The Growing Adoption of the Cloud-focused CSO

Hitch Partners was built on the idea that a new wave of CISO (aka ‘CSO’) talent would flourish in this Engineering- and Product-oriented, cloud-based world. The CSO’s critical function has traditionally been to protect the fortress by building better IT security programs and hygiene while driving stronger compliance. The modern CSO will be protecting code residing in public cloud architectures while leveraging techniques such as microservices and open-source container systems such as Kubernetes.

The practice of security leaders who are deeply embedded in identifying, evaluating, and protecting Engineering and Development risks, while not disrupting product velocity, has ignited the rise of the Cloud-focused CSO.

Over the past few years, we have built a CSO candidate framework to help clients identify their needs and distinguish the best security leader match for their organization. The CSO framework can be broken down into three* main executive profiles:

  1. The Risk and Compliance CSO – A more traditionally defined security executive focused on Information Security risk and governance across an Enterprise.

  2. The Security Operator CSO – An executive security operator focused on a combination of InfoSec, AppSec, and Cloud Security responsibilities.

  3. The Cloud-Focused CSO – An Engineering and Product-oriented driver of the security programs, posture, and awareness in a pure public cloud (often cloud-first) environment.  

*Hybrid combinations of these three profiles indeed exist.

We set out to track the adoption and growth of the Cloud-focused CSO across the U.S. Our research was compiled from 30+ CSO search projects and interviews with 700 CSOs/Heads of Security. After evaluating the adoption across a geographically dispersed set of cities and regions, it became clear that the practice of, and need for, Cloud-focused CSOs is spreading rapidly across the nation (and the world).

Educating oneself in Cloud-focused CSO practices and trends can be a tremendous opportunity, both for prospective clients to learn more about modern security hiring trends and for current and future CISOs/CSOs to expand their experience in order to become more indispensable in their organizations.

Is your organization getting ready to transform to a Cloud-focused CSO leader or has your organization already taken a Cloud-focused approach to Security leadership? If so, please share your thoughts on this rapidly changing landscape.

Take a look at this infographic on the rise of the Cloud-focused CSO and let us know your thoughts. We welcome comments, critiques, and questions.


How GDPR Can Be a Good Thing for a CSO’s Career: Part 2

In part one, I discussed how GDPR could positively impact both a CSO’s company and his or her career development.

In part two, I’ll offer a few more suggestions on how CSOs can use GDPR to boost their careers while bringing their team members together.

Know where your Security Program relates to GDPR

For those who have struggled with creating buy-in for compliance issues, you now have a law that provides an excellent teaching moment, but you need an action plan. You can utilize this opportunity to establish, enhance, and/or lock down your security program. With the exception of a few company verticals, such as those deep in the financial services space, most CSOs have never had anything like GDPR to use as a platform for strengthening their security program.

Now is the time! You have everyone’s attention and they should be listening. Laws with penalties large enough to threaten revenue will affect annual margins and in turn affect personal bonuses - which tends to get people’s attention. You will need a streamlined plan, one that is ready to execute, especially when dealing with compliance-focused projects. If you are an incoming CSO starting with a new company, you should have the framework of your GDPR compliance training ready to go on Day 1.

Your program will only be successful if everyone knows what is going on, your narrative is clear, and scenarios are tested and practiced. Work closely with your non-technical counterparts and compliance teams to lay out and test your plans. Continuously perform application assessments and identify your gaps. Be ready to share your data mapping and inventory practices. Create real-time scenarios that can answer the questions and prepare everyone for responding to inquiries. Consistently practice and enhance your data breach and incident response plans. Be prepared and ready to execute on your program. Many of these procedures should be commonplace in your world, but perhaps not to the average user of the data.

Know what you have under the hood

Simply relying on your tech stack may not go well. Your privacy strategy and technology may be flawed as they relate to GDPR.

For instance, one of the big GDPR misconceptions is that some companies feel they have a loophole to avoid the regulation because they can anonymize the data. No such luck. This loophole was considered when the terms were crafted and is covered in the “identifier” portion. Even if you have data sets that the regulators cannot see, the data can still lead to someone’s identity. Bits of information can be pieced together that identify a person and voila! You have yourself an infraction. Of course, this growing area of anonymization and encryption technology using AI/ML is one of the areas where the regulators will likely focus and test companies.

Another area to consider is how you deliver your service. Whether it is delivered purely in the Cloud, on-prem, or in a hybrid model, you will be in scope. Under GDPR, there is not a huge difference. If you are billing customers, collecting data, and creating telemetry, then you are under the obligations. It may even start at the code level if you are a SaaS company. That is why it is critical to work closely with your Engineering and Product teams to create better visibility and enhance their awareness of policies and best practices (see Privacy by Design as a reference).

