Mary K. Pratt
Contributing writer

Strategic? Functional? Tactical? Which type of CISO are you?

Feature
24 Feb 2025 | 9 min read
CSO and CISO | Human Resources | Security Practices

Research shows various ways to classify CISOs based on role expectations, strengths and experience – distinctions that matter when it comes to ensuring that security leaders land in jobs where they will succeed.

[Image: business people in a lively discussion, led by a charismatic leader. Credit: Jacob Lund / Shutterstock]

When executives at a startup asked security leader George Gerchow to advise them on selecting a CISO, Gerchow recommended finding a security chief who had the skills to scale a security program, handle an incident, and engage with customers.

The company instead hired a highly technical CISO, one who worked like the hands-on architect Gerchow had been but lacked the leadership skills that were needed to calm clients when a security event eventually occurred. That skills deficit left the CEO scrambling to fill the void and customers feeling dissatisfied.

The story shows that the CISO was the wrong type for the role, says Gerchow, faculty at IANS Research and interim CISO/head of trust at MongoDB. The anecdote and Gerchow’s observations highlight the idea that leaders — including business executives broadly and CISOs in particular — can be classified into different types.

Proponents of this perspective say security executives should know the types of CISOs they are and which ones they aspire to be so they can match their talents to the tasks at hand, increasing the chances of success in their roles.

“You have to put yourself in a position to succeed,” Gerchow says.

Just how many types of CISOs are there?

The 2025 State of the CISO report from IANS Research and Artico Search offers three CISO types: strategic, functional, and tactical.

Others have longer, more diverse lists of CISO types. Forrester Research, for example, has explored the concept of CISO types in multiple reports over the years. It issued its most recent update on the topic in a December 2024 best-practice report titled “The Future of the CISO.” That report lists six:

  • Transformational CISOs, as in program-builders or turnaround agents.
  • Operational CISOs, often early-career CISOs who are closer to the technology and work at small-to-midsize companies where they still perform some technical duties.
  • Compliance CISOs, that is, risk experts typically found in highly regulated industries.
  • Steady-state CISOs, who, in contrast to the transformational type, keep everything on an even keel.
  • Customer-facing CISOs, usually found in technology vendors, cybersecurity companies and the B2B space, where they need to talk about trust in the company’s products.
  • Post-breach CISOs, the person who parachutes in after an event and leverages a history of post-incident experience to help the organization weather the storm before moving on to another such assignment.

Some CISOs can morph between types

Research shows that CISO positions have “clear distinctions in terms of needed skill sets and experiences [which] really help shine a light on what [a company] wants in the role,” says Forrester vice president, principal analyst, and report co-author Jeff Pollard.

Pollard says these categories aren’t necessarily rigid, as security execs often have traits from more than one. Moreover, he says they frequently morph from one dominant type to another as their positions evolve, their careers advance, and their personal requirements change.

He cites the case of one CISO who had fallen into the transformational bucket throughout much of his career but later became a steady-state CISO for various reasons, including a personal desire to limit work-related travel.

Others offer their own list of CISO identities.

Jon France, CISO at ISC2, a nonprofit cybersecurity training and certification organization, offers one, saying that “there are certainly different types of CISOs, just as there are different types of CEOs.” He sees some who are more entrepreneurial and growth-oriented, which generally leads them to work in startups and rapidly growing small companies.

He describes others as steady-state CISOs, leading relatively mature security functions in organizations that have moderate levels of compliance needs. Still others he identifies as the “right-of-the-bang” CISO “brought in to fix something.”

He also talks about CISOs who are evangelists, “always looking to the future,” saying they’re often in the consulting world, in emerging tech, and on the speaker circuit.

France describes himself as partly a technologist type, having come up through the IT ranks, and as a visionary CISO, as he’s expected to “have a point of view of what, say, quantum will mean for our industry.”

As the needs of an enterprise vary, so must the CISO

When asked to consider his own type, Randy Gross, CISO at the nonprofit professional and IT certification association CompTIA, comes up with “pragmatic.” “My job is to eliminate undue technology risk so [the business] can operate freely. I’m crafting security solutions to allow the business to flourish,” he explains.

