It’s been a bit of a longer than normal stretch since I last posted to the HMG community. The Quantum team has been heads down executing on a wide range of projects on behalf of our clients, recruiting key hires up and down their respective organizational charts. It seems everyone needs multiple security engineers, and we’ve been lately actively recruiting for deputy CISOs (that can be big D in official title or little d in functional mandate). Meanwhile, contract staffing continues to figure prominently in our body of work (probably worth a blog post unto itself at some point).
What’s prompted my timing now is a quiet alarm that’s been ringing slowly these past few years. My concern centers on a recent spate of top rated CISOs/CSOs disengaging from influencer roles in our cyber ecosystem as a result of personal ego swaying good leadership in and around the CEO’s office. Is this a trend? I hope not. But the numbers are such that we’ve moved well beyond one-off/outlier territory. And it seems I’m not alone in perceiving this worrisome development. More than a few cyber leaders and observers I hold in high regard also share my quiet angst.
Now you might very well say, life isn’t perfect—managerial misalignment is an historically episodic norm that happens across all upper ranks from time to time, be it CFO, COO, CIO, etc. Ego gets in the way; magnanimity is tossed aside; pettiness seems to take center stage. With the CISO, however, the stakes are far more exigent—the bad guys are out there in large and unknown numbers, actively seeking to do harm. Moreover, upper-tier talent among the CISO/CSO community, while growing, is still years away from reaching optimal, correlative numbers.
Simply put, the corporate community cannot afford to ‘lose’ even just one quality CISO. Doing so has potentially calamitous implications on several orders of magnitude. Uppermost, great CISOs by osmosis train the next generation of great CISOs. It’s a cumulative force multiplier effect.
The seemingly slow response by wide swaths of our corporate community over the prior cyber decade (2005-2015) to respond to the stark approaching digital threat was largely born out of simple ignorance. Cyber was an altogether new development. A new entrant on the universally recognized and generally accepted threat landscape. Try as they might, though, corporate leaders could not ignore this quiet, not-altogether-understood, increasing menace to day-to-day corporate operational well-being. Cyber, like it or not, had overnight inserted itself as a new priority tab on the operational-risk mitigation plan, imposed multiple never-before-considered new hiring requirements to the existing staffing plan and necessitated new annual spends on expensive new software—pitched by countless scores of ‘new company’ vendors. All this, of course, manifested as a new (and permanent!) line item in the budget; a significantly important entry that is increasing YoY.
The cyber bad-actor threat is constantly moving and adjusting. Hence, digital security by default is an imperfect science. But this goes much deeper and wider than heretofore traditional `fog of war’ scenarios. Open, transparent lines of communication are essential. Trust and open and frank dialogue are paramount.
The good CISO, by nature, is not a provocateur, nor is s/he alarmist nor malcontent. S/he is the named duty expert within the corporate construct for a lightning-fast paced, ever evolving, often redirecting, new-to-market sector. It follows, an engaged, situationally-aware CISO is sometimes the de facto bearer of bad, unexpected, controversial and not-entirely-understood—e.g. provocative—news. Often, she/he is the ‘communicator-in-chief’, proposing to higher-ups less-than-ideal solutions to real and tangible problems. Again, human nature suggests that most folks—even the more intellectually talented and operationally-minded corporate executive leaders across our land—are discomfited by continuous grey-area decision making in a subject area about which they know for all practical purposes relatively little. This is a clear and constant point of tension in the CISO–CEO/CFO construct.
Adding extra weight to this are the causal effects of a wholly unrealistic zero-sum game mentality that seems to have inhabited many corner offices. It’s akin to “OK, it took a while for me to get here, but I’m in. You have your budget, Ms./Mr. CISO. Now make sure nothing happens.” Any chinks in the digital armor, any penetration by the bad guys no matter how small or ineffectual, is deemed a wholesale loss. As with warfare campaigns, dynamic cyber (defensive) operations are 24/7 continuous in nature. In a word, they are unceasing. Think about this for a moment . . . in terms of the corporate organizational structure. Indeed, there really are few other positions where the ‘alert lamp’ is continuously lit. It’s an intense environment, and it can beat the best of us down.
There are of late notable cases of executive teams that are ignoring and quite stunningly turning on their respective digital security leader. Officially firing the CISO is out of the question, because that raises a whole host of unwanted flags for outsiders to scrutinize (e.g. “Was there a breach?”). So instead, they disinvite, cut off and in effect isolate her/him from day-to-day executive dialogue and planning. Pettiness and politics writ large.
This model can arguably work, despite its clear imperfections and inefficiencies, on a large corporate structural level (during periods of relative normalcy anyway). But for midsized companies, it can be ruinous. There is simply nowhere to hide. Angst and resentment build and open hostility is the resulting conundrum. The net effect is that some best-in-class security leaders are resigning “to do other things” or taking extended sabbatical. They may come back to the fray at some point. But as we’re in the midst of yet another cyber market consolidation cycle (4th round?), many of these folks are waiting it out.
Let me be perfectly clear: Our cyber ecosystem can neither afford nor sustain the loss of such integral front-line talent.
No quality executive wants to be shut out, especially a forward-thinking, operationally minded digital security professional who is fully vested in and passionate about keeping the bad guys out. It is absolutely critical to establish strong open-dialogue lines. Some, maybe even a lot of what the CISO delivers in the way of updates and status reports will strike as controversial, perhaps even provocative.
With cyber, as with all effective battlefield operations, egos must be checked at the door. Cyber can be humbling and indeed frightening. When it comes to cyber, no one has all the answers.
This is what makes cyber seemingly so unwieldy and messy. Let’s call it out for what it is—for cyber’ists, digital security is cool, challenging and intellectually very satisfying given the uber high-stakes nature of it all. For the vast rest of the organization, it can sometimes be a royal PIA! My advice to CEOs and other C-level leaders: Accept it. Learn to live with it. Don’t disengage your CISOs. Instead, embrace your CISOs. Enable your CISOs. Talk to your CISOs. Together you will get it done!
Steve Spagnuolo is a frequent speaker at HMG Strategy’s CISO Summits. To learn more about HMG Strategy’s upcoming 2019 Washington, D.C. CISO Executive Leadership Summit on September 19, click here.
Stephen Spagnuolo leads the Digital Security & Risk and Retained Search practices for Quantum Search Partners, an Arlington,-VA based firm with a 25-year heritage of collaborating with clients on their most challenging-to-close recruitments within the technology domain areas—software engineering, data analytics, product management, cybersecurity & risk—up and down the organizational chart. He brings nearly twenty years of experience recruiting senior and next-generation executive leaders on behalf of a wide-ranging client base, from Fortune 500 corporates to global/regional investment banks and consultancies to VC/PE-backed early stage/emerging growth companies. A graduate of the U.S. Naval Academy, he formerly deployed to multiple overseas contingencies as a Marine Corps infantry officer.