Today’s CSO duties are split into two primary and distinct roles: an internal function and an external one. For our SaaS clients, these roles are blurring together and becoming hard to differentiate. The CSO has become a mix of many things - part modern technologist, part business strategist, part customer advocate, and part compliance and governance warrior.
Our clients are seeking a modern leader who can shape, embrace, and lead security architecture and strategy around key objectives like leveraging public cloud infrastructure, adopting new resource ecosystems, and driving an overall mindset change to achieve DevSecOps. The problem is that conversations about these technical objectives are, well...technical. In order to precisely communicate with executives, a CSO must be able to perform a kind of magic.
Executive teams want a CSO who can weave together a viable, scalable, and sustainable security story for their software and services brand. Essentially, they want a customer advocacy evangelist. When a company begins running complex environments—whether pilots or actual production migrations from virtualized cloud to containerized (Kubernetes) solutions—the CSO’s role is spotlighted. These environments pose complex challenges to an organization’s attack surface, which gives the CSO a visible role in making clients feel secure and comfortable with the process. If you are the CSO of a software or service provider, you are now part of one of the first discussions with buyers. CSO leaders have become part of the sales cycle.
Furthermore, the CSO is tasked with building a team and/or process that will help automate the sales engine through consistent training of SREs or the sales force. The CSO is ultimately responsible for winning customers and keeping the strategic direction on course. We’ve seen the number of VPs of Sales or CROs on our CSO interview panels skyrocket in the past year. Most VPs of Sales realize that CSOs are not going to be sales leaders, but they do expect them to be highly tuned customer-facing leaders.
As for Compliance and Governance - that could be its own blog post. We see a few dozen CSO searches per year and it is rare to find any two companies that define their CSO’s role around compliance scope in the same way.
The CSO is now driving the conversation around whether a company’s operating model will enable Security to maintain Compliance or whether Compliance will enable the direction of Security. This is a complex and difficult problem for most of our clients. Finding the perfect CSO is a search for an artist, architect, and artisan—all in one.