You can learn much about an organization by comparing the executives who are being hired with those who are being fired. To that end, let’s have a brief look at two very different types of cyber security executives passing in opposite directions through the revolving door of the departing Trump Administration. To start, you might not have noticed that the outgoing President recently hired a Chief Information Security Officer (CISO) for our nation. Way back on November 4th (seems like a long time ago), articles began to appear reporting that Camilo Sandoval had been quietly appointed to one of our nation’s top cyber security positions in October. The previous CISO, Grant Schneider, had quit the job during the summer to join Venable’s advisory team.

Like perhaps many of you, I’d never heard of Camilo Sandoval, despite four decades in the industry with my tentacles reaching into the nooks and crannies of our nation’s cyber community. So, I checked LinkedIn and found him to possess a nice resume that was certainly impressive. But it was also a background that would make him patently unqualified for the CISO position in any large organization – much less our country.

Let me explain: When hiring a CISO, and TAG Cyber has been involved in this process many times, the background of the candidate must include extensive experience in senior positions that involve selection of cyber security technology, management of policy and compliance initiatives, leadership of security teams, and immersion in the massive security community. As far as I can tell, Sandoval’s resume would be tossed in any reasonable search process.

Despite having held positions advising the VA in technical matters, serving as a chief of staff at a bank, and spending time in the ’90s as an intelligence analyst, the word “cybersecurity” isn’t even hinted at on his LinkedIn resume. There is, however, the one position that jumps off the page: He spent over a year as the guy directing voter contact operations for Donald J. Trump for President, Inc. This is important work but has nothing to do with cyber.

I would ask that you set aside the partisanship for a moment and ask yourself: Is this a valid background for a cyber security executive for America? Take me for example: Would I have made a better choice? I’ve spent forty years in this area, and no one called me. Take Charles Blauner, or Jim Routh, or Phil Venables. Would any of these fine executives have been better choices? Did anyone in Washington call them? Answer: No.

Now let’s glance across the turnstile at someone Donald Trump just fired-by-tweet (I still can’t get used to that process). Christopher Krebs spent the last couple of years as the Director of the Cybersecurity and Infrastructure Security Agency (CISA), in our Department of Homeland Security (DHS). Unlike Sandoval, Krebs does have the word “cybersecurity” all over his resume, including time spent at Microsoft directing cyber policy.

I can personally attest to his fine approach to the job, and his immersion in our complex community. (He and I sat together for dinner at February’s RSA conference – the last event I attended before the pandemic.) Despite partisan correlation between his government and commercial appointments (he worked for Bush, left for industry during Obama, and returned to government under Trump), I can report that his approach has been anything but partisan.

Now – again setting aside the bias, have a second look at the background of this executive, and ask yourself if he looks like someone worth keeping in government. I believe that you will come to the same conclusion as me: This is exactly the type of person who should be making decisions about cyber security for our nation. His background could serve as a template for the academic, industry, and government experience required for a senior position in cyber.

Here’s another thing: I’ve watched the many sad eulogies about Krebs on TV these past few hours, and I can’t help but laugh. Krebs told the truth and got fired. As his punishment, he will now follow the path of prior fine executives like Andy Ozment who left DHS for a CISO position at Goldman Sachs. If you do the typical salary math on this type of transition, you will measure something like a twenty-X increase in annual compensation. Really.

So, I guess the good news in all of this is that while our nation has inherited a nakedly partisan vote solicitor as our temporary CISO, and while an experienced and capable security executive is now cleaning out his desk in DC and will probably be shopping for a brownstone in Tribeca pretty soon – we can at least come to one conclusion that might help us all feel a bit better: Telling the truth can be lucrative.

Stay safe and healthy.