Evolving the CISO role: servant leadership, dual career tracks, and permission to fail
Looking at three areas I believe are required for us to evolve the CISO role as we are going to the future: servant leadership, dual career tracks, and permission to fail.
The CISO role is only 29 years old. The world's first Chief Information Security Officer, Steve Katz (1942 - 2023), was named to this newly-created role by Citicorp back in 1995. Since day one, the role has been perilous and complex. Citicorp didn't create the position because it realized that technology needs to be secured. Instead, around 1994, there were rumors that the company had been hacked, and no one knew whether it was true or not. It turned out that Citicorp’s systems were indeed compromised and Russian hackers stole more than $10 million from the bank.
Since day one, the security leadership role has been constantly changing. In this piece, I am looking at three areas I believe are required for us to evolve the CISO role as we are going to the future: servant leadership, dual career tracks, and permission to fail.
Need for servant leadership
Concept of servant leadership
Servant leadership is a concept that promotes the idea that leaders should be focused on recognizing talent, helping people on their team achieve their true potential, and empowering them to make a difference in the organization while leveling up their skills and abilities. In other words, leaders make an impact by building high-performing teams and clearing the obstacles so those teams can do what they do best, not by being the most senior or the most knowledgeable person in the room.
While the idea of servant leadership is well understood, it would be an overstatement to say that we have been widely successful in getting it implemented in practice, not just in security but also in other areas of business. There are many reasons why that is the case, but the most important one, in my opinion, has to do with the fact that it requires executives to undergo a mindset shift. Usually, people are promoted based on factors such as their ability to identify and solve the right problems, execute, and drive change. This naturally makes them more confident in their own abilities and talents, and with that confidence often comes a leadership style that emphasizes the individual.
Servant leadership requires one to bet on their team instead of solely on their own abilities. In a way, it means that an individual has to relinquish a certain degree of control and delegate a lot of impactful decisions to their team.
Cybersecurity has been late to embrace servant leadership
Cybersecurity has been lagging in embracing the ideas of servant leadership. There are several reasons why that is the case. First and foremost, security leaders are frequently used as scapegoats for any of the mistakes, miscalculations, and frankly bad luck that impact the security team. This factor naturally makes them more likely to exert a high degree of control over what’s happening on the ground. If they are going to be held accountable for every decision, they had better be sure that they are the ones making, or at least closely overseeing, those decisions. Second, we as an industry have borrowed a lot of approaches to leadership and organizational design from the military, intelligence, and law enforcement agencies. Since many security practitioners and security leaders come precisely from these backgrounds, it makes sense that we have brought the way things were done there into the industry. A good example of how hierarchical environments translated into security teams is the tiered system for security operations center analysts (tier 1 analyst, tier 2 analyst, tier 3 analyst, etc.) and the escalation process for security operations. None of these are bad approaches; it’s just that since they were established, we have learned a lot of new techniques that we can now use to our benefit. Another reason why the ideas of servant leadership are still very new to security is that most security leaders are only now starting to get closer exposure to other areas of the business. Compared to their counterparts in engineering, few CISOs have historically been invited to participate in strategic business decisions, and not as many have formal training in people leadership or, say, an MBA.
Servant leadership and security in the coming years
Even though security has been late to embrace ideas of servant leadership, the industry is rapidly transforming. More and more security leaders are starting to see themselves as business leaders first and security professionals second. CISOs are recognizing that organizations’ environments have become too complex for them to be an expert on everything, and it is that realization that is driving them to hire the best and to delegate more. As security practitioners are becoming more and more specialized, I anticipate that this trend will continue. CISOs can no longer be expected to have the best answer to every question, and they have to rely on their teams to identify and prioritize critical problems and recommend the most appropriate security solutions.
Moreover, as cybersecurity has become a board-level concern, more and more security leaders are expected to become managers of business risk, not just information security risk. The vast majority of CISOs are able and ready to rise to that challenge and welcome an opportunity to help shape the company's direction. Those who aren’t interested in going beyond the traditional scope of the CISO role may find themselves struggling to compete in the coming decade.
These changes have implications for the buying process. While for the years to come, security will continue to be adopted mostly top-down, I think the role of security practitioners in the buying process will continue to increase.
