Recently, Michael Piacente of Hitch Partners was a guest on the Open Source Security podcast hosted by Josh Bressers and Kurt Seifried. Michael discussed the past, present, and future role of the CISO in the industry.
In the past, we covered how important a strong position description is to setting the company’s expectations for the CISO role. The same can be said for a CISO candidate’s resume or CV when looking for a position. The resume is still the best two-dimensional introduction to the candidate’s security narrative and career trajectory.
If you’re applying for a CISO role, your resume should accomplish three primary goals:
1: Take the reader on your journey
The reader needs to see how you have become a consistently performing leader and how and where you have grown. Make sure to include where you were promoted, how you transformed your position, and how you gained the confidence of the business and of like-minded executives in past positions.
Tell the reader about the companies you have worked for. How large are they? What market do they operate in? What is their scale? Do not assume that the reader knows. Even if you are working for a well-known company, take the time to explain the group that you are with. For example, if you are with a SaaS company, talk about the scale of the delivery infrastructure, the number and market size of the products, and anything else that allows the reader to evaluate scale. The scale at which your current company operates is a critical part of the evaluation for an onlooking executive.
2: Clearly define your successes
Share your wins and accomplishments. This is probably the most consistently underperforming part of the CISO resumes that I review. A CISO’s role is very difficult and this is your time to shine. Show what you have accomplished in each of your positions. We like to see facts - specific business results, their impact on the business and how those accomplishments came about. Include specific examples of the scale and scope of your security program and of the successes that you and your team achieved during your tenure. Ask yourself: How did you drive the security programs and strategy? How did you drive security DNA and discipline into the creation of the company’s products and services? What evidence do you have of tying security successes back to the business strategy?
You can answer these and other questions by offering samples of project wins, specific before and after examples, and bullet points that focus on the high-level business impact that occurred as a result of your efforts. When explaining these successes, be sure to err on the side of more detail around the scale and scope of the project or program you completed. How you specifically achieved these successes should be discussed during the interview process.
3: Show how you are a sales and business enabler
A candidate’s ability to be a true sales enabler has never carried more weight in the evaluation of a CISO. Take the time to explain how you (and don’t forget your team) helped strengthen the company’s product, compliance story, or overall security posture in the community. In addition to showing how you work regularly on both the internal and external sales enablement effort, it is also important to show evidence of your outward-facing skills in contributing to the security community. Be sure to highlight specific content you have created, discussions you have led, and panels you have participated in as ways you are working to impact the greater community.
Achieving these goals as you create and revise your resume will likely weigh heavily with your evaluators.
A few more quick tips to consider when creating your CISO resume:
LinkedIn versus Resume
We are often asked, “How much detail should you have on LinkedIn versus your resume?” Our suggestion is that the resume and LinkedIn profile mirror one another, with the resume including more information and samples of projects or work. We see LinkedIn used by executives to get a quick view of the candidate, while the resume is given more time and consideration. Be sure to fully describe anything you list in the summary section of your resume in the appropriate tenure section.
The old ‘two page’ rule
We still receive a lot of questions about this rule. While it is important to stay concise, it is not important to limit yourself to two pages. Add the necessary data and detail to get the point across. If it takes three pages to do that, so be it.
Use facts and figures
This is an important one and something we are constantly reminding senior leaders about. If you cannot quantify your accomplishments, then that is a problem. In a resume (or on LinkedIn) you need to specify figures, monetary savings or spend, and percentages to quantify your work.
A company searching for a CISO/Head of Security must decide not only where the new hire will report, but also what the scope and expectations of the role will be. These complex decisions are crucial to the company’s success. With so much at stake, how does a company ensure that all of their interviewers and influencers are on the same page?
We’ve developed a unique spin on the discovery process called “Interviewing the Interviewers” or ITI. Our team spends a day or two onsite, meeting with the interviewers and influencers and getting a sense of their perceived evaluation criteria and thoughts on the process. We ask a custom set of questions that relate to the originally spec’d position we were offered (if it exists) and/or what we were told by the hiring leader. The entire ITI process is meant to be swift, personal and intrusive.
After the interviews, we present our findings to the executive sponsor of the search with the goal of establishing a common language and understanding. In the security space, we hear a variety of terms that ultimately describe the same concepts. AppSec and Security Operations are two great examples; we’ve seen at least five different definitions of these terms from client to client and function to function. Our findings eventually become the basis of a thoughtfully constructed position description.
