Not every security leader works at a Fortune 500 company
Looking at different types of CISOs, differences between all of them, and the movement I see happening between CISO groups
Several months ago, I published a deep dive discussing the problem of CISO resignation. That article, which received a lot of attention, spurred two discussions that inspired me to write this piece. I look at two problems:
Whether or not the state of the CISO's role at large enterprises can be used to generalize about all CISOs
Whether or not vCISOs are qualified enough to have “CISO” in their name since many vCISOs never served as full-time security leaders
Although at first glance both debates appear to not be related, after a lot of reflection I realized that they very much are. I discussed this topic with several CISOs and vCISOs in my network, and the article that follows is an outcome of these discussions.
When we talk about CISOs, we mostly mean security leaders at large enterprises
It is not possible to discuss the state and the trends surrounding the CISO role without first looking at different types of security leaders.
Before we dive in, it is worth recognizing that as an industry, we have done a poor job of understanding the multitude of different types of CISOs. The reason for this is everybody’s focus on the enterprise space:
Industry analyst firms sell to enterprises so naturally CISOs they talk to work in Fortune 500, or at best - Fortune 1000 organizations.
Resellers and integrators target the same Fortune 1000 businesses.
Event organizers love seeing security leaders from recognizable firms as keynote speakers and panel participants.
Venture capital firms want to see CISOs from companies with large security budgets on their advisory boards.
Journalists want to speak to CISOs from recognizable brands.
Regulators pay the most attention to the work of security leaders of publicly traded organizations.
This list can go on and on. For absolutely valid reasons, for over a decade most parties in the industry have equated being a security leader to being a CISO at a large enterprise. I am not an exception: when several months ago I decided to take a closer look at the question of CISO resignation, and I zoomed in precisely on the list of Fortune 500 security leaders.
Given how much attention the industry has been paying to security leaders at the world’s largest enterprises, we have accumulated a solid body of knowledge about their needs, challenges, ways of working, and trends shaping the CISO role. We have even found a way to classify them into different groups. Jeff Pollard, VP and principal analyst at Forrester, identified and explained six types of CISO: transformational CISO, post-breach CISO, tactical/operational expert CISO, compliance and risk guru, steady-state CISO, and customer-facing evangelist. Steve Zalewski, formerly a CISO at Levi Strauss & Co., outlines the three types of CISOs: the technical CISO, the cyber risk CISO, and the business risk CISO. Whichever of these approaches we take (and there are many more), it is clear that most discussions about the CISO persona are focused on the enterprise CISO.
I have observed that there are many different kinds of CISOs and that the type of CISO is largely dependent on the size of the organization they serve. In this piece, I am looking at different dimensions of the CISO role across a wide variety of businesses.
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
Over 3,500 copies of my best selling book “Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup” have been distributed to the readers so far.
The book is intended first and foremost for builders - startup founders, security engineers, marketing and sales teams, product managers, VCs, angel investors, software developers, investor relations and analyst relations professionals, and others who are building the future of cybersecurity. If this sounds like you, you should get a copy. The book has been rated 4.9 out of 5 on Amazon based on 80+ reviews, and in 2024 it became a finalist of the SANS Cybersecurity Difference Makers Awards.
Four types of security leaders
Different types of organizations allocate different amounts of resources to their cyber defenses. As a generalization, the budget factor along with the company size dictates what a security leader in an organization would look like, what they would be required to do, and what they will be accountable for.
Enterprise CISOs
Most of the time when people in the industry are talking about the challenges of CISOs, they mean precisely security leaders of the top largest enterprises, Fortune 500 or Fortune 1000. Their needs are what predominantly shape most industry reports, especially those produced by industry analysts.
The worries of the needs of CISOs working at large enterprises are fairly unique. First and foremost, the regulatory requirements they are expected to fulfill are substantially larger than those of mid-market enterprises. Second, their scale of operation demands solutions that can support the complexity of multi-national, hybrid, multi-cloud, and often incredibly complex tech stacks. Third, although the amount of money each company is willing to allocate to security varies, the challenge isn’t as much about getting the resources but about appropriately allocating them to drive the best results. CISOs at Fortune 1000 organizations are forced to deal with a lot of politics, continuous and sophisticated attacks, frequent regulatory hostility, and, subsequently, a lot of stress.
