Chief information security officers are relative newcomers to the C-suite. Many organizations employ CISOs, and the role is well-known enough to have its own acronym. But it isn’t a given in all C-suites: forty-five percent of 130 respondents to a 2021 survey from software company Navisite reported that their companies did not have a CISO.
We are two years past that relatively small survey, and the need for cybersecurity talent and leadership is evident. “We’re out of the phase where we’re deciding whether this is a flash in the pan,” says Geoff Belknap, CISO and vice president of engineering at social media platform LinkedIn. But who is the ideal person to fill the CISO role? What exactly does a CISO do? Who do they report to? The answers to these questions vary depending on the company and who you ask.
Eight CISOs shared what led them to their current role, their responsibilities, and how the CISO role could still be changing.
Where Do CISOs Start?
Seasoned CISOs don’t necessarily start their careers with an eye to becoming top cybersecurity executives. Belknap shares “there wasn’t a traditional path to the role” when he first began his career. He started out in law enforcement before shifting to telecommunications and network architecture. He found his way to a network security startup, eventually building a career dedicated to security.
Janet Heins, global CISO of audio company iHeartMedia, started out as a programmer. She worked her way to managing small teams, and eventually, she reported directly to a CISO. “The pivotal moment that propelled me into a leadership role in information security was when I served as the director of eDiscovery. In this role, I reported directly to the CISO, while my peers consisted of other InfoSec directors,” she says. “I found their work to be fascinating, and I was naturally drawn toward it.”
Joanna Burkey, CISO of information technology company HP, took her experience as a software engineer into the world of startups in the late 1990s. She spent 15 years on the product side of cybersecurity before becoming a regional CISO. “I think the time that I spent building and selling product gave me a breadth of experience and knowledge that I would be missing if I had been on the ‘practitioner side’ of the fence my whole career,” she elaborates.
Nicholas Kathmann, CISO of governance, risk, and compliance software company LogicGate, shifted from IT support to more complex roles. He eventually took on a role as red team leader and chief security architect, leading the security practice for a company’s large SAP and Epic customers. “Many CISOs spend their careers managing the security posture of one company at a time. The opportunity to familiarize myself with — at a single time — about 180 different customers has been a difference-maker in my career,” he shares.
Varied experience is a common thread among these stories. These CISOs didn’t find one niche and stick to it.
While many paths may lead to the CISO’s office, a unifying set of skills may make a leader more suited to the position. CISOs are immersed in the technical aspects of defending an organization, but they also need to be able to translate that knowledge into practical business applications.
What Do CISOs Do?
So, security professionals with all kinds of experience can become CISOs, but once they get the job, what will they be doing?
CISOs are tasked with the strategic leadership of information security for their companies. This can entail building a cybersecurity program and overseeing the teams that execute the policies that underpin that program. The responsibilities are many and varied. For example, Heins is responsible for incident response, security engineering and operations, identity and access management, cloud and application security, and governance, risk, and compliance.
Effectively implementing cybersecurity demands that CISOs spend much of their time engaging with stakeholders throughout an organization: board members, other executives, and people in other departments. They also spend part of their time on external engagement. Meg Anderson, vice president and CISO of investment management and insurance company Principal Financial Group, notes that she talks with her CISO peers about emerging threats and best practices. That part of the job can help CISOs think about how to structure their programs effectively and build a pipeline of talent for the future.
Team leadership and fostering talent are core to the CISO role. The size and structure of the teams under CISOs will vary depending on an organization’s size, needs, and resources. Jason Rebholz, CISO of cyber insurance company Corvus Insurance, oversees a team of 11 people split between different functions. Anderson shares that Principal Financial Group has about 225 people supporting its global information security.
CISOs grapple with many challenges in their day-to-day. Change is rapid and constant. New threats and new defense tactics are always emerging. CISOs can never stop learning. On top of the constant demand to stay ahead, cybersecurity workforce challenges persist. CISOs need to find and shape talent to build their teams. And they need to ensure the talent they do have doesn’t burn out.
Belknap describes the CISO role as “horizontal.” To be successful, cybersecurity must touch every aspect of a business. “If you have a great depth of experience or technical skill in engineering and you have zero experience understanding how a business operates or how the legal function and the finance function interact with marketing or sales or anything else, you are going to fail,” he says.