Don’t forget about your third-party vendor relationships and related obligations. This is the likely chink in the armor for most companies and an area that the GDPR regulators will surely focus on. You may be in a situation where you need to drive revisions or even replacements for your User Agreements and 3rd Party Data requirements.

Know how GDPR can position you to help drive Sales enablement

As highlighted in previous blogs, the sales enablement function of the modern CSO is becoming one of the larger scoped components and a key metric of success. This is also another area where GDPR provides a unique opportunity to get closer to the business side of things.

You will need to pay close attention to the following things:

  •  How your marketing and sales departments are using data
  •  How your User Agreements are written
  •  What policies are listed in your customer contracts
  •  What your 3rd Party Agreements look like

In any scenario where data is collected, mapped, stored, and otherwise used, there is an opportunity to teach the user community the best practices moving forward. Use your skill set and knowledge of the collective to become an advocate of privacy rights. If you see intentional or unintentional infractions for how personal data is used, accessed, and stored – speak up!

There is no certification for GDPR; it is law. Some of the new language discussing basic rights such as “the right to be forgotten” is broad and can be open to interpretation. Learn the law and how to apply it, and you can be the company’s great mind in this space.

Reference material:
Article 29 Working Party (WP29)
Article 83 – General Conditions for Imposing Admin Fines
Privacy by Design framework

How GDPR Can Be a Good Thing for a CSO’s Career: Part 1

GDPR is on everyone’s minds and in everyone’s inboxes right now. But what does it have to do with today’s CSO and his or her career track?

GDPR provides a rare opportunity for a CSO to place his or her fingerprints on the company’s data privacy approach and practices. CSOs are in a unique position to both help guide their companies through a difficult process and benefit from career development and exposure. GDPR is a compliance forcing function at a scale that we haven’t seen in nearly 20 years (i.e. SOX). If a CSO is able to bring together the many pieces, he or she will lead their company and ultimately their career to success.

As of May 25, 2018, GDPR became enforceable. The challenge for CSOs is to consider how prepared they are to drive this initiative and lead their companies to success. Most security and compliance regulations require a cultural change within the ranks to take hold, but many think that GDPR is the big one that will govern us all or at the very least will set the tone. Though the EU took the lead on data privacy, this law affects all companies.

In this two-part series, I’ll share a few suggestions for CSOs who want to use GDPR’s arrival as an opportunity to further their company’s success as well as their own.

Know your role as it relates to GDPR

As the CSO, it will be your responsibility to rally around the cause of data privacy and use this opportunity to bring everyone in your company (and its many third party relationships) along for the journey. It sounds difficult, but the good news is that you already know where and how the data flows throughout the company and how the specific people functions intertwine with that data.

In many ways, you (and your teams) are the true data source providers and keepers. Whether ceremoniously or officially, you are the Data Protection Officer. The knowledge from being in this position provides a unique opportunity for you. You are one of the executive leaders within your company that can appropriately drive collaboration and guidance and help mentor those directly affected by GDPR. Do not let this opportunity pass you by.

Your first step is to identify who in the company fits into the two main roles under GDPR: Data Controllers, called “Controllers”, and Data Processors, called “Processors”. If your company is processing personal data in any way, then both roles exist within your company. Your knowledge of the subject can be used to reach out, bring people together, and build a strong training program that will bring your company into compliance.

Weaving together the many parts of your company to ensure that data privacy is handled correctly is no easy task. You may be hamstrung by the complexity of your own proprietary technology. You may have hundreds of groups all contributing, in different data sets, to the data collective. Bringing these disparate teams together may be challenging as each group may come to the table with a different data collection and dispersal approach.

Every entity that works with data is under the same obligations for data privacy. Though the initial projections are that the bark of GDPR will be smaller than the bite, the threat of 4% of top-line revenue will hopefully motivate the correct behavior.

In part two, I’ll be discussing knowing where your security program relates to GDPR and how GDPR can help position you to help drive Sales enablement.

**I am not a CSO practitioner nor a GDPR expert. I am however a zealot and advocate for the CSO’s career development and the promotion of their increasing impact within today’s organizations.

Reference material:
Article 29 Working Party (WP29)
Article 83 – General Conditions for Imposing Admin Fines
Privacy by Design framework

Hail to the “Chief Look-Around-the-Corner Officer”

We are often asked what makes a great CSO. While every company is looking for something slightly different and every leader’s role consists of different parts, we tend to see a few traits that separate top CSOs from the pack.