The degree to which an individual security leader is able to make an impact in the enterprise varies greatly from one company to another. While some hold an executive-level title of a CISO and have a seat at the C-leadership table, others are VPs or SVPs (Senior VPs) reporting to the CIO.
As I have previously discussed, while analyst firms and many industry insiders talk about the “great CISO resignation”, looking at the movement of CISOs in Fortune 500 enterprises does not appear to support this assertion for this demographic group. The fact that CISOs of Fortune 1000, despite the incredible pressure and stress of their role aren’t quitting in droves, is impressive. In my view, it’s a testament to their dedication to the profession, a strong sense of mission and purpose, and the desire to do what needs to be done despite all the odds. Last but not least, it also shows that the compensation levels CISOs at the US largest companies enjoy may be serving as a solid retention factor.
Security leaders at large enterprises typically take one of two paths: they either have a large security team or a small one augmented by an outsourced service provider. Many companies tend to be heavily focused on fulfilling compliance requirements and therefore they either see security as a by-product of compliance, or use compliance as a justification to get a budget on security.
When it comes to the backgrounds of people who become security leaders at the enterprise, they tend to be fairly diverse. Based on my observation, many come from compliance and governance roles, IT and infrastructure leadership, intelligence agencies and law enforcement, and some (although relatively a minority and typically concentrated at cloud-native tech companies) from incident response (IR), software, and security engineering.
Mid-market CISOs
As we move past Fortune 1000 and look at smaller enterprises, we enter the mid-market segment. Companies in this segment vary greatly with respect to the way they approach security and structure their security organizations (if they have them).
Depending on the type of business, some organizations in this category hire CISOs that contribute at the leadership level, while others either have them report to the CIO, Head of IT, or Head of Engineering. Plenty of mid-market enterprises do not have a dedicated security leadership role to begin with, instead incorporating the responsibilities that traditionally would fall under a CISO in job descriptions of other technology executives. Because regulatory scrutiny in this segment is lower (especially for privately held corporations), the security budgets of mid-market enterprises are much smaller compared to their Fortune 1000 counterparts. This means that instead of being able to fund teams of security engineers, detection engineers, and top-tier incident responders, many have to “do more with less”.
Unlike Fortune 1000 CISOs that work with the world's largest consulting firms, have access to industry analyst firms such as Gartner and Forrester, and tend to buy new solutions via arrangements with channel partners, mid-market CISOs are much more agile in their decision-making and constrained by their budget, which makes them a target for security startups.
I would argue that CISOs of mid-market enterprises are most affected by the disparity between the resources and the expectations. First and foremost, they are expected to strengthen their company’s defenses, prevent attacks, and respond to incidents as effectively as their Fortune 1000 colleagues, but on a fraction of the budget. They are overextended, underfunded, and frequently burned out. To make the situation worse, CISOs of mid-market companies often aren’t being compensated all that well, hence why it is no wonder that a big percentage, based on my anecdotal observations, frequently change jobs. Whenever we hear that CISOs are leaving their full-time jobs to become vCISOs, it is typically mid-market, not Fortune 500 security leaders that take that path.
The smaller the company, the more different the titles and the scope of responsibility of security leaders. At many companies under 500 people, security work is typically handled by the CIO. It’s not uncommon to see businesses between 500 and 1,000 employees have a Head of Security - a tactically-focused individual in charge of buying and configuring security tools, and commonly, work of an external service provider, MSP or MSSP. As a rule, companies start calling their Head of Security a CISO when they have a dedicated budget and are willing to have them hire one or two security or IT practitioners.
Because of the frequently hands-on focus on the mid-market enterprise CISO, people in this role commonly have a background in IT, sometimes software engineering (if they work at a tech startup), and to a lesser degree, compliance.
