Defense in Depth: CISO Recruiting is Broken

The demand for CISOs is growing due to increased regulations and cyber threats. Yet, while the demand is there, the supply keeps rotating. Companies think the next CISO is going to fix the problems of the last one. Why is a CISO’s tenure so short and why is the hiring process for CISOs so disjointed?

Check out this post for the basis for our conversation on this week’s episode, which features me, David Spark (@dspark), producer of CISO Series, Steve Zalewski, and Gary Hayslip (@ghayslip), CISO, Softbank Investment Advisers.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our podcast sponsor, RevCult

On average, 18 percent of all your Salesforce data fields are highly sensitive and 89 percent of users have access to that data. RevCult is the only solution that helps you understand the data you have in Salesforce, and if you’re protecting it. Get a free Salesforce Security Self-Assessment to understand your Salesforce security weaknesses.

Full Transcript

David Spark

The demand for CISOs is growing due to increased regulations and cyber threats. Yet, while the demand is there, the supply keeps rotating. Companies think the next CISO is going to fix the problems of the last one. Why is a CISO’s tenure so short and why is the hiring process for CISOs so disjointed?

Voiceover

You’re listening to defense in depth.

David Spark

Welcome to Defense in Depth. My name is David Spark, I am the producer of CISO Series, and joining me on a regular rotating basis, love having him on because he is one of the most quotable CISOs I know, is Steve Zalewski. Steve, thank you so much for joining us.

Steve Zalewski

As always, David it’s a pleasure.

David Spark

Awesome. Our sponsor for today’s episode is RevCult. If you have a Salesforce environment I highly recommend you listen to what RevCult has to say in the middle of the show, because Salesforce security is a little bit of a thorny subject and they are a Salesforce security organization and they attack it from a very specific angle which I think you’ll be interested in. But now let’s get to the topic at hand and that is the issue of hiring a CISO and how broken it is. Our guest today wrote a phenomenal article and I’m going to introduce him in a second, but I want to know what you thought about this article about the CISO’s tenure and why it’s so difficult for companies to hire a CISO. What’s your take on this piece, Steve?

Steve Zalewski

Well this is one of the most lucid summaries of the problem I have ever read. It just stunned me with the clarity of what it is that we’d been struggling with and that’s all I could think of was just such a lucid summary, succinct, concise, got to what we were trying to do.

David Spark

You are not alone by the way, Steve. All throughout this piece, our guest, again who I’m going to introduce in just a moment, was getting nothing but raves for this article. So those listening, don’t worry, we will point to it in this actual blog post, and we’ve had him on this show before but it’s actually been a while. So I’m glad we have him back again, it is the CISO for Softbank Investment Advisers, Gary Hayslip. Gary, thank you so much for joining us.

Gary Hayslip

Thank you Steve and David, I’m really happy to be here.

Why does this still happen?

00:02:25:07

David Spark

Matt Stamper CISO for Evotek said quote, when CISOs are engaged in risk management, I think the revolving door dynamics tends to decrease. When the CISO is removed from risk-management strategy, there’s always greener pastures. And Jared Couillard of Cohere Health said quote, some companies hire as a means to check the box, perpetuating the burnout. And Nir Rothenberg CISO of Rapyd said, the 12 to 18 months turnover for CISOs can also be connected to a bigger trend of relatively short turnovers in the tech industry. So, by the way, Gary outlined a lot of good points for the turnover and here are some additions as to what makes it happen and what doesn’t make it happen. Steve, your take.

Steve Zalewski

So there are three or four issues that were really talked about in this paper and the first thing I want to say is this problem is still evolving. It isn’t a ten year old problem. Ten years ago we thought we had it solved with technical CISOs. Right, four years ago we thought we had it solved with cyber-risk CISOs. Eighteen months ago or even a year ago, I would say what we’ve realized is business risk and all of the transformation that’s occurring is causing us to evolve again. And there’s no right answer because no organization, no two organizations, are in the same place on the maturity curve.

David Spark

Gary, if you would like to outline why you think CISO tenures are so short as you did in your article, I’d love to hear it.