Protecting the data collective

The first and most common trait of great CSOs is the ability to be the ultimate guardian of the data collective. Traditionally, the CSO position has centered around being fully aware of incoming risks and up to speed on the latest threat landscape. It goes without saying that this is a tough skill to master, in part because the span and level of knowledge around security across a company is varied. Not too long ago, if you didn’t know your IT leader it was because everything was working properly, but things are different today. The modern CSO knows everyone in the company in one way or another.

Knowing how to protect the data collective is about choosing the right controls and tools to implement. The policies, reporting, defensive and offensive tools/resources are all under the purview of the CSO’s toolbox. Having a broad and deep understanding of the policies enables the CSO to report, monitor, defend, and anticipate what threats are coming.

Building effective teams and leadership

As investments in Security programs and CSO organizations become more complex and business-focused, we are starting to see a trend for CSOs to have ample evidence of team building and mentoring/leadership skills. Team structures are becoming more diverse as security organizations continue to become more complex. The CSO is now equal parts technical expert, functional business process aligner, executive-level guide, internal subject ambassador, and outward-facing posture leader. What a scope! Hence the ability of a CSO to adequately build and lead teams is very much in the spotlight.

As a side note for those of you looking to conduct a new CSO search: this is one of those traits that the candidates on your search slate may not fully possess. Clients who expect a CSO to enter with the full arsenal of polished executive leadership skills will need to adjust their expectations. Most up-and-coming CSOs are still growing their leadership skills and may not have been exposed to many management scenarios. To put it in perspective, this is a small, specialized group of technical leaders who deal with the reactive nature of every threat thrown their way. We feel that it is the client’s responsibility to invest in a CSO’s leadership training and mentorship.

The X Factor: Seeing around the corner

Though there are many other traits I could mention, there is one more that I consider critical. A CSO must be able to align the company’s security narrative with the business and financial goals. The CSOs who truly distinguish themselves clearly and consistently tie their project investments and results back to the underlying business. The most effective CSOs we know have an equal blend of technical expertise and business-readiness skills that enable them to scale their communication up or down in a fast-growing, fast-moving organization. They can gracefully explain complex technical challenges to anyone.

This of course is not as easy as it sounds. The tough security decisions (process, tools, org structure decisions) meant to protect the company’s assets can sometimes be counterproductive to the ultimate business goals. The visionary CSOs can turn the narrative into an effective roadmap then take the company’s products, services, Board, and all other elements on a journey. These Security leaders have a unique capability to “look around the corner”. They are able to see things from a technical, architectural, and business operations perspective and use that vision to better the company’s security posture.

Thank you to our partner Jason for the inspiration.

What Our SaaS Clients Expect From Today’s CSO

Today’s CSO duties are split into two primary and distinct roles: an internal function and an external one. For our SaaS clients, these roles are blurring together and becoming hard to differentiate. The CSO has become a mix of many things - part modern technologist, part business strategist, part customer advocate, and part compliance and governance warrior.

Our clients are seeking a modern leader who can shape, embrace, and lead security architecture and strategy around key objectives like leveraging public cloud infrastructure, adopting new resource ecosystems, and driving an overall mindset change to achieve DevSecOps. The problem is that conversations about these technical objectives are, well...technical. In order to precisely communicate with executives, a CSO must be able to perform a kind of magic.

Executive teams want a CSO who can weave together a viable, scalable, and sustainable security story for their software and services brand. Essentially, they want a customer advocacy evangelist. When a company begins running complex environments—whether pilots or actual production migrations from virtualized cloud to containerized (Kubernetes) solutions—the CSO’s role is spotlighted. These environments produce complex challenges to an organization’s attack surface which leads the CSO to have a visible role in making the clients feel secure and comfortable with the process. If you are the CSO of a software or service provider, you are now one of the first discussions with buyers. CSO leaders have become part of the sales cycle.

Furthermore, the CSO is tasked to build a team and/or process that will help automate the sales engine through consistent training of SREs or the sales force. The CSO is ultimately responsible for winning customers and keeping the strategic direction on course. We’ve seen the number of VP of Sales or CROs on our CSO interview panels skyrocket in the past year. Most VPs of Sales realize that CSOs are not going to be sales leaders, but they do expect them to be highly-tuned customer-facing leaders.

As for Compliance and Governance - that could be its own blog post. We see a few dozen CSO searches per year and it is rare to find any two companies that define their CSO’s role around compliance scope in the same way.

The CSO is now driving the conversation around whether a company’s operating model will enable Security to maintain Compliance or whether Compliance will enable the direction of Security. This is a complex and difficult problem for most of our clients. Finding the perfect CSO is a search for an artist, architect, and artisan—all in one.