One area where we struggle, and where I anticipate we will continue to struggle, is developing people. Theoretically, we should be able to hire junior security practitioners and help them grow and accumulate experience. In practice, however, things work differently. Security teams are small, and since security is seen as a cost center, it is very hard for CISOs to get an increase in headcount. When they are successful, they have to make the decisions that are best for the business, and that means bringing someone on board who has the right experience and can get up and running quickly. As a product leader, I have seen the same happening in product management: since product teams are small and the role is incredibly impactful, it is nearly impossible to hire junior PMs. Many misunderstand how this works and oversimplify the whole problem as “gatekeeping”, which certainly gets likes on social media but doesn’t really address the problem. As an industry, we have to do better, but it will take us time and continued effort to do it.
Dual career track in cybersecurity
Concept of dual career track
The concept of a dual career track originated in software engineering. The premise is rather simple: in order for software engineers to grow and reach the pinnacle of their careers, they should not be forced to become people managers. Not everyone who is a brilliant technologist has an aspiration to hire, lead, and manage engineering teams, and people should not be forced to do what they are not good at in order to get higher pay or to earn recognition from peers and the organization for their contributions.
Although the concept originated in software engineering, it is certainly no longer limited to it. I believe that cybersecurity would greatly benefit from following suit and embracing a similar approach as well.
Cybersecurity has been late to embrace a dual career track
Cybersecurity has been slow to embrace the idea of having a dual career track. This has resulted in several challenges. First, there are plenty of CISOs who, if they had a choice, would not have taken the path of people and business leadership. The problem is that getting into people management is often the only way to increase one’s compensation and career standing. There are many brilliant technical security practitioners who would likely have been happier if they were able to continue growing their responsibilities and compensation without going into management. Sadly, many organizations lack any career ladders for technical security practitioners, which in turn forces them to consider people leadership.
The fact that security doesn’t have a dual career track causes a variety of challenges for us as an industry. Sadly, solving this problem is not that simple. Since security teams are small, there is usually little room for practitioners to grow. While some engineering-centered organizations have introduced roles of principal/staff security engineers, there is still no such thing as a distinguished security engineer. Organizations outside of the traditionally mature venture-backed enterprises and cloud-native Silicon Valley startups tend to not even have principal/staff levels.
Dual career track in security in the coming years
The shape of security leadership is changing and so are the demands for the CISO role. CISOs are now expected to build teams, own cybersecurity strategy, oversee and direct execution, own governance, risk, and compliance, and navigate the ever-evolving regulatory landscape while also ensuring that organizational controls are capable of guarding against attackers.
With so much on CISOs’ plates, it is time to recognize that one person simply cannot do it all. In particular, it’s simply not possible to be a business leader and, at the same time, a technologist who is on top of every new attack vector and method. As an industry, we would greatly benefit from developing dual career tracks where technical security practitioners who are brilliant in their respective fields can grow into roles of distinguished engineers/architects and own the technical side of security without taking on direct reports or the CISO title. This should also allow them to be compensated at a level similar or equal to that of CISOs.
While I am fairly confident that large infrastructure providers such as Microsoft, Google, and Amazon, to name a few, will eventually embrace this approach (or have already embraced it), I am doubtful the rest of the industry will get there anytime soon. The simple truth is that security is a very young discipline and we’re still at the earliest stages of professionalizing it. That said, we are most definitely moving in the right direction.
Permission to fail
The concept of permission to fail
The concept of permission to fail is simple: people make mistakes and since nobody is perfect, they should be given room to fail, recover, and learn from these failures. Companies should not be seeking to axe executives when the company experiences a breach unless the CISO in question was clearly negligent or incompetent, and is directly responsible for the incident. Fortunately, in the overwhelming majority of cases, we see none of that.
Permission to fail in cybersecurity
Cybersecurity has been notoriously bad at permitting people to fail. This is not at all fair, as no technology is bulletproof, and it’s only a matter of time before an organization suffers an incident. No matter how many sacrifices people make and how much heart and soul they pour into their work, eventually something will break, and when it does, they will be blamed. We have learned that software engineering is not perfect, and the best we can do is to establish systems and processes that catch most of the critical bugs. Yet despite all our efforts, we know that eventually some customers will run into issues; sometimes blocking, and at other times merely annoying and inconvenient. This is why we have the process of bug triage, and why engineering leaders don’t get fired when someone runs into a P0 issue.
The same is not true for cybersecurity. Somehow every organization expects its security team to be perfect, and smarter than any attacker, be they script kiddies throwing things at thousands of companies or nation-states targeting specific organizations. Security is always a losing game: there are criminal syndicates and nation-state actors that have millions of dollars to spend on the latest tools and the best talent, and, if they are particularly determined, to literally fly their operatives thousands of miles and bribe an employee on the ground, or better yet, to get their own people hired by a company and gain access to its most sensitive secrets from the inside. And yet, security teams are not allowed to make a single mistake.
