Recently, Michael Piacente of Hitch Partners was a guest on the Open Source Security podcast hosted by Josh Bressers and Kurt Seifried. Michael discussed the past, present, and future role of the CISO in the industry.
On occasion we have guest bloggers contribute on our site. Today, we have an excellent and educational piece from our friend, the talented Brian Castagna from Oracle Cloud’s Infrastructure Edge Services (formerly Dyn). In this piece, Brian has captured both the practitioner and executive search angles. Thank you to Brian for his time and contribution. We hope that you enjoy and share this piece with others in the community.
Brian Castagna, Director of Information Security, Oracle Cloud Infrastructure Edge Services
Wanted: A Purple Squirrel
Position: Director of Security Architecture and Engineering
Scripts in Python
Codes in Go
+10 Years in Cloud
Lots of Blockchain
DevSecOps (whatever that means)
Can run a 0 day vulnerability incident with 20 cross functional team members
Knows PCI DSS & FedRAMP
Ability to present to the Board of Directors
Can speak with customer CISOs
Pre-sales security support
Embrace company culture and mascot Rusty the Badger
Speak 3-5 languages, including Mandarin
Does this sound like your search for top information security talent? Finding, hiring, and retaining top tier information security talent is a challenging endeavor. As someone with a passion for building information security programs, I wanted to share my 10 tips for building high performing information security teams.
1. Information Security is a Function, Not a Person.
Sometimes when I look at an information security job posting, I feel like the employer expects a one man or woman band: someone that’s playing the guitar, harmonica, keyboard, and drums all at once. Too often, business and IT leadership view information security as a role for one person in the company.
Information Security is a function. I like to break up this function into three distinct buckets:
1. Risk, Controls, Compliance
2. Security Architecture and Engineering
3. Security Incident Response & Threat Intel
Each of these buckets has varying skill sets that work in tandem for a successful information security program, such as: attention to detail, people focus, technical focus, audit background, hunting, scripting, writing and speaking.
In larger security programs, these buckets can be expanded to functional areas like pen-test red teams, hunt teams, privacy, vulnerability monitoring, etc.
2. Build for Stability
Information security functions are inherently unstable due to the rapidly changing threat landscape, the complexity and velocity of technology changes, systematic underinvestment in information security programs, and the security talent deficit. How do you build stability for something that is inherently unstable? Here are some tips:
In-person matters. I vote human. Security teams function best with person to person interaction with stakeholders.
Hire local. You have two strong candidates. One of them lives 15 minutes from the office, and has been working at a local company for 8 years. The other candidate has lived in 3 cities in the past 2 years, has an hour commute to the office, and is asking to work from home 2 days a week. Hire the local candidate.
Build the security leadership team first. A CISO needs to have a core leadership team of at least 2-5 directors/managers with specialized functional information security competencies.
3. Fight for Your Stakeholders
Who is your favorite person at work? I can guarantee you it’s NOT the person that gives you the ‘not my job’ response all the time. The people we like to work with best are those people that go out of their way to help YOU do your job. In that context, I think of information security teams as service providers, with internal and external stakeholders including employees, customers, auditors, law enforcement, investors, and the board of directors. Providing a high level of service to these stakeholders drives a positive perception from cross-functional teams at the company such as Marketing, Finance, Engineering, HR, and Executives. If people like your security team, and view the team as credible and helpful, it’s much easier to drive security improvements across the org.
4. Be a LinkedIn Stalker
LinkedIn provides a window to quickly identify candidates that have specialized skill sets. For example, when I was hiring for my risk and compliance team, I personally reached out to 40+ experienced risk assurance associates at the Big 4 accounting firms. With the volume of LinkedIn recruiter messages, I have found that candidates are much more willing to respond to a practitioner. From that pool of candidates, I built my own pipeline of 6 or 7 candidates which I gave to my recruiter and started interviewing.
5. Complementary Hiring
That purple squirrel doesn’t exist in the wild, but with enough robotics experience, and a can of purple spray paint, you can create your own purple squirrel. On a serious note, by hiring information security professionals that bring complementary skill sets to the team you can create your own purple squirrel. For example, I need my Risk and Compliance Manager to be a highly organized and detail-focused ex-auditor to handle 400 documentation requests for a SOC 2 audit. Part of those audit requirements include monthly vulnerability scans that my Security Architecture and Engineering team needs to configure, triage, run, and work with engineers to patch systems. If my Incident Response Team detects a threat that is targeting a particular customer, they will work with my security engineering team to assess any outstanding vulnerabilities. An information security team that is highly complementary and integrated creates an information security program that is better than the sum of the parts.
6. Do you Speak Klingon?
The strongest Information Security team members can speak both ‘Engineer’ and ‘Business Person.’ Having engineers view your team as credible is critical for your security team. Credibility comes with speaking their language. Do I know how to code? Absolutely not. Can I get a room of engineers to support me when I talk about “threat models of TCP fragmentation DoS vulnerabilities to the availability of a managed DNS platform”? Absolutely. At the same time, if I speak ‘Engineer’ to the VP of Business Operations, he will look at me sideways. I need to be able to articulate a risk in business terms – tied to customer operations and revenue.
7. Cyber Security Therapist
Often, I feel like I’m a therapist. At least once a month, I get pulled into a conference room because an engineer wants to share a security issue that’s been gnawing at their soul. Here is an excerpt of a confessional from an engineer, Jackie:
“Brian, I was performing my peer code review, prior to accepting Pradeep’s pull request, and I found a hard coded password...”.
Then I said, “It’s ok, go on”.
She continued in a whisper, “The password...it’s...banana”.
If you build trust with your stakeholders, they are willing to share security risks with you. After they share a risk, they walk out of that conference room a new man or woman freed of their security sins.
8. All Work and No Play Makes Jack a Stressed Information Security Professional
Information Security is stressful. The pressures of cyber security attacks, customer security requirements, never enough resources, a fragmented security tooling and technology market, and the complexity of implementing security requirements all add up to a large pot of stress. It’s important to recognize that too much stress and anxiety can have adverse effects on team morale, the health of your employees, and their performance. To help break the cycle of Information Security fatigue, I have a quarterly ‘Team Day’ that typically includes an activity, food and drink. Additionally, I’ll fly in remote employees for the week to be there for team day. The cost of these events is insignificant compared to the cost of losing a team member to burnout, and having to replace them. Successful past team days:
FedRAMP Chicken Wing Party Bus: We completed FedRAMP, and can now sell the federal government cloud services! What better way to celebrate than having a party bus drive around Boston with all of the contributors, 250 chicken wings, and coolers full of beer and spirits.