We’ve found that the ITI method is an effective way to discover the true meaning of the client’s target and the best cultural match. Here’s why:
Face-to-face time with interviewers and influencers helps us become familiar with everyone’s roles, motivations, and styles while allowing the team to get to know us. While many executives have worked with search firms, most have not worked side-by-side with a search partner. Understanding our value improves the search.
Interviewers and influencers get a chance to have their voices, thoughts and perspectives heard. We are able to get each individual’s definition of the role and the evaluation criteria/priorities without influence from others. This is the key element to getting buy-in and calibration.
We learn about the client’s environment using an internal lens which allows us to see the client in their natural habitat. We are able to observe the office environment and culture and make it part of the story. We ask questions to get a sense of the vibe, employee interaction, client organization, and meeting structure.
We hear the company’s pitch from a number of people who will interview our candidates. Since most of our candidates are gainfully employed, our clients need to make their pitch crisp and enticing. If the individual, or the company as a whole, is not a strong pitcher, then we want to identify this upfront. From there, we evaluate who should be pitching to the candidates and when he or she should appear in the process.
Most importantly, the ITI method gives us data to present to the hiring sponsor(s) to determine whether they can overcome obstacles or beliefs that may challenge the success of the search process. In the end, it is all about executive sponsorship. If we do not have the necessary air cover and ability to influence mindset then the search is likely to be unsuccessful. We could run the risk of simply finding and presenting a collection of candidates without much advising. When this (rarely) occurs, as an esteemed search legend says, we “Fetch versus Search”. And the results can be drastically different.
Whether it is the ITI method or something different, a strong discovery process from a search partner or internal recruiting function is an absolute necessity. This process sets the stage for how the company will act when faced with difficult alignment questions, scope definitions, evaluation expectations, and overall qualification priorities, and it ultimately determines the success of the CISO/Head of Security role.
Technology has become an essential component for most modern businesses. Because of that, technology leadership requires a place in the org structure that enables it to impact and improve the whole company. If a CISO/Head of Security is placed into the wrong structure, the results can be poor or possibly detrimental.
The ever-evolving CISO/Head of Security role is still searching for a permanent home within many organizations. The discussion around where this key position will reside has been front-of-mind for most of our clients and a hot topic within our community.
To provide some relevant data, we can break down our current portfolio of CISO/Head of Security search projects, where there are almost as many different reporting structures as there are searches. We have 7 open search projects and 6 different C-level leaders that the hire would be reporting to, ranging from CEO, COO, CFO, CPO, and CIO to CTO/SVP Engineering.
So, where does this strategic and critical position belong in your company's structure? We’ve seen that opinions tend to vary based on the answers to these five questions:
- What does the company’s historical security structure look like, and how successful has it been?
- What level of impact will the Head of Security be expected to have within the company?
- What is the maturity level of the security program and compliance efforts within the company?
- How does the company build, deliver, and sell their product or service?
- What are the external optics of the company’s product/services security posture? What will clients need to see and say about the structure the company deploys for their Head of Security function?
Let’s use an upstart SaaS cloud-first product company as an example. The company starts with security being an important component of the engineering or PD organization because they began building everything in AWS, Azure or GCP. When the company’s attack surface becomes large and complex enough to warrant hiring their first Head of Security, they could go a few directions. They might decide to expand the existing Sec Eng/Ops function, or they might create a separate security function and pull SecOps out of Engineering altogether.
But let’s say that the company is coming from a more traditional shrink-wrapped software delivery model with professional services. They have a functioning and more traditional IT structure, which might warrant the Head of Security sitting within the CIO’s organization. Simple enough, right?
Then what happens when that same company migrates their entire product suite to a cloud delivery model using public cloud infrastructure? At that point, the security function might split in two (InfoSec/Compliance + SecOps/DevOps) or DevOps might be rolled under Security Ops. Another possibility is that the GC takes Compliance and everything else security related falls under Product or Eng. The point is - there are a dozen different, completely justified, ways to go.
All said, this is a transformative and exciting time to be a leader in the Security space. For CISO/Head of Security candidates out there, it will take patience and diligent discovery to determine if the roles being presented to you will enable your growth and impact in your next company. For companies looking to make this important hire, it will take patience, lots of data, and perhaps several tough conversations within your company to get it right. You might even choose to listen to your search partner. ☺
Especially on a topic with so many different opinions, we’d love to hear yours. What do you and your company think the right structure should be? Please complete this short anonymous survey. We’ll discuss our findings in a future post.
