There are two types of Chief Information Security Officers (CISOs): those that are brought in to develop and implement a new Information Security Program (greenfield approach) and those that are brought in to create a transformation and turn the security of an organization around (brownfield). Which type of CISO are you? If you're not sure, don't worry - in this blog post we will discuss the differences between greenfield and brownfield CISOs, so you can figure out which one best describes your experience.
Think about it: companies are created, or evolve to a point, where security now needs to be addressed. Suppose there has never been a security program in place before, and then the company experiences a breach or takes on a contractual obligation that requires one. These companies have no precedent of cybersecurity leadership. They have no cybersecurity strategy, no information security program, no GRC program, no incident response plan, no data governance, and no policies to support any of these. In these cases, the CISO faces a lack of momentum and is responsible for creating the change in the organization that is needed to build a culture of security. This is the greenfield CISO.
On the other hand, brownfield CISOs are brought in when there is already an existing security program that is failing. In this case, the CISO has to come in, figure out what's wrong, and turn it around. In companies that have a pre-existing security program, a new CISO is walking into an established system. It may have gaping holes and flaws, but it may also be overly restrictive and create a lot of tension between teams. The CISO may be walking into a company where every team circumvents cybersecurity at all costs because the processes are so painful that nobody wants anything to do with implementing the organization’s controls. It can be challenging to work against those preconceptions and make positive change, especially when the previous CISO was wildly different or left a strong impression on the organization.
Regardless of type, the CISO has to build relationships and partnerships within the organization. Any changes, for both kinds of CISO, require planning and methodical execution so that the organization is on board. The ideas need buy-in from all levels of the organization. The CISO's job is to work with, and educate, the Board of Directors, the Executive Team, and every layer of the company across departments, in order to build a culture of change, identify and mitigate risks to the organization, and drive the adoption of better information security solutions, plans, policies, and procedures.