Gary Hayslip

Oh definitely. I mean, and thank you for letting me talk about it. Honestly most of this just came from observation, talking with fellow peers like Steve and hearing the challenges that many of us were facing, and talking with many of our peers that are presently interviewing and talking with companies right now. And what I found was really interesting, and I talked about it in the article, was the fact that it seems like it’s a lot of the same companies that are in that 12 to 18 months rotational cycle. Whereas so-and-so’s looking for a CISO and a bunch of CISOs are sitting there talking with each other and we’re like, I thought they just hired somebody, where did that person go? And today because of all the different communication mechanisms that we have, us CISOs talk to each other, we know who’s hiring, who’s not, where’s a bad place to go and why. What are really good places that we would love to work at, whether or not it’s just a CISO but even a deputy CISO or an individual contributor, just because the culture is excellent, you really like the company. So we know these things. What I started finding when I started talking with a lot of my peers and looking at these companies is that it’s really not just the CISO’s fault that they’re leaving. And it isn’t, everybody thinks well they just had a CISO and they were there for 18 months and they’re gone, so they must have had a breach or something and that CISO must have done something wrong. No, not really. I mean, I found when I started doing a lot of the research on this, the whole breach incident thing was like less than 20 percent, it’s actually pretty small. The wider range of stuff, when you really look at it, is, as Steve alluded to, you’ve got an evolving market and the role itself is evolving and becoming more of a business executive role and companies themselves don’t understand that.

David Spark

You believe what Steve was saying that 18 months ago we thought we knew the strategic CISO and now we realize no, we need a technical CISO or vice versa.

Gary Hayslip

One of the things I did in the article was I actually did a nice kind of a mind map and showed what a technical CISO is, what a strategic CISO is. And that there’s many of us who’ve been in this role for quite a while that we kind of evolve from one to the other. There are some of us that just like doing technical and we like staying with Stardust. We’re not really interested in doing the strategy stuff. Then there’s some like me that, I wear multiple hats, I can step back and forth for whatever the business needs, you know I have no problem with it, but each of us is different. And my whole thing about the article was trying to help companies understand that when you’re hiring a CISO not all of us are alike. Many of us, depending on where we’re at in our career path, we’re going to bring different skill sets and different experiences and you need to understand which ones you need currently. Obviously if you’re a start-up and you’re hiring your first security executive, you probably don’t need a strategic CISO, you need a technical one, you’ve got stuff to build, you’ve got things that you need to go and put in place. However, 24, 36 months down the road, you’re getting ready to go for IPO, you probably need a strategic CISO because it’s a different focus, it’s a different view of where you’re going as a company. Just as companies tend to change out management teams and CFOs and different C-suite executives as the company progresses, I’d look at it the same way with security executives as well. But companies need to understand where they are at and what they need, and what I find a lot of times is they don’t. They just assume CISOs are CISOs and they’re not. It is a very unique role, the skill sets, the experience, the education. The stuff that we bring to the table is very unique and the thing about it is that most of us do not stay just sitting in security.
I mean, like my job with my current employer, I’m dealing with risk, I’m dealing with legal, I’m dealing with compliance, I’m looking at contracts, I’m working with and helping with due diligence or new deals. It’s a wide range of stuff besides just managing files and managing email security.

Why are they behaving this way?

00:08:23:15

David Spark

CK Chim, CISO of Dyson said quote, many top company execs are expecting the CISO to deliver “mission impossible”, starting from educating the board, developing strategy and vision, defending against the bad actors, removing internal barriers, down to delivering the technical security projects and employee awareness, alongside tough challenges to justify security budget and the need for balancing the company risk appetite. Steve, I think what CK outlined right here is what is needed and wanted from the CISO, which is pretty tantamount, but I don’t think they realize how much they’re piling on to an individual.

Steve Zalewski

Yes, and I think some of what Gary said and what we’re talking about is, you can have a technical CISO, you can have a strategic CISO, you can have a business CISO. And so much of it depends upon the individual company, what verticals it’s in, what it’s trying to do. And they’re looking for a shopping list of somebody that can do it all and more and more. As Gary says, what you want is a general purpose CISO that understands where to focus and when. And as an example I’ll say many SaaS vendors want a technical CISO and when they go public they may think they want a strategic CISO. But at the end of the day, the technical CISO is what all their customers want to hear from as the evangelist for security, if you’re a security SaaS play. And so therefore you don’t actually want a strategy CISO, whereas if you’re a Fortune 500 and you’re manufacturing, then you absolutely do. So they’re listening to a whole lot of analysts and a whole lot of experts telling them you need all of this, and the CISOs themselves sometimes are selling themselves short by just saying yes, as opposed to stepping back and providing some of that initial guidance during the hiring process.