Two hour kayaking trip in Boston Harbor, followed by lobsters and crab legs.
10 am brunch, then a game of ‘Escape the Room’ – promoting teamwork on a belly full of bacon and waffles.
9. Replace Chaos with Order
The volume and complexity of information security and compliance requirements can be chaotic. One day your Nessus scan spits out 200 vulnerabilities, the next day you have 300 pieces of evidence to gather for an audit and there is a security incident for an encore.
I have put together my teams using an Agile Kanban methodology to track and manage our work queue in a ticketing system. Additionally, that’s fronted by custom ticketing system workflows where other teams can make requests: security architecture review, customer compliance question, vulnerability disclosure, etc…
10. Stay Positive
Most security teams feel undervalued, underfunded, overworked and under loved. They are typically fighting for something – budget, management buy-in, product management prioritization, headcount, or escalation of a security incident. During the fight, it’s critical that you use the momentum built to channel positive energy. Play up the underdog role. Talk about how even with the challenges and headwinds faced within the organization we are making progress, reducing risk, serving our customers, and building a great program.
About the Author:
Brian Castagna is Director of Information Security for Oracle Cloud Infrastructure Edge Services. He has over 14 years’ experience in technology auditing and building information security programs at early-stage technology companies including Jumptap, Acquia, and Dyn (acquired by Oracle). He has expertise in Data Privacy, Security Incident Response, Threat Intelligence, Security Architecture, Security Engineering, Risk, Controls, and Compliance, leading successful security audits across multiple verticals including FedRAMP, HIPAA, ISO 27001, SOC 2, SOC 1 and PCI DSS.
Brian holds various information security certifications including CISSP, CISM & CISA. He holds an MS in Accounting Information Systems and a BS in Computer Information Systems from Bentley University.
In our last blog post, we discussed the diversity gap within Security leadership positions. Though this is a hot topic in our industry, the question of how we, as a community, solve this problem is unclear.
If we work to help balance the scales, we will see improved and innovative problem-solving, greater empathy, stronger emotional intelligence, and better-managed organizations across the board. We need everyone’s help to promote, recruit, drive, and support more women into Security leadership positions.
Below, we have put together a list of pioneering organizations and groups who are enabling a movement of change in the Security leadership space. We support their messages and applaud their efforts. We apologize for any unintentional exclusions from this list.
The OURSA conference was born in 2018 after an uproar regarding the April 2018 RSA Conference. The RSA organizers received backlash after scheduling only one woman on their speaker panel out of 21 scheduled speakers and moderators. OURSA is a “unique security conference” where 26 of its 29 speakers are women. OURSA was started by Facebook’s Chief Security Officer, Alex Stamos, and Google’s “Security Princess” and, more recently, Engineering Director, Parisa Tabriz. We hope to see the OURSA conference return in 2019!
You can stay connected with the group via Twitter @OURSAConference.
The WiCyS initiative was launched in 2013 with support from a National Science Foundation grant. Their mission is to raise awareness about the importance and nature of cybersecurity careers. WiCyS focuses on recruiting, retaining, and advancing women in cybersecurity. They bring together women (students/faculty/researchers/professionals) in cybersecurity from academia, research and industry to share knowledge/experience, network and mentor.
WISP is a national nonprofit organization founded in 2014 that promotes the development, advancement, and inclusion of women in Security and Privacy. They have a strong and defined set of objectives from education, to fostering community, supporting career advancement, creating thought leadership opportunities, and conducting research for recruitment, retention, and advancement.
WSC is a fantastic national organization that was founded in 2012 as a Northern Virginia-based 501(c)3 non-profit organization. WSC’s mission is to advance women in cybersecurity careers by providing programs and partnerships that promote networking, education, training, mentoring, resource-sharing and other professional opportunities. They also have a strong and defined set of objectives including workshops, training, networking events, mentorship, board and volunteer opportunities.
Technology Diversified is a non-profit, 501(c)(3) organization dedicated to providing education and resources that promote employment, peer-support, diversity, and inclusion in technology. I wanted to give a big shout out to their Hacking Diversity event in Las Vegas this past week. Admittedly, I did not attend but the value and mission are right on message. Congratulations on a great event!
Beyond Salons is the brainchild of our friend Jodi Jefferson at Riviera Partners. While not focused specifically in the Security space yet, this unique and fantastic group is about accelerating and connecting female executive leaders in Engineering and Product Management. Women leaders are encouraged to share ideas and stories and pass along advice and best practices between multiple generations of women in tech. Their principles and messaging are spot on.
You can get involved and join an event in the New York area by filling out their “join us” form on their website.
We need your help! Are you aware of other groups, organizations, regular meetups, get-togethers, or forums doing this work on a national or regional level that we have missed? We want to recognize them! Send an email to Michael Piacente (firstname.lastname@example.org) to give them a shout out!
Security is prime for a female revolution to rectify the persistent gender gap in leadership positions. According to a global study done by the Executive Women’s Forum, men are four times more likely to hold C- and executive-level positions and nine times more likely to hold managerial positions than women. The industry is centered around making one tough decision after another while translating tech speak into true business value. Having more female influence would benefit both the overall security and business communities.
In 1995, when I started in the IT space, there was an overwhelming imbalance between male and female IT leaders. In fact, it was quite challenging to find more than a handful of women CIOs within the space. Today, women make up only 11 percent of the cybersecurity profession globally. I was fortunate to join the workforce during a time of great change in not only technology, but also in social and moral focus.
Over the past two decades, IT leadership has blossomed into a more balanced and healthier environment though things are still not where we want to see them. Though IT is a career where highly technical skill sets are valued and desired, over time the need for communicating the value of IT solutions across an organization has given way to a more balanced need between technical excellence and focused influence. Women IT leaders grew up in precisely that space and were amazing at explaining the value of IT solutions as a business need. These women actually came from the business side of IT and truly understood how the inner workings of the company and its data flowed.
