There is a bigger difference between CISO and CISO than you think

“We target CISOs,” say many IT security businesses – either that, or they say the CISO doesn’t have enough decision power. At Beyond Products we have interviewed many CISOs (for Security Innovation Stories and client interviews), and the question always pops up in my head: are you sure that the CISO is the right audience?

Understanding the CISO landscape

No CISO was born equal. Beyond the job title, there are huge organizational differences. A municipality’s CISO differs entirely from a bank’s or a SaaS’s CISO. The differences extend far beyond just the organization type—they encompass team size, capabilities, budget allocation, and operational realities.

Of course, this idea of differences between CISOs isn’t new. Recently, I read Ross Haleliuk’s article about how “not every security leader works at a Fortune 500 company.” It was a good read, but I wondered: what do the numbers say?

That’s why I decided to investigate:

  • What types of companies have CISOs?
  • How are their security teams structured?
  • What operational capabilities do they have?
  • How many virtual/fractional CISOs are there?
  • Do lots of CISOs choose the ‘interim’ path?

The answers to these questions will be shared in this and future articles.

Research methodology

This research is based on publicly available LinkedIn profile data of CISOs in the Netherlands. The dataset includes organizational information such as company size and industry, all sourced from public profiles. All data was anonymized to protect privacy, with personal identifiers removed during analysis. Important limitation: the analysis is limited to CISOs that have a LinkedIn account.

The current state of CISOs

LinkedIn counts 1138 CISOs in the Netherlands. Given the role’s strategic character, it’s no surprise that most work at larger organizations (57%). From the remaining 43%, a small portion (6%) work at IT security vendors – both products and services. In this last case, their role is generally combined with other job titles, which can vary from product owner to human resources and finance.

If we look at industries, only 16% work at what we traditionally consider enterprise-level companies. A few organizations (particularly banks) clouded my spreadsheet as they have entire CISO offices (these people all popped up in my list).

Enterprise and financial institution CISOs: The full-stack leaders

Enterprise CISOs operate with substantial budgets and executive support, leading large teams of security professionals including dedicated threat hunters, SOC analysts, and security architects. Their organizations face sophisticated threats and complex regulatory requirements, demanding comprehensive security programs across multiple domains.

These leaders spend more time on stakeholder management and strategic planning than on hands-on security work. While they have resources for advanced solutions, they have incredibly complex procurement processes to deal with. Given the sheer investment in security products, they will opt to build their own solutions in some cases, opening the door to services companies rather than product companies.

Government organization CISOs: The compliance jugglers

Government CISOs, particularly in municipalities, often operate with minimal teams or even solo, combining the roles of security leader, privacy officer, and compliance manager. They face the challenge of protecting highly sensitive citizen data, including social security numbers, while working with limited budgets and increasingly sophisticated threats.

The daily reality involves balancing overwhelming compliance requirements with practical security needs. These CISOs spend much of their time coordinating with auditors, documenting processes, and ensuring regulatory adherence, all while trying to maintain effective security controls.

Healthcare and education CISOs: The resource maximizers

Healthcare and education CISOs protect highly sensitive data with chronically underfunded security programs. Education faces additional pressure from declining student numbers, leading to budget cuts that directly impact security teams. Working with small teams, they must combine security with general IT duties while facing strict regulatory requirements.

These CISOs must be increasingly creative in maintaining security with shrinking resources, often acting as both strategist and practitioner. Their teams can’t support complex security tools or 24/7 monitoring, instead focusing on essential controls while trying to preserve basic security capabilities amid budget reductions.

SME CISOs: The multi-hat wearers

SME CISOs operate in environments where security is viewed as a necessary cost rather than strategic investment. With minimal or no dedicated security staff, they handle hands-on security tasks alongside other IT responsibilities, focusing on basic controls and cloud security features while working with unpredictable, minimal budgets.

Their role combines strategic planning with hands-on implementation, requiring broad technical knowledge and strong communication skills. Success depends on effectively leveraging cloud services and managed security providers to achieve maximum impact with minimal resources.

Virtual and interim CISOs: The flexible advisors

Virtual CISOs serve as external security leaders for organizations that can’t justify a full-time CISO. They establish security programs, meet compliance requirements, and guide security investments across multiple clients, bringing strategic expertise on a part-time or project basis. These security leaders must adapt their approach to each client’s unique constraints, focusing on establishing foundational controls and developing security policies while acting as trusted advisors during incidents or major technology investments.

When I started this research, I expected to find a significant number of virtual CISOs – given all the discussions about this model and their active presence on LinkedIn. The data revealed a surprising reality: virtual CISOs are far fewer than anticipated. Even after combining virtual and interim CISOs to get a meaningful sample size, the numbers remained remarkably low. Their high visibility on social media, driven by the need to network and attract clients, creates a perception of abundance that doesn’t match reality.

Implications for security vendors

Understanding these differences has important implications for security vendors:

  1. Organizational differences will result in different priority lists. A manufacturing plant with a lot of IoT risks is not the same as a high-end bank developing its own security technology.
  2. Match solution complexity to the team’s capabilities.
  3. Understand the organization’s security maturity level.

An important question is always the amount of service you’ll deliver with the product. A smaller organization will require more “doing it for them” than a larger organization.

Moving forward

That is too much information for one article, but several important questions remain:

  • How do CISOs actually prefer to interact with vendors?
  • What is the real balance between audit and operational security roles?
  • Which other roles influence security purchasing decisions?

Michelle Wols

Michelle is an expert in understanding target audiences in security and IT, and transforming the product positioning of complex products into sharp, compelling marketing strategies that hit the mark.