Product Development & the CISO

By Adam Montville, Chief Product Architect, CIS

The theories

Have you ever wondered how CIS decides which products to develop? Rather than reinvent the wheel, we look to others for ideas and insights. Specifically, we are leveraging ideas from:

  • Marty Cagan’s book Inspired
  • Strategyzer’s Business Model© and Value Proposition© canvases
  • Anthony Ulwick’s Jobs To Be Done concept

The Jobs To Be Done concept is not new, and it’s an integral part of designing a good value proposition. The Jobs To Be Done concept is also behind Strategyzer’s Value Proposition Canvas (VPC), which looks like this:


There are two sides to the VPC. The right, circular side is intended to model a specific customer segment. In this case, the customer segment is a set of non-industry-specific CISOs. (Why? CISOs are one group of people that use CIS’ products and services.) There are CISO jobs to be done, pains the CISO experiences, and gains he or she would like to realize. The left, square side is intended to model a company’s products and services, and how those relieve pain and create gains. By modeling the right and left side of this canvas, an organization can determine how well their products and services fit with the given customer segment and literally design awesome value propositions.

Putting it into practice

Earlier this year, the CIS product management team met in Austin, TX, and brainstormed a CISO’s “jobs to be done.” We tried to look at all types of jobs – not just functional jobs, but those “jobs” that may be personally important to a given CISO. For example, getting a good night’s sleep and increasing her pay are two “jobs” in which a CISO might be interested.

What became clear is that we seem to know far more about the functional jobs of a CISO than we do about the personal jobs of a CISO – this is an area for our ongoing improvement as we grow our product development discipline at CIS. Some of the jobs we came up with included:

  • Establishing enterprise policy
  • Providing thought leadership
  • Assessing compliance
  • Assessing enterprise risk

The results

We came out of Austin, TX, with a more-or-less complete right side of a VPC – in other words, we believed we had a good representation of a CISO’s jobs to be done, their pains, and their gains. Then we validated these jobs with real-world CISOs, including our own Sean Atkinson. We asked CISOs to categorize the jobs according to high, medium, and low priority, and then to rank order the jobs in each category. The results are depicted below.



What we found most interesting about this categorization validated what we suspected all along: The CISO is setting policy and direction in a way that cares about risk management and communication. Others in the organization’s security or risk management program are likely to take on technical security tasks and support functions.

Put another way, we might be inclined to say that continuous risk management and communication are the highest priorities for a CISO. The medium priority starts to get into the more process-focused aspects of a security program, and the low priority appears to be the more procedural things. A clear takeaway for us is that as we develop products with an eye toward serving CISOs, we’re going to want to focus on various aspects of risk management and communication.

As we grow our product development discipline, CIS is interested in continuous validation of our discoveries. We would love to hear from you with regard to these CISO jobs to be done – especially if you are a CISO or the equivalent for your enterprise organization.

What are your CISO “jobs to be done”? How does your team develop a VPC? Take the survey and let us know.