David Spark

I know when you were looking Gary, that you said every CISO job listing looked completely different. And do you think it looked different because they knew what they wanted or didn’t know what they wanted and they were copying and pasting from something else?

Gary Hayslip

I think all of the above, to tell you the truth. The interesting thing I find is when I talk with companies, a lot of times they know or they kind of envision this is where they want their new security executive, their new leader, to be. But they don’t really understand the role so much, of what this kind of person does, and what I found, honestly, I’ve been in interviews with companies where I just kind of stopped the interview and said, right, I’m too senior for what you’re looking for. And they just kind of look at me. I said, honestly I’m too senior and I’d probably cost too much for you. With that said, let me walk you through probably what you’re looking for and why. And this is an approach that I would highly recommend that you go ahead and take, because you’re not going to afford what you’re trying to hire. And I do think that sometimes companies, they take two or three descriptions of different jobs and they kind of put them together and then they think there’s going to be one person out there that’s going to fit this unicorn mold that they’ve put together.

David Spark

Also at the price that they’ve got too.

Gary Hayslip

Yeah.

David Spark

Which is, that’s the part that’s the gotcha.

Gary Hayslip

And I’ve made recommendations to companies that, okay take a look at this, you can hire somebody that’ll do 80 percent of this for you. And then let him or her as they stabilize and build out their security team, let them hire a deputy that’ll do some of this unique stuff that you’re looking for.

Steve Zalewski

And I want to chime in on Gary on that because it has to do with what is a CISO. How many of us have seen where they’re hiring their first CISO and it’s a job sized for one person, you, or hiring a CISO to go build out a security team?

David Spark

We’ve had many of those people on our shows by the way, Steve.

Steve Zalewski

Or I’m a mining company and I’m the CISO and I have two people because we mine coal, and the revenues of coal mining may reflect in how much money I have, and there’s three people for this company that’s international and does two billion dollars. And then you get a Fortune 50, Fortune 100 where there’s 300 or a thousand people on the security team and they’re doing 50 billion dollars worth of revenue and they need a CISO that can be customary, outward facing. That’s another big part of the problem is there’s no set of expectations, it’s all just called a CISO.

Gary Hayslip

I’ve seen people mind map all the different skills and all the different things that CISOs do, but again it’s a big menu where companies pull different things and it’s different for each company. And then it’s even frustrating when you talk with companies because they’re like, well nothing’s happening, everything’s quiet, we’re not having any security issues. So you don’t really need that much in resources, so we’re going to take 20 percent off the budget. And you’re kind of like no, no, no, no, no, nothing’s happening because we’re doing a good job. We’ve got to build correctly, we’re staffed correctly. But when you really think about it you’re saving from a future event, something that’s not happening right now, and that’s extremely hard to educate the executive teams and boards on. But when they get it, it’s just amazing when they get it, because then they understand the value that you’re bringing and you get integrated so much into other things.

Sponsor – RevCult

00:14:09:10

Steve Prentice

Many people think of Salesforce as a SaaS solution or maybe even a CRM, and that’s definitely how it started, but over the last ten to 15 years it has evolved into much more. Here is Brian Olearczyk, who is CRO at RevCult, the world’s leading provider of Salesforce security and government solutions.

Brian Olearczyk

Salesforce really started out to drive significant business value and it’s extended far beyond traditional CRM, far beyond the role [UNSURE OF WORD] the clouds. They’ve brought more and more data into the platform. They’ve brought more and more robust and sensitive processes into the platform, like loan origination, electronic health records, HR, finances. And so Infosec and/or audit have taken a bigger understanding of how Salesforce is actually being used. It is really a mission critical system and our Infosec really needs to start to understand that it’s not just a CRM anymore, that it’s doing far beyond what you originally expected.

