I was recently invited to present the keynote address at a virtual conference to the CISOs in the financial services sector in a major emerging market. In my effort to articulate the benefits of going from being an Enterprise CISO to vCISO Service Provider, I put together the matrix above.
I decided to write this article to share my perspective on the future of the Chief Information Security Officer (CISO), largely based on my recent experience moonlighting for 2 years as the part-time Virtual Chief Information Security Officer (vCISO) for FlexDrive (acquired by Lyft).
I made a strategic decision in late 2019 to resign from what others would consider a dream job working for one of the most respected financial institutions in the world – the Federal Reserve Bank of Atlanta, where I had the unique privilege of serving on the leadership team of Allen Sautter and Russell Eubanks for 2 years, leading Cybersecurity Strategy and Continuous Improvement.
The Atlanta Fed’s Information Security Department (ISD) team is probably the most diverse and talented team in our industry that I have worked with in my 30 years of experience in the area of Information Technology across 4 continents, including 23 years of experience assisting various organizations globally to build robust, comprehensive, effective, mature and sustainable information security programs through the integration of internationally accepted best practices.
As I reflect on this decision and how the first half of 2020 has turned out for me, I think back to my previous LinkedIn article, published on January 1, 2020, titled “Welcome 2020: The Cloud is here to stay…so also is cloud data breaches!”.
Well, when I wrote that article 10 days before publishing my book on Attribution (the chain of events spanning 2 decades, across 4 continents, that inspired my book is described in my recent Curious 2 Learners podcast with my friend Elliott Abraham), little did I know that what lay in store for the whole world in 2020 would be much more impactful than all the largest cloud and non-cloud-related data breaches we have seen in the past 2 decades combined!
While I do NOT have a crystal ball to confidently predict the future, I would be remiss if I did not highlight the past and present of the CISO that inform my attempt to predict the future of the CISO.
The Past, Present and Future of the CISO!
Over the past 2 decades, generally speaking, there are two paths that most industry veterans have taken to become CISOs, i.e., the Geek path and the Non-Geek path.
The Geek path typically involves going from Geek, to Techie, to Sysadmin, to IT “Guy”, to Dr. No, to ISO and eventually to CISO in 10 to 20 years.
The Non-Geek path typically involves going from Business Partner, to Business Enabler, to CISO, and I have seen this take as little as 5 years.
For the future CISO to be effective, I believe we need a hybrid path to CISO that combines the Geek and Non-Geek paths.
The future of our knowledge based economy is to work from anywhere, at any time and for anyone.
I have been very fortunate to train, certify and mentor some of the best CISOs in the industry through the Holistic Information Security Practitioner Institute (HISPI). The awesome and thankless work that these CISOs do has kept their employers out of the headline news for having a major data breach, and I could not be prouder of them for this awesome achievement.
However, leading HISPI’s outreach to help close the talent and diversity gap in Cybersecurity related to Minorities, Veterans and Women through the Cyberist, I always tell my mentees to be careful what they wish for as aspiring CISOs. There is always the risk of burnout due to factors such as lack of support, insufficient budget, lack of resources, lack of funding, lack of talent, job fatigue and stress. To cope, CISOs are turning to destructive habits such as alcohol and medication abuse. This is a crisis that my friend Phil Agcaoili has been warning about for the past few years.
Thanks to highly publicized data breaches in the past 15 years, most CISOs now have visibility to top management and perhaps a seat at the table on the organization’s board; however, most organizations are still not giving the CISO the necessary Authority, Autonomy and Budget.
Authority, Autonomy and Budget are critical success factors for Building and Executing a Winning CISO Strategy that I discussed in my interview by Dan Lohrmann shortly after I left the City of Atlanta as their first CISO in 2016.
The COVID-19 pandemic and endemic issues of Social Injustices have created the perfect storm and opportunity for an exponential increase in Cybersecurity threats due to remote work, job insecurity and layoffs driven by economic uncertainty. Increasingly, CISOs will be forced to leave their well-paid jobs for the opportunity to use the same skills as Virtual CISOs with a lower risk of burnout.
I have observed, and also experienced, that CISOs pursue one or more of the following options when they decide to leave their highly paid corporate CISO roles to control their own destinies.
Option A – Startup Entrepreneur
Option B – Independent Consultant
Option C – Public Company Board Membership (a topic for a follow up article)
I have personally chosen Option A (Startup Entrepreneur) twice by leaving the 2 CISO roles that I held from 2006–2007 and 2015–2016. With hindsight, unless I had the privilege of building a team and raising $100 million+ in venture capital funding like my fellow former CISO and Entrepreneur Aleksandr Yampolskiy, Co-Founder of SecurityScorecard, the least risky option is Option B (Independent Consultant) and that’s the option that I chose to pursue this year. Choosing the option of Independent Consultant gives you the revenue stream, peace of mind and flexibility that you need to control your own destiny. It also affords you the freedom to pursue the other options while you build some traction.
According to the 3rd annual global study of cybersecurity professionals by the Information Systems Security Association (ISSA) and independent industry analyst firm Enterprise Strategy Group (ESG), regarding the job-related pressures that make the virtual CISO (vCISO) role an attractive career option:
1. 10% of organizations now employ a vCISO.
2. 29% of CISOs are currently working as a vCISO.
3. 21% are considering it and 33% would consider it in the future.
4. 50% of the respondents claim that working as a vCISO brings more variety and flexibility to a CISO position.
The results of this ESG/ISSA global study would indicate that CISOs are clearly seeking to avoid some of the politics and stress while taking more control of their careers.
Through my company eFortresses, I have been engaged as vCISO by 3 small businesses and I have to say, it’s been the most rewarding experience, particularly because it has also allowed me to develop future leaders who are shadowing me as entry-level apprentices in their role as Cyber Security Analysts.
CISOs seriously exploring what the future holds for them should consider these actionable steps:
1. Update your resume
2. Moonlight by starting with a side hustle
3. Reach out to your local nonprofits and SMEs
4. Solicit feedback from your partners about vCISO Services
Have a safe CISO to vCISO journey!