In the last few years, changes in the security industry have forever altered the way we think about the CISO’s role in an organization and how we build an effective and scalable security program. Hitch Partners was founded to bridge the gap between yesterday’s CISO and today’s.
For over a decade, the CISO was a strong lieutenant within the CIO’s organization. In late 2014, we began to see our first CISO searches where the reporting structure moved from the CIO’s organization to other C-level executives, namely the CFO, CPO or Head of Engineering. This year, as we look across our search portfolio, we have over a half dozen CISO searches all reporting to different C-level positions.
How did we get to this point?
I am fortunate to have been a practitioner on an accelerated and wild journey starting with the fall of VMS-based computing; to the rise of Open Systems; to the beginning of Linux (and LAMP); to the introduction ‘of NAS, SAN, and VM’s; to having a front seat during the rise of TechOps and eventually touching upon the beginning origins of DevOps.
In 2004, I entered the world of executive recruiting focused on the CIO, CTO, and TechOps space. Security was always an important component of our CIO searches, but it wasn’t a stand-alone executive level or a necessary strategic position until just a few years ago when we began to see quick and drastic changes occurring in the CISO space. These interesting changes were the basis for founding Hitch Partners.
As a generalization with no disrespect intended, the previous version of the CISO was a bit stuck on an approach that was not sustainable. The InfoSec community focused too much on their needs and control over the networks, systems, applications, and, yes, even control over their customers – the employees. Oftentimes, policies and procedures were focused on protection, but not focused on business enablement. Some would say that the legacy CISO position was coming from a place of “no”. Furthermore, many legacy CISOs did not come from a Dev background and therefore lacked the hands-on arsenal and compassion for Dev and product teams that is required to be successful today.
Here’s how things have changed.
While InfoSec, AppSec, Risk, and Compliance have remained important components to the CISO role, we are now seeing an increased focus on Product Security, Security Engineering, and External evangelism. In a SaaS environment, the priority is running on the public cloud and getting products out the door quickly and securely. With Cloud operations moving in as standard within both high growth companies and enterprises, the legacy approach to security defense, awareness, compliance, and protection is giving way to DevSecOps.
DevSecOps has changed the way we organize our security programs and teams. A properly structured security team allows a software product company to operate, build, and launch products in a more efficient manner that leads to a distinct competitive advantage, but it starts and ends with security.
DevSecOps has also changed the way we manage and focus on Compliance. I heard a great phrase a few months ago: “The legacy CISO used Compliance to manage Security while the modern CISO uses Security to manage Compliance.”
Another big difference we see in today’s CISO searches is the need for a client-facing persona and unique executive presence that can drive sales enablement. The idea that your company’s CISO will help secure an individual customer’s trust during the sales cycle is a very new concept, but it has already become commonplace. As such, the identification and evaluation of candidates requires a deeper dive into their background and is often harder to find.
C-Suite and Board Level Exposure:
Today’s CISO will also have more regular exposure and interaction with the C-Suite and often the BoD. This mindset shift continues to evolve which in turn determines how searches are conducted, how the org should be structured; who should be involved in the decisions; and what the best way to build a security program is.
These and other changes in security leadership happened so rapidly (over the course of three years) that the candidate market for CISOs was turned on its head and companies were (and are) caught off guard by how complex and challenging this newly crowned executive position has become. The conversation around finding the right CISO for a company has shifted from a fairly straightforward search and hunt to more of a data-driven-advisory-led journey to find the right balance of leadership presence, architecture and technical skill, data protection experience, Risk and Compliance knowledge, Customer presence; and program build experience.
I will not go so far as to say that we wanted to create something special and unique, but we did want to create a new firm that would help clients troubleshoot the gap in security leadership talent. We help candidates navigate client searches that are still defining their CSO scope, not to mention changes to their overall culture, resulting from a move to DevOps. We are consummate learners and feel that we have a strong understanding of this fractured marketplace. As a result, we often help clients with their search strategy and can further guide them on the do’s and don’ts of a Security executive search. We believe that engaging a firm to manage your security leadership search is not only about leveraging the firm’s deeper network, but also about leveraging the data and environmental lessons that the firm has learned over dozens of similar searches. We provide data to help advise, define, calibrate and recalibrate, and even with all of the data, we may still be wrong because the market is ever-changing. It is an exciting time to be involved in this space and witness the evolution of the security industry.