Cross-functional, business driven careers such as program management, compliance, and business applications spawned a new brand of women IT leaders that ultimately grew into the first true wave of Woman CIOs. I believe that this positive influx of fresh thought leaders changed how IT was viewed, teams were built, and the business of IT was managed. Today, women CIOs unfortunately still hold a significantly smaller percentage of the overall CIO positions. Women make up 9 percent of IT leaders globally and 10 percent in larger organizations according to a study done by Harvey Nash/KPMG. However, they have created a positive mark in the space and possibly a blueprint for other highly technical skill sets (such as CISOs) to undergo similar transitions toward greater balance.
For the Security space, we expect to see a greater selection of career trajectories leading to the path of the woman CISO. We may not see the vast majority move from Sec Eng/DevOps into CISO/CSOs. Perhaps they will arrive at the CISO position through another path such as Compliance, Security PMO, or Engineering Program leadership. But we are not there yet. As I write this, I am aware that there are fewer than 20 female senior Security leaders (i.e. CSO, Heads of Security) in the San Francisco Bay Area, which is arguably the largest and most mature modern CISO market in the US.
However, the news is not all bad; there are several solid programs working to strike a greater balance. In particular, the National Security Forums and events have been making a strong effort in recent years. For instance, BlackHat has a growing balance of female leaders on both their board and within their upcoming sessions. Parisa Tabriz, a true Sec Ops/SecEng leader, will be kicking off the event as the Keynote. (Yes!!!)
In a follow up piece, we will go over a few ideas for what we and others can be doing in the community to help bridge the gender gap and change this incredibly important space. In the meantime, we would love to hear from others witnessing the lack of diversity in the Security space. What challenges and improvements are you seeing? Please reach out to email@example.com with your thoughts.
In the world of executive recruiting, clients often gauge your value as a search partner based on experience, network, and domain expertise. However, there are other unique skills that a search partner can provide. These skills can make the difference in the success of the search.
One such skill is the ability to effectively play translator between candidate and client. We are often asked to translate the true meaning behind a candidate’s broad and sometimes bold statements during the interview process. For instance, when a candidate tells a recruiter and/or client that they “are open to exploring new opportunities” it can mean a lot of things. It could mean that they are truly evaluating options, just testing the waters, or actively looking and involved in other interview processes. This can make clients wonder if it’s worth the time to invest in the candidate.
While we don’t have magic pixie dust (not all the time, at least :) ), we do build strong relationships with each potential candidate that allow us to ask deeper questions and gauge the proper next steps. We ensure that the client’s message about their position’s scope, value, and growth is exactly in line with the candidate’s claim for what’s next in their career.
During the interview process, candidates and clients are politely playing the professional dance when answering one another’s questions. Our job is to translate for both parties. When the meaning is not obvious, it can lead to interpretation and assumptions which cause trouble for the search.
Here are a few examples of a candidate’s potential response to the question “Why are you looking to explore a new position?” and our translations:
“I’m looking for a cultural change”
Translation: Their current culture may be toxic; there may be decisions being made that they do not agree with; their specialty may not be seen as a key instrument for growth in the company and/or not a strategy focus (despite the company saying it is); or there may be little room for advancement.
“I’m looking to be closer to the business or the product”
Translation: They are not seeing the executive sponsorship that would allow them to be closer to the business or working directly to impact the product roadmap. In a CISO’s case, they have a very unique view of the company’s coveted assets: code and data. Because of their view of how things flow, they are looking to add more value to the business in their next challenge.
“I’m looking for the ability to grow and/or mentor a team”
Translation: They are ready to build/manage a team and/or this was promised in their current role, but it stalled or didn’t happen. This could be an up-and-comer who has not been offered the opportunity to manage a team but feels that they are ready or it could be a more tenured candidate who acquired a team (instead of building one) or had a more substantial team in the past and is now a high-paid individual contributor.
“I’m looking for the ability to drive a full strategy/program”
Translation: They were brought in for some specific technical skill or architecture purpose but have not had the opportunity to build the company’s overall security strategy and/or program. They may have been involved in a small portion, but got a taste of running the full program and want this in their next position.
Please let us know if we can help translate for you.
The onsite candidate interview is one of the most important steps in finding the right senior technology leader. Delaying hiring, or hiring the wrong person, can cause many problems for a company including a lack of direction, lowered morale, underperforming financials and missed sales opportunities.
Our data shows many companies are not investing the time necessary to ensure that a thorough, effective and rigorous candidate interviewing process is followed. We believe each hire should be viewed as a formal project and therefore have a project leader to drive the processes necessary to ensure a positive outcome. One critical element of the process is a coordinated candidate interviewing experience.
Here are a few tips to help your company improve its onsite candidate interviews.
1. Clearly define your interviewers’ roles and what questions they will ask
Assign each member of the interview committee a clear and meaningful role. Interviewers should focus on a mission-critical attribute that leverages their area of expertise. In addition, having interviewers ask the same question to each candidate reduces uncertainty and increases objectivity. If we can identify and guide interviewers at the beginning of the process then we can add value by driving successful habits along the way.
2. Ask strategic questions with no repeats or “dead ends”
Each interviewer should ask materially different questions that help move the committee towards a decision on the candidate. When questions are repeated or do not lead to follow-ups, it sends a message of incompetence to your candidate and makes them doubt the company’s preparation.
3. Ensure each Interviewer is spending time selling the position and the company
During the interview process, there is plenty of time for candidate evaluation, however, each interviewer must spend time selling the candidate on the company vision and the high impact of the position within the corporate vision. Regardless of whether the candidate turns out to be someone the interviewer believes should be hired, it should be the goal of the interviewer to have each candidate walk away from the meeting thinking positive thoughts about the company and culture.
Unfortunately, we typically see the opposite behavior practiced. Often there is only one member of the interview team tasked with selling. Regardless of how strong their brand is, if a company cannot consistently and clearly sell the value of the position during the interview, they will see poor results.
4. Constantly calibrate
We have seen clients list a set of ideal / desired requirements on paper for which << insert your most successful CEO here >> would not be qualified, and certainly not interested at this point in their career. It’s important to balance optimism as well as pragmatism as it relates to the criteria for each hire.
We suggest investing time each week to create a feedback loop to discuss the interview process, review everyone’s roles and questions being asked, and calibrate on everyone’s desires around skill set requirements versus the candidates that have shown enough interest to come onsite for interviews.
Companies should constantly evaluate the level of candidates that can be attracted versus the desired requirements for the role. It is important to not only provide candidates with rapid interview feedback but also get their input in terms of the process and interest level in the role. As the process goes along, the candidate profile will become more clear and expectations may need to be adjusted.