Permission to fail in cybersecurity in the near future
Working in security means anticipating and fearing failure. As an industry, we have no choice but to change the perception of what it means to fail.
In security, most of the details that lead to breaches have little to do with the decisions of the executive leadership. The number of misconfigurations, the number of software bugs, the number of vulnerabilities, and the number of potential attack methods are so high that no matter what security teams do, it will never be enough. There is no rule that bad actors will only exploit vulnerabilities marked by tools as “high priority”, and there is certainly never going to be a time when attackers stop looking for new ways to break into our infrastructure. We cannot judge a CISO's effectiveness based on incidents that happen despite their unwavering commitment, despite their best effort, and despite their hard work. Moreover, having incidents on one’s resume should be seen as an asset, not a liability (certainly when those incidents weren’t easily preventable). Once in a while, there will inevitably be cases when someone just didn’t care enough or wasn’t competent to be a leader, but these are incredibly rare exceptions, not the rule.
All that said, I think changing the way we treat security will take time. We’ll inevitably need to review what constitutes a failure and when people should be in fact rewarded and recognized for their hard work, even if they never become perfect.
The good news is that the changes are happening. Over the past several years, we have seen plenty of cases where, following a big security incident, security leaders weren’t fired but were instead promoted or given expanded responsibilities. More and more organizations understand that security is complex and that they would greatly benefit from having someone on the team who is able to handle that complexity without constant fear for their job.
The CISO role is transforming as we speak
The CISO role is transforming, and this transformation is happening in front of our eyes. Several weeks ago, Senate Finance Committee Chair Ron Wyden, D-Ore., and Senator Mark Warner, D-Va., introduced a bill to set strong cybersecurity standards for the American health care system.
As the one-page summary of the bill explains, the legislation:
“Modernizes HIPAA security requirements by creating mandatory minimum cybersecurity standards for health care providers, health plans, clearinghouses, and business associates.
Enhanced standards apply to systemically important entities and entities important to national security.
Requires covered entities and business associates to submit to annual independent cybersecurity audits, as well as stress tests to determine if they are capable of restoring service promptly after an incident, which HHS can waive for small providers.
Requires HHS to proactively audit the data security practices of at least 20 regulated entities each year, focusing on providers of systemic importance.
Increases corporate accountability by requiring top executives to annually certify compliance with the requirements. Congress already requires execs to sign off on financial statements, as part of Sarbanes-Oxley, and it is a felony to lie to the government.
Eliminates the statutory caps on HHS’ fining authority, so that mega-corporations face large enough fines to deter lax cybersecurity.
Supports the Department’s security oversight and enforcement work through a user fee on all regulated entities.
Provides $800 million in up-front investment payments to rural and urban safety net hospitals and $500 million to all hospitals to adopt enhanced cybersecurity standards.
Codifies the Secretary’s authority to provide advanced and accelerated Medicare payments in the event of a cybersecurity disruption to the health system, as was necessary during the Change Healthcare attack”.
If passed, this bill has the potential to establish a framework around cybersecurity responsibilities and transform the CISO role the way the role of CFOs was transformed by Sarbanes-Oxley. As Chenxi Wang explains on her LinkedIn, “For public companies today, the CFO and the CEO must certify the company's financial statements every quarter. This bill would have the CISO (and presumably the CEO) publicly certify its cybersecurity compliance annually. This step will allow the CISO to gain appropriate resources, take on proper accountability, and also receive much-needed protection for his/her job.”
These changes, if adopted in healthcare, could later get adopted by other industries as well, changing the CISO role as we know it for decades to come.
Closing thoughts
Cybersecurity is evolving, and so is the security leadership function. Since 1995, the CISO role has changed along with the industry. The role has indeed become more complex, but it is also more accepted and understood than it was three decades ago. Just as I am optimistic about the future of security, I am optimistic about the future of the CISO role and how it will continue to evolve in the years to come.
Already today, CISOs are expected to be business leaders first and security practitioners second. They are expected to own some of the most complex and impactful areas of the enterprise, and most are ready to face that challenge. In the coming years, CISOs will continue to need to reinvent themselves the way they have done for the past 30 years. As that happens, I hope that servant leadership, dual career tracks, and permission to fail will become a norm in the industry.
This is a great article Ross, and something I get the opportunity to see every day when consulting with cyber teams.
I've found the best practical guide comes from the Cyber Leadership Institute which is actively training CISOs in changing leadership models and engagement across multiple business stakeholders.