As the CISO role matures in the corporate environment and security managers rise through the ranks from technology managers to more comprehensive risk advisors and business leaders, career advancement is also changing. For many today, CISO is no longer the final destination in the C-suite, as security leaders seek to leverage their ever-growing business skills into a broader class of C-suite executive positions.
Among the obvious pivots for CISOs are the roles of chief risk officer (CRO) and chief information officer (CIO). Another common shift is to the chief technology officer (CTO) role. With the drumbeat increasing in both the security and board-level business worlds for secure-by-design in software engineering, product development, and technology architecture, filling the CTO position with a former CISO looks like a big bet when the conditions are right.
Although there is still no statistical support to prove this trend, anecdotal evidence is growing. Companies like 20th Century Fox, Bank of America, and Fifth Third Bank have promoted CISOs to CTO roles in the past few years. This is also the path taken by credit reporting giant Equifax, which a few months ago promoted CISO Jamil Farshchi to the joint positions of CTO and CISO.
For his part, Farshchi says the career change was a coincidence for both him and his employer over six years. Farshchi is a veteran CISO who has worked at The Home Depot, Time Warner, Los Alamos National Laboratory, NASA, and more. He came to Equifax in the wake of a massive data breach in 2017. He was tasked with helping to effect significant organizational and technology changes to support the company's digital transformation efforts, as well as bring about change in his security program.
“In my position as a CISO, my team and I have been deeply involved in technology from the beginning, and because of the reporting line structure, I have always reported to the CEO,” he explained. “So when his previous CTO left a few months ago, he took another opportunity to become CEO of another company. I was asked to expand my role.”
CISOs have skills applicable to CTOs
Even before the Equifax promotion, Farshchi said he was seeing evidence of a similar shift occurring across the security community. Not only has he seen a friend move from CISO to a CTO or head-of-product type role, but he has also fielded questions from CEOs and recruiters wondering whether a CISO is right for the CTO role. In his opinion, it's a clear yes.
“A lot of the behaviors, a lot of the practices, a lot of the skill sets, strategic thinking, etc., that it takes to be successful in technology as a CTO are exactly the same qualities that you need to be successful,” he explains.
This is a sentiment shared by many in today's security and technology leadership communities. According to Bob Zukis, a longtime cybersecurity and executive development expert who runs the Digital Directors Network, many corporate CISOs (those who are true business leaders, not highly technical practitioners) are poised and ready for the transition to CTO.
“Many of the CISO's jobs, from strategy to operations, translate naturally into the CTO role. CISOs are used to working cross-functionally and are used to working across the organization from a risk perspective. They are operationalizing the technology and introducing a lot of innovative technology from the security capabilities,” he says. “It's just a changed context where you start strategically selecting and deploying technologies from a value creation orientation rather than a value protection orientation.”
Randy Watkins, CTO of MDR provider Critical Start, says cross-functional expertise and experience is one of the biggest advantages a CISO brings to the table as a CTO candidate. CTOs typically cross many disciplines and manage many complex relationships among engineering, product teams, business groups, and others, whether they are bringing technology-enabled products to market or supporting many internal customers and business groups that use applications and platforms for business.
“CISOs didn't have their own budgets, they didn't have enough people, so CISOs had to work cross-functionally,” he says, explaining that CISOs have needed to work together with other IT and business groups and executives to get things done and make security efforts stick. “So cross-functional ability is definitely a must-have strength for a CISO, and it's also a strength for a senior leader in an organization. It actually kind of unlocks a pretty high ceiling.”
Although Watkins was not a CISO himself, he came from the security field and served as director of security architecture before moving to his role at Critical Start. The company is a security company, so his transition a few years ago was very smooth. He did feel he needed to develop and grow in terms of product management skills and knowledge, which may be an area where some CISOs also need to brush up to successfully advance into a CTO position.
“The biggest learning curve was trying to understand the product management lifecycle, understanding Agile and waterfall, and the advantages and disadvantages of each,” he says. “It's been a pain to really build timelines and deadlines and understand things like sprint cycles and release dates and release cadences, and I feel like it's been a lifelong learning process.”
As CTO of a security company, Watkins says he still has pretty good connections with his friends in the CISO community. He said what's been going well for this group lately is that they're becoming more and more product savvy, which will help many people hoping to compete for the CTO position in the future. He says there are two reasons why this insight evolved.
“One is because we usually get approached for consulting, or we get pulled into VCs and PEs to talk about the latest and greatest technology,” he says. “And two, they need to talk to manufacturers like us, where we are in our product cycle, and how we can help build our business more. They want to understand how they can deliver value. This can help make a huge difference in flexibility and agility for the company. That's the role of the CISO.”
Security-focused CTO supports secure by design
But perhaps the biggest benefit that CISOs bring as CTO candidates is the risk management mindset they bring to the innovation cycle.
“We're definitely going to see an escalation of security discussions earlier in the innovation lifecycle, and I think that's a really good thing,” Zukis says.
Mr. Watkins wholeheartedly agrees.
“I love any position that a security-minded person joins because they bring a unique security knowledge and thought process. Even if you do,” Watkins said. “This is effective in tying the security thought process to every little aspect.”
This could have a big impact on secure-by-design efforts, which are often plagued by cultural and incentive issues more than anything else. A CTO who is a security veteran is more likely to have an intrinsic motivation to create better incentives for engineering teams to develop and create secure products from the beginning. More importantly, former CISOs are likely to be aware of the potential risks that new products and platforms may introduce early in the planning process.
“I think organizations that choose to have a security officer as their CTO should greatly benefit from safety by design,” says Farshchi. “They care deeply about security and are going to build it in from the beginning instead of rushing to bolt it on afterwards.”