In part one, I discussed how GDPR could positively impact both a CSO’s company and his or her career development.
In part two, I’ll offer a few more suggestions on how CSOs can use GDPR to boost their careers while bringing their team members together.
Know where your Security Program relates to GDPR
For those who have struggled with creating buy-in for compliance issues, you now have a law that provides an excellent teaching moment, but you need an action plan. You can utilize this opportunity to establish, enhance, and/or lock down your security program. With the exception of a few company vertical types, such as those deep in the financial services space, most CSOs have never had anything like GDPR to use as a platform for securing their security program.
Now is the time! You have everyone’s attention and they should be listening. Laws that have penalties large enough to threaten revenue will affect annual margins and in turn affect personal bonuses - which tends to get people’s attention. You will need a streamlined plan, one that is ready to execute, especially when dealing with compliance-focused projects. If you are an incoming CSO, starting with a new company, you should have the framework of your GDPR compliance training ready to go on Day 1.
Your program will only be successful if everyone knows what is going on, your narrative is clear, and scenarios are tested and practiced. Work closely with your non-technical counterparts and compliance teams to lay out and test your plans. Continuously perform application assessments and identify your gaps. Be ready to share your data mapping and inventory practices. Create real-time scenarios that can answer the questions and prepare everyone for responding to inquiries. Consistently practice and enhance your data breach and incident response plans. Be prepared and ready to execute on your program. Many of these procedures should be commonplace in your world, but perhaps not to the average user of the data.
Know what you have under the hood
Simply relying on your tech stack may not go well. Your privacy strategy and technology may be flawed as it relates to GDPR.
For instance, one of the big GDPR misconceptions is that some companies feel that they have a loophole to avoid the regulation because they can anonymize the data. No such luck. This loophole was considered when the terms were crafted and is covered in the “identifier” portion. Even if you have data sets that the regulators cannot see, the data can still lead to someone’s identity. Bits of information can be pieced together which could identify a person and voila! You have yourself an infraction. Of course, this growing area of anonymization and encryption technology using AI/ML is one of the areas where the regulators will likely focus and test companies.
Another area to consider is how you deliver your service. Whether delivered purely in the Cloud, on-prem, or as a hybrid, you will be in scope. In GDPR, there is not a huge difference. If you are billing customers, collecting data and creating telemetry then you are under the obligations. It may even start at the code level if you are a SaaS company. That is why it is critical to work closely with your Engineering and Product teams to create better visibility and enhance their awareness of policies and best practices (see Privacy by Design as a reference).
Don’t forget about your third-party vendor relationships and related obligations. This is the likely chink in the armor for most companies and an area that the GDPR regulators will surely focus on. You may be in a situation where you need to drive revisions or even replacements for your User Agreements and 3rd Party Data requirements.
Know how GDPR can position you to help drive Sales enablement
As highlighted in previous blogs, the sales enablement function of the modern CSO is becoming one of the larger scoped components and a key metric of success. This is also another area where GDPR provides a unique opportunity to get closer to the business side of things.
You will need to pay close attention to the following things:
- How your marketing and sales departments are using data
- How your User Agreements are written
- What policies are listed in your customer contracts
- What your 3rd Party Agreements look like
In any scenario where data is collected, mapped, stored, and otherwise used, there is an opportunity to teach the user community the best practices moving forward. Use your skill set and knowledge of the collective to become an advocate of privacy rights. If you see intentional or unintentional infractions for how personal data is used, accessed, and stored – speak up!
There is no certification for GDPR; it is law. Some of the new language discussing the basic rights such as “the right to be forgotten” is broad and can be open to interpretation. Learn the law and how to apply it and you can be the company’s great mind in this space.
GDPR is on everyone’s minds and in everyone’s inboxes right now. But what does it have to do with today’s CSO and his or her career track?
GDPR provides a rare opportunity for a CSO to place his or her fingerprints on the company’s data privacy approach and practices. CSOs are in a unique position to both help guide their companies through a difficult process and benefit from career development and exposure. GDPR is a compliance forcing function at a scale that we haven’t seen in nearly 20 years (i.e. SOX). If a CSO is able to bring together the many pieces, he or she will lead their company and ultimately their career to success.
As of May 25, 2018, GDPR became enforceable. The challenge for CSOs is to consider how prepared they are to drive this initiative and lead their companies to success. Most security and compliance regulations require a cultural change within the ranks to take hold, but many think that GDPR is the big one that will govern us all or at the very least will set the tone. Though the EU took the lead on data privacy, this law affects all companies.
In this two part series, I’ll share a few suggestions for CSOs who want to use GDPR’s arrival as an opportunity to further their company’s success as well as their own.
Know your role as it relates to GDPR
As the CSO, it will be your responsibility to rally around the cause of data privacy and use this opportunity to bring everyone in your company (and its many third party relationships) along for the journey. It sounds difficult, but the good news is that you already know where and how the data flows throughout the company and how the specific people functions intertwine with that data.
In many ways, you (and your teams) are the true data source providers and keepers. Whether ceremoniously or officially, you are the Data Protection Officer. The knowledge from being in this position provides a unique opportunity for you. You are one of the executive leaders within your company that can appropriately drive collaboration and guidance and help mentor those directly affected by GDPR. Do not let this opportunity pass you by.
Your first step is to identify who, in the company, fits into the two main roles under GDPR: Data Controllers (called “Controllers”) and Data Processors (called “Processors”). If your company is processing personal data in any way, then both roles exist within your company. Your knowledge of the subject can be used to reach out, bring people together, and build a strong training program that will bring your company into compliance.
Weaving together the many parts of your company to ensure that data privacy is handled correctly is no easy task. You may be hamstrung by the complexity of your own proprietary technology. You may have hundreds of groups all contributing, in different data sets, to the data collective. Bringing these disparate teams together may be challenging as each group may come to the table with a different data collection and dispersal approach.
Every entity that works with data is under the same obligations for data privacy. Though the initial projections are that the bark of GDPR will be smaller than the bite, the threat of 4% of top-line revenue will hopefully motivate the correct behavior.
In part two, I’ll be discussing knowing where your security program relates to GDPR and how GDPR can help position you to help drive Sales enablement.
I am not a CSO practitioner nor a GDPR expert. I am, however, a zealot and advocate for the CSO’s career development and the promotion of their increasing impact within today’s organizations.
What do you call a technologist who is one part Engineering leader, one part Change Architect, one part Business Strategist, and one part Sales/Community Enablement leader?