He also uses the term “technical CISO,” saying “I have to know what the benefits are of different technologies we want to use.” And he uses the label “advisory,” noting that he must provide the business with “Here’s the risk, here’s what I’d recommend, here’s how we can move forward.”

Furthermore, he notes his role’s “transformative” component, where he’s moving the security department through crawl and walk to run mode.

Gross says that his mix of CISO types reflects how the typical CISO role is constantly evolving and expanding. “It’s rare to see a CISO just in one category,” he adds.

That said, Gross stresses that even though the demands on CISOs can vary, the position from one organization to the next has more in common than not. All CISOs, regardless of how they may be labeled, need to have roughly the same foundational business acumen and technical knowledge to succeed as security chief.

“That is similar to the other executive roles,” he says. “If you don’t understand the business, its goals, and trajectories, as an executive you’re going to fail.”

In fact, those commonalities among CISO positions have some pushing back on the idea of CISO types.

Tyson Kopczynski, co-founder and CISO in Residence of the Professional Association of CISOs (PAC), is a skeptic on the issue.

“It’s our opinion at the PAC that the role actually needs to be standardized. Not the highly fragmented mess we see now. Instead, a CISO would need to meet a certain bar to be accredited. This is very much like a doctor or lawyer. While there might be specializations (kind of like a patent attorney), all CISOs should have the same base skill set, unlike what we see today,” he says.

Matching CISO type to the role

Still, Pollard and others contend not only that there are CISO types but that it’s important for security chiefs to have a sense of which one they are.

Pollard points to one security leader who is now a CISO at his fifth startup “because he loves to build a program, he loves being around developers and solving problems. He knows he’d be bored in other roles.”

He adds: “It’s so important you know your type and the role you’re going into is the thing you care about, it’s what you’re energized by.”

Longtime security leader Helen Patton shares similar views. “CISOs are not one homogenous group. Within the title of ‘CISO’ there are many sub-types,” she says in a post she wrote on the topic.

Various factors influence what type of CISO a company may need, says Patton, a former CISO now working as a cybersecurity executive advisor at Cisco. A large, older company with a big, complicated tech stack will need someone with different skills, experience, and leadership qualities than a cloud-native startup that’s rapidly growing and changing. A heavily regulated industry such as financial services, healthcare, or utilities needs someone steeped in how to navigate all the compliance requirements.

Like others, she says the buckets are somewhat porous, allowing movement from one to another.

Patton says she has moved from a traditional CISO role leading an enterprise security team to a role as a product CISO at Cisco with responsibility for the security in products, to now a field CISO, working with the company’s sales organization to help its customers incorporate Cisco products into their technology stacks.

How a CISO starts can guide their career path

The path professionals take to the CISO seat also influences what type or types of CISOs they tend to be, adds Matt Stamper, CEO, CISO, and executive advisor with Executive Advisors Group as well as a board member with the ISACA San Diego chapter.

Different career paths forge different types of executives, he says. Those who advanced through technical roles typically retain a technology bent, while those who came up through governance and risk functions usually gravitate toward compliance-focused roles.

All that said, Stamper, Patton, and others acknowledge that most CISOs don’t readily label themselves. They’re not identifying themselves as one type of CISO or another.

Nor must they.

Yet at the same time they say it’s important for security professionals — like leaders in any other role — to think about their strengths, talents, and the like so they understand which roles best match what they offer.

“CISOs should and tend to lean into where they’re gifted,” says Jenai Marinkovic, vCISO and CTO with Tiro Security and a member of the Emerging Trends Working Group with the IT governance association ISACA.

Marinkovic believes her “gift is more in strategy infrastructure and understanding where the future is going to go, where the business is going to go, and then determining where the architecture needs to go.”

Like Gerchow, Steven Martano, IANS faculty and a partner in the cybersecurity practice at Artico Search, has seen what happens when a CISO and a role are mismatched. He cites the case of one company with a tactical, steady-state CISO that saw itself get outpaced by competitors with agile security programs led by transformational-type CISOs.

“That’s why it’s important for companies and CISOs to be honest with themselves about where they fit in with these roles,” Martano says.