CSO Search

Hail to the “Chief Look-Around-the-Corner Officer”

We are often asked what makes a great CSO. While every company is looking for something slightly different and every leader’s role consists of different parts, we tend to see a few traits that separate top CSOs from the pack.

Protecting the data collective

The first and most common trait of great CSOs is the ability to be the ultimate guardian of the data collective. Traditionally, the CSO position has centered around being fully aware of incoming risks and up to speed on the latest threat landscape. It goes without saying that this is a tough skill to master, in part because the span and level of knowledge around security across a company is varied. Not too long ago, if you didn’t know your IT leader it was because everything was working properly, but things are different today. The modern CSO knows everyone in the company in one way or another.

Knowing how to protect the data collective is about choosing the right controls and tools to implement. Policies, reporting, and defensive and offensive tools and resources are all part of the CSO’s toolbox. Having a broad and deep understanding of the policies enables the CSO to report, monitor, defend, and anticipate what threats are coming.

Building effective teams and leadership

As investments in security programs and CSO organizations become more complex and business-focused, we are starting to see a trend for CSOs to have ample evidence of team building and mentoring/leadership skills. Team structures are becoming more diverse as security organizations continue to become more complex. The CSO is now equal parts technical expert, functional business process aligner, executive-level guide, internal subject ambassador, and outward-facing posture leader. What a scope! Hence the ability of a CSO to adequately build and lead teams is very much in the spotlight.

As a side note for those of you looking to conduct a new CSO search: this is one of those traits that the candidates on your search slate may not fully possess. Clients who expect a CSO to enter with the full arsenal of polished executive leadership skills will need to adjust their expectations. Most up-and-coming CSOs are still growing their leadership skills and may not have been exposed to many management scenarios. To put it in perspective, this is a small, specialized group of technical leaders who deal with the reactive nature of every threat thrown their way. We feel that it is the client’s responsibility to invest in a CSO’s leadership training and mentorship.

The X Factor: Seeing around the corner

Though there are many other traits I could mention, there is one more that I consider critical. A CSO must be able to align the company’s security narrative with the business and financial goals. The CSOs who truly distinguish themselves clearly and consistently tie their project investments and results back to the underlying business. The most effective CSOs we know have an equal blend of technical expertise and business-readiness skills that enable them to scale their communication up or down in a fast-growing, fast-moving organization. They can gracefully explain complex technical challenges to anyone.

This, of course, is not as easy as it sounds. The tough security decisions (process, tools, org structure decisions) meant to protect the company’s assets can sometimes be counterproductive to the ultimate business goals. The visionary CSOs can turn the narrative into an effective roadmap, then take the company’s products, services, Board, and all other elements on a journey. These security leaders have a unique capability to “look around the corner”. They are able to see things from a technical, architectural, and business operations perspective and use that vision to better the company’s security posture.

Thank you to our partner Jason for the inspiration.

What Our SaaS Clients Expect From Today’s CSO

Today’s CSO duties are split into two primary and distinct roles: an internal function and an external one. For our SaaS clients, these roles are blurring together and becoming hard to differentiate. The CSO has become a mix of many things: part modern technologist, part business strategist, part customer advocate, and part compliance and governance warrior.

Our clients are seeking a modern leader who can shape, embrace, and lead security architecture and strategy around key objectives like leveraging public cloud infrastructure, adopting new resource ecosystems, and driving an overall mindset change to achieve DevSecOps. The problem is that conversations about these technical objectives are, well...technical. In order to precisely communicate with executives, a CSO must be able to perform a kind of magic.

Executive teams want a CSO who can weave together a viable, scalable, and sustainable security story for their software and services brand. Essentially, they want a customer advocacy evangelist. When a company begins running complex environments—whether pilots or actual production migrations from virtualized cloud to containerized (Kubernetes) solutions—the CSO’s role is spotlighted. These environments pose complex challenges to an organization’s attack surface, which gives the CSO a visible role in making the clients feel secure and comfortable with the process. If you are the CSO of a software or service provider, you are now part of one of the first discussions with buyers. CSO leaders have become part of the sales cycle.

Furthermore, the CSO is tasked with building a team and/or process that will help automate the sales engine through consistent training of SREs or the sales force. The CSO is ultimately responsible for winning customers and keeping the strategic direction on course. We’ve seen the number of VPs of Sales or CROs on our CSO interview panels skyrocket in the past year. Most VPs of Sales realize that CSOs are not going to be sales leaders, but they do expect them to be highly tuned customer-facing leaders.

As for Compliance and Governance - that could be its own blog post. We see a few dozen CSO searches per year and it is rare to find any two companies that define their CSO’s role around compliance scope in the same way.

The CSO is now driving the conversation around whether a company’s operating model will enable Security to maintain Compliance or whether Compliance will enable the direction of Security. This is a complex and difficult problem for most of our clients. Finding the perfect CSO is a search for an artist, architect, and artisan—all in one.