In the past, a leader who possessed all of these skills would have been the stuff of legend, but today these are the new expectations for a Security CTO.
In the last 18 months, we’ve seen an increased need for this unique leader. We believe the modern CISO-CTO hybrid, with a Product Engineering slant, will be a new consideration for any company building security products or creating an internal arsenal of security services.
Our clients are realizing that they need a special blend of skills to perform in this role; a role that has seemingly become critical to the success of a company’s security posture and narrative. The role requires dedication and a ninja-like discipline to each function. The combined result from a massive proliferation of promising security technologies; the need for organizations to see a return on their substantial security investments; and a desire to collaborate on security approaches within the community (for sales or advancing the company’s security exposure) are all driving this position to the top of the critical hire list.
Let’s break down the makeup of this exciting up-and-coming technology executive.
Driving a clear vision for Security products and services
CTOs are responsible for setting the direction and tone of the company, driving a clear vision of what the company wants, and architecting change for both the company and the community. The challenge for a Security CTO is that the product or service is more difficult to nail down because the Cyber world moves so quickly. Security CTOs need to perform consistently and gracefully under pressure and ensure that their constituents are informed and prepared for the next wave of threats.
Leading Business Strategy in and around Security
This is a new and often vastly different experience for most CTOs. They are tasked to create, develop, and navigate the company through a comprehensive roadmap while executing on a vision. It is assuredly a departure from their traditional function of being the technical SME or primary Architect leading a defined product or development function. Today the Security CTO role is about looking across the organization, recognizing and understanding the project investments that are in flight, and constantly working to ensure that these investments are being validated against the company’s overall strategy. This also means that the Security CTO has to balance defining their impact and creating innovation while being careful not to destabilize the existing bread and butter of the company.
Balancing technical depth with team structure
The Security CTO needs to rely heavily on their own recent hands-on experiences as well as their team of architects, analysts, and data scientists to see beyond the current technology stack and solutions. Navigating a suite of complex converged technologies takes a village. Given the plethora of open source and vendor ecosystem options, the Security CTO needs to possess a broad and deep understanding of how the technology is evolving and of what each option can offer or limit. He or she is also tasked with the challenge of arranging an effective team of rock stars.
Sales Enablement and Community Outreach
One of the biggest challenges of the Security CTO role is translating the direction of the company’s security posture into a palatable, easy-to-understand narrative for the internal, external, and client community. Many CISOs and CTOs are excellent at some of the skills mentioned above, but it’s rare that one is a true internal and external adviser.
This new breed of CTO needs to see their company’s road ahead and speak confidently with all clients. They need to match their roadmap with the technology evolution around them then take it one step further by listening intently to the community and offering insights. This last part is especially important because it is often the external community that determines the direction of a product path for consumption. If the community feels that the company is not building the right product, or does not have a clear vision of what the market wants, it could spell disaster for the CTO and the company.
We look forward to carefully observing and engaging in the Security CTO evolution. It is these hybrid roles that we as executive search professionals enjoy learning about and performing on.
We are often asked what makes a great CSO? While every company is looking for something slightly different and every leader’s role consists of different parts, we tend to see a few traits that separate top CSOs from the pack.
Protecting the data collective
The first and most common trait of great CSOs is the ability to be the ultimate guardian of the data collective. Traditionally, the CSO position has centered around being fully aware of incoming risks and up to speed on the latest threat landscape. It goes without saying that this is a tough skill to master, in part because the span and level of knowledge around security vary across a company. Not too long ago, if you didn’t know your IT leader it was because everything was working properly, but things are different today. The modern CSO knows everyone in the company in one way or another.
Knowing how to protect the data collective is about choosing the right controls and tools to implement. The policies, reporting, defensive and offensive tools/resources are all under the purview of the CSO’s toolbox. Having a broad and deep understanding of the policies enables the CSO to report, monitor, defend, and anticipate what threats are coming.
Building effective teams and leadership
As investments in Security programs and CSO organizations become more complex and business-focused, we are starting to see a trend for CSOs to have ample evidence of team building and mentoring/leadership skills. Team structures are becoming more diverse as security organizations continue to become more complex. The CSO is now equal parts technical expert, functional business process aligner, executive level guide, internal subject ambassador, and outwardly facing posture leader. What a scope! Hence the ability for a CSO to adequately build and lead teams is very much in the spotlight.
As a side note for those of you looking to conduct a new CSO search: this is one of those traits that the candidates on your search slate may not fully possess. Clients who expect a CSO to enter with the full arsenal of polished executive leadership skills will need to adjust their expectations. Most up and coming CSOs are still growing their leadership skills and may not have been exposed to many management scenarios. To put it in perspective, this is a small, specialized group of technical leaders that deal with the reactive nature of every threat thrown their way. We feel that it is the client’s responsibility to invest in a CSO’s leadership training and mentorship.
The X Factor: Seeing around the corner
Though there are many other traits I could mention, there is one more that I consider critical. A CSO must be able to align the company’s security narrative back with the business and financial goals. The CSOs who can truly distinguish themselves are clearly and consistently tying their project investments and results back to the underlying business. The most effective CSOs we know have an equal blend of technical expertise and business-readiness skills that enable them to scale their communication up or down in a fast growing/moving organization. They can gracefully explain complex technical challenges to anyone.
This of course is not as easy as it sounds. The tough security decisions (process, tools, org structure decisions) meant to protect the company’s assets can sometimes be counterproductive to the ultimate business goals. The visionary CSOs can turn the narrative into an effective roadmap then take the company’s products, services, Board, and all other elements on a journey. These Security leaders have a unique capability to “look around the corner”. They are able to see things from a technical, architectural, and business operations perspective and use that vision to better the company’s security posture.
Thank you to our partner Jason for the inspiration.
In the past, we covered how important a strong position description is to setting the company’s expectations for the CISO role. The same can be said for a CISO candidate’s resume or CV when looking for a position. The resume is still the best two-dimensional introduction to the candidate’s security narrative and career trajectory.
If you’re applying for a CISO role, your resume should accomplish three primary goals:
1: Take the reader on your journey
The reader needs to see how you have become a consistent performing leader and how and where you have grown. Make sure to include where you were promoted; how you transformed your position; and how you gained the confidence of the business and other like-minded past executives in past positions.
