consultants to identify what to patch. They know the cost of downtime, a reputational hit or regulatory fines. They quantify the cost of security, seek outside expertise to assess likelihood and then make a risk-based business decision. They understand the consequences of failure — and what level of failure is acceptable.
Protecting what matters most makes my life as an adversary harder. I may be able to quickly gain initial access, but getting to anything of value undetected is going to be a more difficult task when this CISO is in charge. This CISO knows there are things not worth “fixing” because it’s too expensive, but I know that anything important is likely locked down and highly monitored. In fact, they might be well aware of a bug that needs patching, but know that the impact doesn’t justify addressing it because patching is too expensive, and if I hack it, it really doesn’t matter. Instead, they might put up another control or segment something, which creates less friction in the workplace.
The Only Language Is Business
Most importantly, a risk management CISO has the ability to successfully communicate with the business arm of an organization. They speak the language of business and know how to frame problems in ways the C-suite will receive — by outlining the implications and cost of a security problem.
They start with potential impact, and then dig into the details and outline solutions. For example, if the CISO wants to mitigate the risk of something bad happening and knows it’s too expensive for the business to turn it off, he or she might opt to deploy network segmentation or add new firewall policies. In other words, they set up other controls that are less expensive to the business, yet they curb the risk of me getting in.
This CISO is always optimizing for business value, trading off security and cost for the best possible outcome. They understand the business’ goals and prioritize control, effort and spend in accordance with the needs of the business. There are a lot of passionate and smart people in security, and most security leaders I work with know what needs to be done. But it takes more than will to make my life as an adversary harder — it takes institutional change.
The CISOs who truly move the needle are those who recognize the role of security in the business, understand deeply what they are entrusted to protect and use that understanding to communicate objectives for security the business can understand and support.
It’s this type of leader that organizations should seek out and that those who aspire to leadership roles should look to emulate — because I’m going to get inside some way or another. The only question that matters is: Who is going to make me work the hardest to get there?