Virtual CISOs (vCISOs) and CISOs as a service
Although it is tempting to only focus on the needs of the enterprise, small businesses are a critical part of the American economy. “Small businesses are generally defined by the U.S. Small Business Association (SBA) as independent businesses having fewer than 500 employees. Based on SBA's definition, there are 33.2 million small businesses in America, which account for 99.9% of all U.S. firms. Small businesses are credited with just under two-thirds (63%) of the new jobs created from 1995 to 2021 or 17.3 million new jobs. Small businesses represent 97.3% of all exporters and 32.6% of known export value ($413.3 billion). They also employ almost half (46%) of America's private sector workforce and represent 43.5% of gross domestic product.” - Source: The U.S. Chamber of Commerce.
It makes complete sense that the 33.2 million small businesses and nearly half of America's private sector workforce they employ also need to be secured. The way security at an SMB looks is, however, substantially different from an enterprise. A small 150-person company doesn’t often have a single full-time IT person, let alone someone responsible for security. A lot of companies rely on managed services provided (MSP) and assume it’s good enough until they get to 200-250 people. This is a small subset of the small business category: out of the 33.2 million small businesses, 27.1 million are run by a single owner and have no employees, 16% have between one and 19 employees, and only 650,003 small businesses have between 20 and 499 employees.
The level of understanding of security among SMBs is low, so the vast majority aren’t concerned with their compliance, let alone cybersecurity posture. The small subset of those who are, are typically driven by one of the three motivators:
Seeing compliance as a sales enablement. This may include SOC2, ISO 27001, and other certifications common in the industry the company operates. This is by far the biggest motivator that drives, based on the observations, about 80 to 90% of interest.
Being pressured to provide proof of compliance with various standards by the clients, or evidence of some security program by their cyber insurance provider. This is the second most common driver for companies to adopt security (10-15% of small businesses).
Being proactive and looking to build security into the product or service offering from day one. This is by far the least common motivator for small businesses to adopt security.
It is worth noting that although I frequently emphasize that compliance is not the same as security, compliance is, indeed, the main factor that drives companies to invest in security efforts; while this is frequently the case for large enterprises, it is especially relevant to small businesses.
Small businesses do not have the resources and a business justification to hire full-time employees in non-core functions such as legal, marketing, accounting, or cybersecurity. Instead, they achieve growth by focusing on their main value proposition and leveraging external help for the rest, which in practical terms means hiring consultants, agencies, and fractional professionals. To satisfy their security needs, small businesses rely on virtual CISOs (vCISOs) or CISOs as service providers.
There is a common sentiment in the industry that one cannot possibly become a vCISO if they were never a full-time CISO. The main reason why this assumption is wrong is that full-time CISO and vCISO are two fundamentally different roles. vCISOs meet their clients where they are and help them to lay the foundations for their security efforts. In some cases, this means explaining why it is important to adopt a password manager instead of storing credentials in a Hubspot CRM (even if the CRM requires MFA to log in), in others, it means deciding how to spend the $900 per month (or $30 per employee) the company is able to allocate on security, and sometimes, it’s about “sneaking in” additional security measures when all the customer is looking for is a compliance certification. vCISOs might be doing a lot of work in spreadsheets instead of modern governance, risk, and compliance (GRC) tools, and configuring what an enterprise CISO would consider laughable controls, but what matters is that these measures are appropriate to the stage and the needs of the organization. To summarize, unlike what some in the industry may believe, vCISOs aren’t a junior, “less experienced” version of CISOs but rather a different type of security practitioners serving an entirely different market.
The closest analogy that comes to mind is the difference between a middle school teacher and a university professor: while the professors are highly educated, specialized, and generally better paid, no parent would argue that a middle school teacher is not important to their child’s development. Similar to how without a good middle school teacher a kid may never be ready for the university, a company that doesn’t establish solid security foundations early with the help of someone like vCISOs, may never grow large enough to later hire a full-time CISO. Both are important, and both have a role to play at different stages of the person’s (or company’s) life.
