Experts have pointed out that the broad adoption of the cloud in business is changing the role of some IT professionals. For example, where system administrators used to manage on-prem servers to support business applications, many have parlayed those skills into cloud expertise.
That’s happening in cybersecurity too, including at the leadership level, according to Michael Piacente, an executive recruiter at the boutique talent agency Hitch Partners. Mr. Piacente has a unique perspective because he sees the evolution in the roles and responsibilities his clients are asking him to fill.
1) How is the cloud changing CISO responsibilities?
Mr. Piacente said he believes the “information” part, or the “I” in CISO, is “going away from a nomenclature perspective.” Where security was once largely focused on information security, today it includes a broader category of responsibilities including and applications running in the cloud.
The cloud has facilitated software development which means there are entire businesses today that are built solely on applications in the cloud. This means the “crown jewels” of the business are also in the cloud, and so the “hygiene piece we didn’t get right in on-prem has carried over to the cloud and gotten worse.”
As a result, the role of a modern CISO is in many ways about “adversary hunting.” More importantly, it requires defining that in a way that is meaningful to the organization – and partnering with developers to implement controls and best practices to implement it.
Partnering is the operative word because development doesn’t report to the CISO, yet in a cloud environment, it’s critical to overall security. In many ways, this is a cultural shift in the role that has caused some researchers to conclude an essential skill of high performing CISOs is to learn to lead without authority.
2) How is the cloud changing the requisite skill sets for a CISO?
The skills that separate one CISO from another, center on the ability to both to explain the “complexities of dynamic adversaries” to both a technical audience, such as DevOps and to a business audience, like the C-Suite or the board of directors. In addition, information has to be articulated in a manner that gives the organization confidence in the security program.
The challenge is that talking with and persuading developers is an entirely different skill set than speaking to and influencing a board of directors. This requires cross-functional experience, and the combination of these talents is so rare.
Beyond that ideal, he suggests companies look for three core competencies in a CISO:
a) Infosec knowledge. CISOs much have a fundamental understanding of information security including how enterprise networks and the broader internet works.
b) Communications skills. CISOs need an “ability to communicate at the executive level.” Where Mr. Piacente sees candidates fall short is in conversations with the CFO. Many are accustomed to “working on complex technical problems” but have little experience distilling the meaning for a high-level business audience.
c) Sales enablement. Piacente says security leaders are generally good about getting on the phone with clients and presenting at conferences to build confidence in the security of their products. Where this is evolving is among those companies that are based on a model of software-as-a-service (SaaS). This role is customer facing – but not as a salesperson and beyond the scope of a sales engineer. The purpose to instill confidence in the product from peer-to-peer.He sees CISOs being hired in product companies as small as 50 employees to fill a sales enablement role. As these companies sell into the Fortune 500, or large enterprises, the role of the CISO here is to explain to a potential customer the security methods and practices used in the SaaS product are safe.
3) How is the cloud changing who CISOs report to?
When he first started in executive recruiting, Mr. Piacente says he was primarily filling CIO roles. At the time, the head of security was usually task-organized under the CIO, but that started to change in 2011 or 2012.
While the largest of enterprises, such as the Fortune 500, have mostly maintained that organizational structure, it’s changed considerably among the mid-market and smaller (but not small) enterprises. He noted at one time his firm was recruiting for eight different CISO positions, each with a different reporting structure. Some of these positions reported to the CEO, CFO and COO, among other structures, but interestingly, only one reported to the CIO.
Why? He said it’s because enterprises are moving data to the cloud. Where cybersecurity responsibilities used to end at the IT perimeter – the classic role in information security – today it includes application security. As such, the scope of the role has grown from just securing physical assets and infrastructure – to securing business applications, governance and compliance in the cloud.
CIOs, among most of the mid-sized enterprises he works with, aren’t tasked with managing, let alone securing, anything in the cloud. That role falls to development operations (DevOps) or some cases, development, security and operations (DevSecOps).
When his firm does see CISO positions reporting to the CIO, and business is cloud-oriented, the company has to figure out how to “embed IT in engineering” which he likened to “an allergic reaction.” This is usually a harbinger of difficult conversations to come.
* * *
The full podcast runs just about 30 minutes and is well worth a listen: Episode 116 – The future of the CISO with Michael Piacente
Note: Bricata has a comprehensive threat protection platform that covers cloud, on-prem and hybrid environments. If you’d like to see the product in action, we’d be glad to show you. Click here to request a demo.
If you enjoyed this post, you might also like:
Unleash the Kraken! 6 Things Your CISO is Thinking but Can’t Say Aloud