Where Do CISOs Report?
The line of reporting varies among the eight CISOs who spoke to InformationWeek. Heins reports to iHeartMedia’s general counsel. At data protection, backup, and recovery software company Veeam, CISO Gil Vega reports to the COO with dotted-line accountability to the CEO. Rebholz also reports to his company’s COO. Burkey reports to HP’s chief digital and transformation officer. Kathmann reports to the CEO and co-founder of LogicGate. Anderson and Nicole Darden Ford, vice president, global security and CISO of industrial automation company Rockwell Automation, report to the CIOs at their companies. At LinkedIn, an independent operating company under Microsoft, Belknap reports into the engineering organization.
Lines of reporting may vary, but CISOs are no longer operating in a technical silo. They need to be able to communicate with senior leaders and stakeholders outside of their organization. “Having the ability to work very closely with industry regulators and board members has become more important than ever,” says Vega.
That communication helps to secure leadership buy-in; without that CISOs will struggle to do their jobs effectively. “As CISOs think about that reporting question, they really need to make sure they have the executive buy-in for cyber investments,” says Anderson.
Are There Different Types of CISOs?
CISOs share a basic mandate: defend their organization from cyberthreats. But meeting that mandate looks different at different organizations and at different points in time. Over the course of his consulting career, Deron Grzetich, national cybersecurity lead at management and technology consulting firm West Monroe, has identified a few different types of CISOs.
First, he describes the transformational CISO. This type of leader takes a company through a large-scale cybersecurity program makeover, perhaps following a breach or regulatory compliance issue. Steady-state CISOs maintain their organizations’ cybersecurity programs. Grzetich also highlights CISOs, often in the product space, who serve as customer-facing evangelists. Finally, he sees CISOs that are focused on compliance and risk.
CISOs might take on one or more of these permutations throughout their careers depending on the needs of the organizations they serve. But they need a command of both the technical and business aspects of their position. CISOs need to “effectively plan for cyber resiliency and then to be that translation layer between all of the great technical work that the cyber teams do to the board and other stakeholders that don’t know what a packet is or barely know what an IP address is,” says Grzetich. “I think that’s what we’ve seen in the very successful CISO roles. Those that can shepherd their program and act as that translation layer.”
Is the CISO Role Still Evolving?
Change, a challenging and exciting prospect, is inherent to cybersecurity. New technology and new threats shape how CISOs do their jobs and lead their teams. The role itself is likely to evolve as it continues to become more of a mainstay in the C-suite. “I think what’s still up in the air is how do you think about the CISO’s role and … the scope of accountability and responsibility for that role in the organization. How does it fit in?” says Belknap.
Burkey expects that CISOs will continue to evolve into true business partners who build cybersecurity strategies that support their organizations’ business strategies. “The north star I’m always aiming for is the optimal intersection of cybersecurity program to company risk, and I see this evolution continuing,” she explains.
Darden Ford sees opportunity in being a part of the first generation of CISOs. “It’s incumbent upon us to serve as change agents, especially in environments where a security mindset may not be at the forefront,” she says. “We’re here to enable the business, not hinder it, and set the pace for innovation.”
How Can Aspiring CISOs Prepare?
As the scope of the role solidifies, aspiring CISOs have the opportunity to learn from the people who came before them.
Burkey emphasizes the value of building a broad base of experience. “I would advise anyone interested in this role to focus on gaining experience in a variety of roles, and not stick to only one functional area or role,” she says.
As would-be CISOs navigate their careers, relationship building becomes an important skill to cultivate. Anderson always encourages her new employees to make a point of meeting the people in their business areas. “It’s important to meet them before something goes wrong. It’s important to build that trust to make sure that when there’s a crisis you have that relationship already,” she elaborates.
Finding a mentor can help future CISOs see what the role entails and identify the skills they need to hone. “Remember, CISOs are part of a giving community, so take advantage of that,” says Darden Ford.
No matter how the CISO role changes, it will remain a demanding position. “Too many security professionals see CISOs as simply the end of the game. It is not a role for everyone. Obtaining the title is the start of the game, not the end,” says Rebholz. “Be honest with yourself on what motivates you, what energizes you, and your comfort levels with accountability. You may find that the CISO role is not the right fit for you.”