People who end up in a vCISO role come from a variety of backgrounds. Some, as I have previously discussed, are practitioners (analysts, engineers, or architects) who started a vCISO business on the side, others come from the compliance space, while a large percentage pivot their careers from technology-adjacent but not security-specific roles such as product management, IT support, consulting, software engineering, solutions architecture, or even software sales. As a rule, the vCISO role draws generalists. CISOs at large organizations don’t need to be hands-on or possess deep expertise in specific areas of security. They are first and foremost strategic leaders, and as such they have the budget to build and develop high-performing teams with the right skills. vCISOs, on the other hand, need to be able to do the work on their own. A lot of their role is about enablement, such as educating customers, coaching, and guiding them through changes, but a large part requires hands-on skills deploying and configuring a variety of tools appropriate to the business size and requirements.
It is worth adding a brief note about the way vCISOs are structured. While most vCISOs today offer their services as independent consultants, we are starting to see partnerships, cooperatives, and advisory firms such as SideChannel run by Brian Haugli, and Fractional CISO founded by Rob Black. The vCISO role is still early, but it’s becoming apparent that it’s likely to develop in a direction similar to law firms where solo practitioners and larger partnership groups co-exist in the same market serving different types of customers.
Field CISOs and CISOs employed by security vendors
There is a category of security leaders that deserves a separate mention, namely CISOs employed by cybersecurity vendors. The scope of responsibility of people in these roles varies widely.
Some CISOs who work for security vendors are focused exclusively on securing the organization: developing the security strategy, working with the company board, selecting tooling and managing relationships with providers of security solutions the company relies on, hiring, and building high-performing teams. In this regard, the role of security leaders employed by cybersecurity companies is no different than that of their colleagues working for software companies in other fields.
On the other side of the spectrum are security leaders hired to perform a more sales-focused Field CISO role. In the past decade, cybersecurity companies have learned that in a world where thousands of vendors are trying to get the same several thousand CISOs into a “short 30-minute demo” to see their next-gen tool, betting on credibility and human relationships can be a winning strategy. Driven by this realization, they started to hire experienced CISOs to perform a somewhat hybrid role - a part security leader, and part marketing and brand evangelist. Some companies go as far as to assign their Field CISOs a sales quota, while others measure their performance by the number of talks given, thought leadership articles published, and customer calls held. There are also a few security companies that see their Field CISOs as first and foremost consultants capable of coming in and helping a customer or a prospect to solve their problems, regardless of whether or not the product or service offered by the vendor that pays their salaries is suitable to be offered as a solution.
Over the years, many in the industry have treated Field CISOs and CISOs working for security vendors unfairly, questioning their qualifications, contributions, and often the value they are capable of providing. Malcolm Harkins summarized the problem in his LinkedIn post several months ago quite well:
Source: Malcolm Harkins
Malcolm’s post triggered an outpouring of support, and rightfully so. Treating security leaders (or anyone else for that matter) based on what company they work for is not right.
What is also wrong is our definition of a vendor. As a rule, we tend to see technology providers, be it infrastructure of SaaS solutions, as vendors while companies that use their offerings as customers. This technology-centric view of the world is not correct: for people and companies looking to buy furniture, Ikea is a vendor; for those shopping for groceries, Walmart is a vendor; and for airlines looking to expand their fleet, Boeing is also a vendor. Every company is always a vendor in its relationship with those who buy its offerings and a customer in its relationships with suppliers and providers it relies on to run its business. What follows is that every CISO is a vendor CISO; this is also what Malcolm pointed out in his post. The difference is that some are actively helping their companies to close deals and others may not have to do that. This is the case for a variety of reasons such as that some industries are more likely to see security as a competitive differentiator, or the fact that some people are more comfortable with customer-facing work than others.