Tell the reader about the companies you have worked for. How large are they? What market do they operate in? What is their scale? Do not assume that the reader knows. Even if you are working for a well-known company, take the time to explain the group that you are with. For example, if you are with a SaaS company, talk about the scale of the delivery infrastructure, the number and market size of the products, and anything else that allows the reader to evaluate scale. The scale at which your current company operates in is a critical part of the evaluation for an onlooking executive.
2: Clearly define your successes
Share your wins and accomplishments. This is probably the most consistently underperforming part of the CISO resumes that I review. A CISO’s role is very difficult and this is your time to shine. Show what you have accomplished in each of your positions. We like to see facts - specific business results, their impact on the business and how those accomplishments came about. Include specific samples of your security program scale, scope and successes that you and your team were able to accomplish during your tenure. Ask yourself: How did you drive the security programs and strategy? How did you drive security DNA and discipline into the creation of the company’s products and services? What evidence do you have on tying security successes back to the business strategy?
You can answer these and other questions by offering samples of project wins, specific before and after examples, and bullet points that focus on the high-level business impact that occurred as a result of your efforts. When explaining these successes, be sure to err on the side of more detail around the scale and scope of the project or program you completed. How you specifically achieved these successes should be discussed during the interview process.
3: Show how you are a sales and business enabler
The need for today’s CISO to be a true sales enabler has never been more important in the evaluation of a CISO candidate. Take the time to explain how you (and don’t forget your team) helped strengthen the company’s product, compliance story, or overall security posture in the community. In addition to proving how you work regularly on both the internal and external sales enablement effort, it is also important to show evidence of your outward facing skills in contributing to the security community. Be sure to highlight specific content you have created, discussions you have led, and panels you have participated on as ways you are working to impact the greater community.
Being able to achieve these goals during the creation and revision of your resume will likely weigh heavily with your evaluators.
A few more quick tips to consider when creating your CISO resume:
LinkedIn versus Resume
We are often asked, “How much detail should you have on LinkedIn versus your resume?” Our suggestion is that the resume and LinkedIn profile mirror one another with the resume including more information and samples of projects or work. We see LinkedIn used by executives to get a quick view of the candidate while the resume is given more time and consideration. Be sure to fully describe anything you list in the summary section of your resume in the appropriate tenure section.
The old ‘two page’ rule
We still receive a lot of questions about this rule. While it is important to stay concise, it is not important to limit yourself to two pages. Add the necessary data and detail to get the point across. If it takes three pages to do that, so be it.
Use facts and figures
This is an important one and something we are constantly reminding senior leaders about. If you cannot quantify your accomplishments, then that is a problem. In a resume (or on LinkedIn) you need to specify figures, monetary savings or spend, and percentages to quantify your work.
A company searching for a CISO/Head of Security must decide not only where the new hire will report, but also what the scope and expectations of the role will be. These complex decisions are crucial to the company’s success. With so much at stake, how does a company ensure that all of their interviewers and influencers are on the same page?
We’ve developed a unique spin on the discovery process called “Interviewing the Interviewers” or ITI. Our team spends a day or two onsite, meeting with the interviewers and influencers and getting a sense of their perceived evaluation criteria and thoughts on the process. We ask a custom set of questions that relate to the originally spec’d position we were offered (if it exists) and/or what we were told by the hiring leader. The entire ITI process is meant to be swift, personal and intrusive.
After the interviews, we present our findings to the executive sponsor of the search with the goal of establishing a common language and understanding. In the security space, we hear a variety of terms that ultimately describe the same concepts. AppSec and Security Operations are two great examples; we’ve seen at least five different definitions of these terms from client to client and function to function. Our findings eventually become the basis of a thoughtfully constructed position description.
We’ve found that the ITI method is an effective way to discover the true meaning of the client’s target and the best cultural match. Here’s why:
Face-to-face time with interviewers and influencers helps us become familiar with everyone’s roles, motivations, and styles while allowing the team to get to know us. While many executives have worked with search firms, most have not worked side-by-side with a search partner. Understanding our value improves the search.
Interviewers and influencers get a chance to have their voices, thoughts and perspectives heard. We are able to get each individual’s definition of the role and the evaluation criteria/priorities without influence from others. This is the key element to getting buy-in and calibration.
We learn about the client’s environment using an internal lens which allows us to see the client in their natural habitat. We are able to observe the office environment and culture and make it part of the story. We ask questions to get a sense of the vibe, employee interaction, client organization, and meeting structure.
We hear the company’s pitch from a number of people who will interview our candidates. Since most of our candidates are gainfully employed, our clients need to make their pitch crisp and enticing. If the individual, or the company as a whole, is not a strong pitcher, then we want to identify this upfront. From there, we evaluate who should be pitching to the candidates and when he or she should appear in the process.
Most importantly, the ITI method gives us data to present to the hiring sponsor(s) to determine whether they can overcome obstacles or beliefs that may challenge the success of the search process. In the end, it is all about executive sponsorship. If we do not have the necessary air cover and ability to influence mindset then the search is likely to be unsuccessful. We could run the risk of simply finding and presenting a collection of candidates without much advising. When this (rarely) occurs, as an esteemed search legend says, we “Fetch versus Search”. And the results can be drastically different.
Whether it is the ITI method or something different, a strong discovery process from a search partner or internal recruiting function is an absolute. This process sets the stage for how the company will act when faced with difficult alignment questions, scope definitions, evaluation expectations, and overall qualification priorities and ultimately determines the success of the CISO/Head of Security role.
Technology has become an essential component for most modern businesses. Because of that, technology leadership requires a place in the org structure that enables it to impact and improve the whole company. If a CISO/Head of Security is placed into the wrong structure, the results can be poor or possibly detrimental.
The ever-evolving CISO/Head of Security role is still searching for a permanent home within many organizations. The discussion around where this key position will reside has been front-of-mind for most of our clients and a hot topic within our community.
To provide some relevant data we can break down our current project portfolio. Today in our current portfolio of CISO/Head of Security search projects, there are almost as many different reporting structures as there are searches. We have 7 open search projects, and 6 different C-level leaders that the hire would be reporting to, ranging from CEO, COO, CFO, CPO, CIO to CTO/SVP Engineering.
So, where does this strategic and critical position belong in your company's structure? We’ve seen that opinions tend to vary based on the answers to these five questions:
- What does the company’s historical security structure look like, and how successful has it been?
- What level of impact will the Head of Security be expected to have within the company?
