4 Comments

Thank you again for another excellent article, Ross.

My own experience is an anomaly (aren't they all?). I have a technical background, but also a military background that gave me the strategic thinking and leadership required of a CISO.

My last role was a vCISO in a large ITO firm of over 100,000 employees. Its cloud managed service served over 100 enterprise customers all over the world. Because it is a large company, it was assumed that security was a solved problem on account of the mature GRC organization the company already had. I disagreed - I built a new governance framework to ensure we were provably delivering the security outcomes these customers required in their diverse geographies and industries. The company already had a CISO and a Deputy CISO, but the industries we served were so diverse that they were spread very thin and seemed quite disconnected from realities on the ground. My own "department" was one cloud engineer who did his best to implement my vision!

My current role is CISO of a rapidly growing specialist cloud managed service firm of fewer than 800 people. I suppose you would therefore call this a "midsize" company, but it also has over 100 enterprise customers all over the world. I now have a department of over 25 people across four subdepartments (compliance, security architecture, consulting, SOC) and am responsible for securing both my own company and the parts of our customers for which we have responsibility. I am both an internal CISO and a vendor CISO. I present risk to the board, and travel to meet customers to discuss their risk. I also get heavily involved in sales.

It might seem counterintuitive that my mid-size firm has the security department and governance structure of a good-size enterprise, whereas in my large firm I struggled for security resources and spent too much time fighting internal bureaucracy and politics, but a smaller company is under greater scrutiny by large enterprises than a large one would be!

That does indeed sound unusual but also highlights a great point - that any categorizations are just our way to approximate reality, and not a perfect reflection of it. I believe that principle is called "the map is not the territory". There are indeed companies in the finance industry that invest less in security & GRC combined than someone in retail or manufacturing. There are 10-person shops with a more sophisticated approach to security than 500-person organizations, etc.

Absolutely, as George Box said: "all maps are wrong but some are useful". I first heard that when Simon Wardley was describing Wardley Maps!

Such a great post. The reality is that cybersecurity leaders, including CISOs, much like broader cybersecurity, are a diverse group depending on industry, organization, size and more.