The Field CISO role is indeed unique and almost entirely sales-focused, unlike that of operational CISOs hired to establish security controls. That said, not all security leaders who work for cybersecurity companies are Field CISOs. Moreover, most people hired into Field CISO roles have strong networks and a reputation as thought leaders in the industry that they are greatly incentivized to protect. Not a single Field CISO I know would go as far as to turn a 30-minute conversation at a conference into a sales pitch for their products. One thing that I am noticing is that Field CISOs and CISOs who work for security vendors appear to be greatly overrepresented in reports and media featuring insights of security leaders. The main factor, in my view, is that CISOs who work for security companies have a mandate to increase the visibility of their firm in the industry while those employed by businesses that operate in other fields (especially publicly traded enterprises) are often discouraged from talking to the media.
In a world where almost every day we read about new security incidents, customers want to know that their data is safe. CISOs, regardless of the industry they work in or the company they work for, are well-positioned to be the ones working to communicate to their company’s clients if the work security team is doing is sufficient to ensure the security of their information. Field CISOs are akin to consultants or vCISOs in that they have a dual mandate: to help their companies expand the business and acquire new customers, and to help their customers future-proof their defenses with the best tooling and resources.
Movement between CISO categories
Although for simplicity, I have categorized CISOs into several groups - Enterprise CISOs, Mid-market CISOs, Virtual CISOs, and Field CISOs, the reality is that these groups aren’t clearly defined, and neither are they static. Security leaders move from one category to another, and in most cases, these moves, or career transitions, follow several patterns.
Enterprise CISOs
Most security leaders who work at large enterprises and Fortune 1000 companies choose to stay in this segment long-term. When they look for new roles, they primarily consider other large enterprises. After retiring or when they are nearing retirement, they may join one of the large consulting firms, become independent security advisors to large enterprises, or shift their attention to boards and serve as corporate directors.
Security leaders at large enterprises don’t typically move into vCISO roles. There are several reasons why this is the case. First and foremost, most of them find the problems of small and medium-sized businesses not as interesting. To security practitioners who had the chance to experience working at the enterprise scale, challenges such as needing to convince a company to adopt a password manager aren’t at all exciting. Second, while employed, they usually don’t have free time to allocate to pursuing side projects and most are not allowed to offer security to other entities even if they did. Lastly, enterprise CISOs are generously compensated, so lack motivation to move into vCISO roles that come with high uncertainty and substantially lower pay. The closest enterprise CISOs can get to a vCISO-shaped position is when they choose to work for private equity (PE) groups that offer security to several portfolio companies.
A small percentage of Fortune 1000 security leaders looking for lower regulatory pressure and less political environments, move to mid-market enterprises. Historically, the number of security leaders who take this path has not been high, but that may be changing given the rising scrutiny from the regulators in recent years which primarily affects large publicly traded organizations.
Mid-market CISOs
Career aspirations are the main driver behind the movement from mid-level to large enterprises. Mid-market CISOs looking for the ability to make a bigger impact and higher compensation, are often encouraged to seek employment at larger corporations. For many, this is the natural next step in their careers.
The main reason for mid-market CISOs to move in the opposite direction, to smaller organizations, is the desire to lower complexity and stress levels. Mid-tier experienced CISOs who are burned down but not ready to leave the industry, sometimes choose to step back from the stress of full-time roles and become vCISOs.
Virtual CISOs
Since the overwhelming majority of vCISOs and people who serve as CISOs as a Service do not have experience as security leaders at large enterprises, they do not typically get hired by Fortune 1000 as CISOs. If somehow they were to get the role (which is highly unlikely), they would most likely not be successful. Most vCISOs would find that their experience does not translate well to the enterprise environments: they would lack the understanding of the complexity, the way relationships are built, the way resources are deployed, and what constitutes effective measures in highly nuanced customer environments.
Some Virtual CISOs, after accumulating experience helping small and medium-sized companies, are looking for ways to get a full-time role in mid-market companies. This is especially the case for security practitioners intentionally using a vCISO role as a stepping stone to advance their careers. On the other hand, vCISOs who were formerly full-time security leaders that stepped back due to stress, are likely to be exiting from vCISO roles into retirement.