In the last few years, changes in the security industry have forever altered the way we think about the CISO’s role in an organization and how we build an effective and scalable security program. Hitch Partners was founded to bridge the gap between yesterday’s CISO and today’s.
For over a decade, the CISO was a strong lieutenant within the CIO’s organization. In late 2014, we began to see our first CISO searches where the reporting structure moved from the CIO’s organization to other C-level executives, namely the CFO, CPO or Head of Engineering. This year, as we look across our search portfolio, we have over a half dozen CISO searches all reporting to different C-level positions.
How did we get to this point?
I am fortunate to have been a practitioner on an accelerated and wild journey: starting with the fall of VMS-based computing, through the rise of Open Systems, the beginning of Linux (and LAMP), and the introduction of NAS, SAN, and VMs, to having a front seat during the rise of TechOps and eventually touching upon the origins of DevOps.
In 2004, I entered the world of executive recruiting focused on the CIO, CTO, and TechOps space. Security was always an important component of our CIO searches, but it wasn’t a stand-alone executive level or a necessary strategic position until just a few years ago when we began to see quick and drastic changes occurring in the CISO space. These interesting changes were the basis for founding Hitch Partners.
As a generalization with no disrespect intended, the previous version of the CISO was a bit stuck on an approach that was not sustainable. The InfoSec community focused too much on their needs and control over the networks, systems, applications, and, yes, even control over their customers – the employees. Oftentimes, policies and procedures were focused on protection, but not focused on business enablement. Some would say that the legacy CISO position was coming from a place of “no”. Furthermore, many legacy CISOs did not come from a Dev background and therefore lacked the hands-on arsenal and compassion for Dev and product teams that is required to be successful today.
Here’s how things have changed.
While InfoSec, AppSec, Risk, and Compliance have remained important components to the CISO role, we are now seeing an increased focus on Product Security, Security Engineering, and External evangelism. In a SaaS environment, the priority is running on the public cloud and getting products out the door quickly and securely. With Cloud operations moving in as standard within both high growth companies and enterprises, the legacy approach to security defense, awareness, compliance, and protection is giving way to DevSecOps.
DevSecOps has changed the way we organize our security programs and teams. A properly structured security team allows a software product company to operate, build, and launch products in a more efficient manner that leads to a distinct competitive advantage, but it starts and ends with security.
DevSecOps has also changed the way we manage and focus on Compliance. I heard a great phrase a few months ago: “The legacy CISO used Compliance to manage Security while the modern CISO uses Security to manage Compliance.”
Another big difference we see in today’s CISO searches is the need for a client-facing persona and a unique executive presence that can drive sales enablement. The idea that your company’s CISO will help secure an individual customer’s trust during the sales cycle is a very new concept, but it has already become commonplace. As such, the identification and evaluation of candidates requires a deeper dive into their background, and such candidates are often harder to find.
C-Suite and Board Level Exposure:
Today’s CISO will also have more regular exposure and interaction with the C-Suite and often the BoD. This mindset shift continues to evolve, which in turn determines how searches are conducted, how the org should be structured, who should be involved in the decisions, and what the best way to build a security program is.
These and other changes in security leadership happened so rapidly (over the course of three years) that the candidate market for CISOs was turned on its head, and companies were (and are) caught off guard by how complex and challenging this newly crowned executive position has become. The conversation around finding the right CISO for a company has shifted from a fairly straightforward search and hunt to more of a data-driven, advisory-led journey to find the right balance of leadership presence, architecture and technical skill, data protection experience, Risk and Compliance knowledge, customer presence, and program build experience.
I will not go so far as to say that we wanted to create something special and unique, but we did want to create a new firm that would help clients troubleshoot the gap in security leadership talent. We help candidates navigate client searches that are still defining their CSO scope, not to mention changes to their overall culture, resulting from a move to DevOps. We are consummate learners and feel that we have a strong understanding of this fractured marketplace. As a result, we often help clients with their search strategy and can further guide them on the do’s and don’ts of a Security executive search. We believe that engaging a firm to manage your security leadership search is not only about leveraging the firm’s deeper network, but also about leveraging the data and environmental lessons that the firm has learned over dozens of similar searches. We provide data to help advise, define, calibrate and recalibrate, and even with all of the data, we may still be wrong because the market is ever-changing. It is an exciting time to be involved in this space and witness the evolution of the security industry.