- What is the maturity level of the security program and compliance efforts within the company?
- How does the company build, deliver, and sell their product or service?
- What are the external optics of the company’s product/services security posture? What will clients need to see and say about the structure the company deploys for their Head of Security function?
Let’s use an upstart SaaS cloud-first product company as an example. The company starts with security being an important component of the engineering or PD organization because they began building everything in AWS, Azure or GCP. When the company’s attack surface becomes large and complex enough to warrant hiring their first Head of Security, they could go a few directions. They might decide to expand the existing Sec Eng/Ops function, or they might create a separate security function and pull SecOps out of Engineering altogether.
But let’s say that the company is coming from a more traditional shrink-wrapped software delivery model with professional services. They have a functioning and more traditional IT structure, which might warrant the Head of Security sitting within the CIO’s organization. Simple enough, right?
Then what happens when that same company migrates their entire product suite to a cloud delivery model using public cloud infrastructure? At that point, the security function might split in two (InfoSec/Compliance + SecOps/DevOps) or DevOps might be rolled under Security Ops. Another possibility is that the GC takes Compliance and everything else security related falls under Product or Eng. The point is - there are a dozen different, completely justified, ways to go.
All said this is a transformative and exciting time to be a leader in the Security space. For CISO/Head of Security candidates out there, it will take patience and diligent discovery to determine if the roles being presented to you will enable your growth and impact in your next company. For companies looking to make this important hire, it will take patience, lots of data, and perhaps several tough conversations within your company to get it right. You might even choose to listen to your search partner. ☺
Especially on a topic with so many different opinions, we’d love to hear yours. What do you and your company think the right structure should be? Please complete this short anonymous survey. We’ll discuss our findings in a future post.
Today’s CSO duties are split into two primary and distinct roles: an internal function and an external one. For our SaaS clients, these roles are blurring together and becoming hard to differentiate. The CSO has become a mix of many things - part modern technologist, part business strategist, part customer advocate, and part compliance and governance warrior.
Our clients are seeking a modern leader who can shape, embrace, and lead security architecture and strategy around key objectives like leveraging public cloud infrastructure, adopting new resource ecosystems, and driving an overall mindset change to achieve DevSecOps. The problem is that conversations about these technical objectives are, well...technical. In order to precisely communicate with executives, a CSO must be able to perform a kind of magic.
Executive teams want a CSO who can weave together a viable, scalable, and sustainable security story for their software and services brand. Essentially, they want a customer advocacy evangelist. When a company begins running complex environments—whether pilots or actual production migrations from virtualized cloud to containerized (Kubernetes) solutions—the CSO’s role is spotlighted. These environments produce complex challenges to an organization’s attack surface which leads the CSO to have a visible role in making the clients feel secure and comfortable with the process. If you are the CSO of a software or service provider, you are now one of the first discussions with buyers. CSO leaders have become part of the sales cycle.
Furthermore, the CSO is tasked to build a team and/or process that will help automate the sales engine through consistent training of SREs or the sales force. The CSO is ultimately responsible for winning customers and keeping the strategic direction on course. We’ve seen the number of VP of Sales or CROs on our CSO interview panels skyrocket in the past year. Most VPs of Sales realize that CSOs are not going to be sales leaders, but they do expect them to be highly-tuned customer-facing leaders.
As for Compliance and Governance - that could be its own blog post. We see a few dozen CSO searches per year and it is rare to find any two companies that define their CSO’s role around compliance scope in the same way.
The CSO is now driving the conversation around whether a company’s operating model will enable Security to maintain Compliance or whether Compliance will enable the direction of Security. This is a complex and difficult problem for most of our clients. Finding the perfect CSO is a search for an artist, architect, and artisan—all in one.
I began my exec search career focused on CIO searches. I learned how to dig deep when defining the CIO’s scope and how to position the CIO’s organization. One of the critical components was the build-out and maintenance of an IT PMO that was primarily IT and Technology project sponsored and funded by the business. The PMO leadership position was a strategic ambassador to the business that often lived under IT. Many companies have been able to transform their IT PMO into an Enterprise PMO within the organization.
First, let’s take a step back. For those of you who aren’t as ancient as I am, or don’t know much about PMOs, a project management office (PMO) is a group — internal or external to a company — that sets, maintains and ensures standards for project management across that organization.
The PMO was born in the mid-90’s as a reactive governance process around managing projects. At that time, projects were deemed unsuccessful at an alarming pace; this still happens today. From a technology timeline, the PMO arrived on the scene around the same time that we moved from mainframes to Client/Server. The IT PMO was born out of the need for the implementation and adoption of technology solutions and/or processes in business projects. These solutions determined the success of the company’s initiative or program. Infrastructure was also important, but the needs in and around Enterprise Applications (SAP, Oracle, Peoplesoft, Baan) primarily drove the creation, flow, and funding of these projects and the formation of the modern day PMO. Essentially, you had a technical solution with business needs and drivers that spawned the need for specialized project managers and business systems analysts who were skilled in the art of translation from Geek to Business.
PMOs quickly became vital to the company’s success in deploying technology solutions. Today over three-fourths of global enterprises have maintained a PMO for at least five years. PMOs have become the one-stop shop for project principles (Agile, Scrum, etc.) project updates, best practices, policies, and methodology lessons within a company. They are often the primary librarian/gatekeeper of documentation and real-time analytics. And while they are susceptible to economic downturns, the ROI on a well-managed PMO is indisputable.
I was fortunate to have managed several fantastic Head of PMO searches which sold me on the long-term value to a company’s efficiency and culture. I saw that the PMO represented the true intersection between people, process and technology.
Ten years later, Hitch Partners is focused on the CISO’s transformation from InfoSec and Compliance to a highly visible and sales enabled DevSecOps leader. The transformation has led to the creation of many intense and complex Security related business projects. Though IT projects may affect a portion of a company using the new service or tools, security projects affect everyone in a company, its partners, and even the customers. While vendors and service providers are driving implementations within companies, often the company itself is leading many of these projects. Sometimes a company is prepared for this with a treasure trove of talented, disciplined, and subject-matter focused project managers, but this is quite rare. Meanwhile, the rate of new Security project adoption moves forward at a breakneck pace with sponsoring often coming down from the top. With all that said, I often wonder if we will see a revitalization/rebranding of the PMO focused in the Security project space; a Security PMO.