Field CISOs
The term “Field CISO” does not reference an organization's size. Some people in this role may be former security leaders from large enterprises who now work as Field CISOs at companies such as Palo Alto or Cisco. Others could be former mid-tier CISOs or senior security practitioners who serve as Field CISOs at smaller startups. When Field CISOs move back to operational roles, they typically join organizations similar to those they worked at before joining a security vendor. I have not seen many Field CISOs who stay in a sales-focused Field CISO role for a decade or more, but it is hard to tell why that is the case. One reason could be that the Field CISO role is still relatively new, but it is also likely that having to navigate the nuances of this sales-focused position makes it too hard.
Different but equal: supporting security leaders regardless of where they work
Security leaders come from all walks of life. Some have spent decades in compliance and risk management, and others built careers in IT, and worked as security engineers, law enforcement, and incident response, to name a few. Their backgrounds, without any doubt, influence the way they approach their role as CISOs, but I think that there is too much focus in the industry on where they come from, while what we should be thinking instead is what problems they are hired to solve.
Regardless of their backgrounds, CISOs have the same job: to protect their company’s data, reputation, people, and business. What that looks like is highly dependent on the type of organization:
Publicly traded corporations are subject to compliance requirements that do not apply to privately held companies.
Infrastructure, environments, and subsequently, risks faced by large multinational corporations are different from those faced by companies operating in one state or country.
Security measures needed to strengthen the defenses of a family-run, five-person e-commerce business are different from those appropriate to a mid-size national retailer.
Buyers of SaaS vendors see security as a critical part of the products they are buying so companies know they must invest in their defenses to acquire new customers; customers of a dental office don’t evaluate their security when deciding which dentist to see.
Regardless of where security leaders work, and whose problems they solve, their role is equally important. A vCISO helping a small mom-and-pop store to implement MFA is no less critical to safeguarding society than a CISO of a major social media company responsible for protecting the data of the platform's users. A Field CISO who helps an oil company adopt a security solution deserves as much respect as a CISO of a company that sells solar panels.
Not all security leaders are going to be pushing the boundaries of the field but we should not expect them to. We need people who are going to bring security to the 90% of the population, not only to the top 10% of large enterprises with solid security budgets. We need to remember that not every CISO is a Fortune 1000 security leader even if that's who most security vendors are targeting. I must admit that it’s not always easy and I have on many occasions made the mistake of equating “CISO” and “large enterprise”, but that’s exactly why we have to make an extra effort to not forget about different types of CISOs, and why they all are important.
Such a great post. The reality is the cybersecurity leaders, including CISO's, much like broader cybersecurity are a diverse group depending on industry, organization, size and more.
Thank you again for another excellent article, Ross.
My own experience is an anomaly (aren't they all?). I have a technical background, but also a military background that gave me the strategic-thinking and leadership required of a CISO.
My last role was a vCISO in a large ITO firm of over 100,000 employees. Its cloud managed service served over 100 enterprise customers all over the world. Because it is a large company, it was assumed that security was a solved problem on account of the mature GRC organization the company already had. I disagreed - I built a new governance framework to ensure we were provably delivering the security outcomes these customers required in their diverse geographies and industries. The company already had a CISO and a Deputy CISO, but the industries we served were so diverse that they were spread very thin and seemed quite disconnected from realities on the ground. My own "department" was one cloud engineer who did his best to implement my vision!
My current role is CISO of a rapidly-growing specialist cloud managed service firm of fewer than 800 people. I suppose you would therefore call this a "midsize" company, but it also has over 100 enterprise customers all over the world. I now have a department of over 25 people across four subdepartments (compliance, security architecture, consulting, SOC) and am responsible for securing both my own company and the parts of our customers for which we have responsibility. I am both an internal CISO and a vendor CISO. I present risk to the board, and travel to meet customers to discuss their risk. I also get heavily involved in sales.
It might seem counterintuitive that my mid-size firm has the security department and governance structure of a good-size enterprise, whereas in my large firm I struggled for security resources and spent too much time fighting internal bureaucracy and politics, but a smaller company is under greater scrutiny by large enterprises than a large one would be!