The security market is still in a consolidation phase and within today’s companies, we have an unusually high number of security options between new tools and services being introduced in an ever-changing landscape of expanding technology platforms. The public cloud providers have opened up new channels and ways of protecting the data collective, resulting in dozens of new projects being sponsored by the business. While before it was an IT project, today the business is reliant on these projects to manage, grow and differentiate their businesses. Everyone, from the executive team to sales, needs the super geeky security stuff to work, to protect them, to prevent incidents, to scale, and most importantly, to communicate in terms that the average executive will understand. We are talking about security solutions and policies that can, have and will make a massive impact on businesses, yet these are often solutions that less than 1% of the world can really understand and/or explain. It is the perfect environment to grow the value of a PMO; a virtual petri dish of sorts.
One of the challenges in building today's Security programs in a small to midsize company is that we often have highly technical practitioners explaining the business benefits of a security change, tool, or regulation. Frankly, these technical heroes are doing well and holding their own, but as the company and the complexity of their problems increase, this will not last. The business will need to see a greater concentration of disciplined project management professionals to help match the transformation that Security is undergoing. The business needs faster and more accurate translation of the security project value and status. Enter the Security PMO. Another major challenge we face is that PMO organizations require executive level sponsorship in order to be efficient and effective. Given the highly matrixed nature of technology organizations, it is challenging to get resources allocated to corporate cross-organizational projects without visibility of these projects from the executive ranks.
While the concept of the PMO has been around for over 15 years, we are now seeing signs that the concept of a Security PMO may be a reality. With DevSecOps becoming more commonplace, there is a significant need for Security PMOs to exist. So far, there have only been small steps taken in this direction. Just like the original idea around an IT PMO, it will take some time to become mainstream. For most companies, the security program is void of a PMO structure, let alone a budding PMO focused on Security projects.
In 2015, Security projects were still grouped in with IT projects. In 2016, we heard crickets when we brought up the concept of a separate PMO for Security. In 2017, the awareness improved, and now in our daily conversations with CISOs and Security Leaders we are finding that Security-focused Project Managers are being sought after and hired at an increasing pace. Perhaps this will be the year we help a company develop their first versions of a comprehensive Security PMO.
In the last few years, changes in the security industry have forever altered the way we think about the CISO’s role in an organization and how we build an effective and scalable security program. Hitch Partners was founded to bridge the gap between yesterday’s CISO and today’s.
For over a decade, the CISO was a strong lieutenant within the CIO’s organization. In late 2014, we began to see our first CISO searches where the reporting structure moved from the CIO’s organization to other C-level executives, namely the CFO, CPO or Head of Engineering. This year, as we look across our search portfolio, we have over a half dozen CISO searches all reporting to different C-level positions.
How did we get to this point?
I am fortunate to have been a practitioner on an accelerated and wild journey starting with the fall of VMS-based computing; to the rise of Open Systems; to the beginning of Linux (and LAMP); to the introduction of NAS, SAN, and VMs; to having a front seat during the rise of TechOps and eventually touching upon the origins of DevOps.
In 2004, I entered the world of executive recruiting focused on the CIO, CTO, and TechOps space. Security was always an important component of our CIO searches, but it wasn’t a stand-alone executive level or a necessary strategic position until just a few years ago when we began to see quick and drastic changes occurring in the CISO space. These interesting changes were the basis for founding Hitch Partners.
As a generalization with no disrespect intended, the previous version of the CISO was a bit stuck on an approach that was not sustainable. The InfoSec community focused too much on their needs and control over the networks, systems, applications, and, yes, even control over their customers – the employees. Oftentimes, policies and procedures were focused on protection, but not focused on business enablement. Some would say that the legacy CISO position was coming from a place of “no”. Furthermore, many legacy CISOs did not come from a Dev background and therefore lacked the hands-on arsenal and compassion for Dev and product teams that is required to be successful today.
Here’s how things have changed.
While InfoSec, AppSec, Risk, and Compliance have remained important components of the CISO role, we are now seeing an increased focus on Product Security, Security Engineering, and external evangelism. In a SaaS environment, the priority is running on the public cloud and getting products out the door quickly and securely. With cloud operations becoming standard within both high-growth companies and enterprises, the legacy approach to security defense, awareness, compliance, and protection is giving way to DevSecOps.
DevSecOps has changed the way we organize our security programs and teams. A properly structured security team allows a software product company to operate, build, and launch products in a more efficient manner that leads to a distinct competitive advantage, but it starts and ends with security.
DevSecOps has also changed the way we manage and focus on Compliance. I heard a great phrase a few months ago: “The legacy CISO used Compliance to manage Security while the modern CISO uses Security to manage Compliance.”
Another big difference we see in today's CISO searches is the need for a client-facing persona and a unique executive presence that can drive sales enablement. The idea that your company's CISO will help secure an individual customer's trust during the sales cycle is a very new concept, but it has already become commonplace. As such, identifying and evaluating candidates requires a deeper dive into their backgrounds, and such candidates are often harder to find.
C-Suite and Board Level Exposure:
Today's CISO will also have more regular exposure and interaction with the C-Suite and often the BoD. This mindset shift continues to evolve, which in turn determines how searches are conducted, how the org should be structured, who should be involved in the decisions, and what the best way to build a security program is.
These and other changes in security leadership happened so rapidly (over the course of three years) that the candidate market for CISOs was turned on its head, and companies were (and are) caught off guard by how complex and challenging this newly crowned executive position has become. The conversation around finding the right CISO for a company has shifted from a fairly straightforward search and hunt to more of a data-driven, advisory-led journey to find the right balance of leadership presence, architecture and technical skill, data protection experience, Risk and Compliance knowledge, customer presence, and program build experience.
I will not go so far as to say that we wanted to create something special and unique, but we did want to create a new firm that would help clients troubleshoot the gap in security leadership talent. We help candidates navigate client searches that are still defining their CSO scope, not to mention changes to their overall culture resulting from a move to DevOps. We are consummate learners and feel that we have a strong understanding of this fractured marketplace. As a result, we often help clients with their search strategy and can further guide them on the do's and don'ts of a Security executive search. We believe that engaging a firm to manage your security leadership search is not only about leveraging the firm's deeper network, but also about leveraging the data and environmental lessons that the firm has learned over dozens of similar searches. We provide data to help advise, define, calibrate and recalibrate, and even with all of the data, we may still be wrong because the market is ever-changing. It is an exciting time to be involved in this space and to witness the evolution of the security industry.