Steve Prentice

This is where RevCult fits in.

Brian Olearczyk

We help organizations, one, understand what their security responsibilities are within Salesforce. Two, help organizations to find a strategy or security policies for them to effectively manage those responsibilities. And then three, we provide audit capabilities that allow for the automation, and a much more elegantly simple way for those security controls to be implemented, managed over time as the platform evolves, and then proven to align to either your Infosec policies or any other regulatory or compliance requirements that you might have.

Steve Prentice

For more information visit RevCult.com.

Who has a solution?

00:15:47:01

David Spark

Krista Arndt of Voyager said quote, one of the most important tasks we have is to have a deep understanding of what it is we are being tasked to protect. And there is no more effective way to do that than to allow us to be a part of these conversations from the inception of a business idea down to its implementation. And Alex Paunic of PreCog Security said quote, most CISOs felt that some of these problems with lack of leadership investment in cybersecurity can be fixed if CISOs would report either directly to the CEO or CISOs become part of the board. What do you think about that? I mean, if they’re in the conversation, if they’re part of it from the top down, do you think there’s less of a rotating door?

Gary Hayslip

Well, I can tell you when I was a CISO at Webroot, I was part of the C-suite. I reported to the CFO and I would periodically, usually every other month, I would brief the CEO. But being part of the C-suite, I got a chance to see how the business was run, and I have to admit it was fascinating. I had a lot more of an executive view and I understood the impact of my program and the changes that we were making in the projects that we were doing. And at the same time my program was extremely visible to all the other departments, people knew what we were working on and why and we were extremely effective.

David Spark

Have you had the opposite of that problem?

Gary Hayslip

Yes.

David Spark

And when you had the opposite of the problem, what was your feeling, like I think we’re doing the right thing here or whatever? What was it?

Gary Hayslip

Well I mean, the opposite of it, honestly you feel like you’re in a box, no one’s really paying attention to you. You get pulled out if there’s auditors or if there is an issue, but other than that, nobody knows who you are. You don’t really know how effective you’re being or how much you’re helping the company.

David Spark

And that’s a recipe for walking out the door, yes.

Gary Hayslip

Yeah, I mean I can tell you a lot of CISOs are like that. You get very uncomfortable because you get this feeling of accountability, and it’s like if you’re not part of being able to do the solution and to fix things and being part of the leadership team, you’re blind.

Steve Zalewski

If your company values IT, if the CIO and the IT organization is foundational to you making money, then reporting to the CIO is fine.

Gary Hayslip

Oh yes.

Steve Zalewski

If your company does something else, where IT is considered a necessary evil, not foundational to the business, then reporting to the CIO is a difficult place to be. Because trying to get your message across, it gets buried under the larger bias of the company’s perspective of IT. In which case cybersecurity is not an IT perspective, it is a business cyber risk perspective, and you need to get out from under there, to be able to give the executive team the opportunity to give you the time and effort that you deserve.

Nothing will happen until we take action.

00:18:56:13

David Spark

Bob Turner, CISO of the University of Wisconsin, Madison, where by the way, I’m just going to interject, my sister was a professor there for a period of time. Bob says quote, if the answer sounds like the organization does not know what they want, they may not be your best fit. A kind of a tip to what we were just talking about. And Bruno Adamo of BNP Paribas said quote, I wonder how common it is for larger organizations to enlist help from qualified experts when hunting for the right candidate, not just generic headhunters but specialized ones with an understanding of what a CISO does. And lastly Tim Howard of Fortify Experts says, every CISO role is different. It really needs to be mapped to the business needs. So I’m going to ask you first, Steve, it seems if you’re in a cloud you really need some outside help.

Steve Zalewski

So here’s what I’m going to say. Nothing will happen until we take action, things are happening. The actions are recurring as a result of bad decisions being made in the hiring of CISOs. And this conversation is actually part of the general industry realizing it’s broken and trying to understand why. And I don’t think it’s from a lack of people trying to do the right thing. And what you’re seeing is the cybersecurity market, the industry, is still going through maturity, we’re still young at 30 years. And so therefore everybody is trying to grow through this and it’s going to be a while before we start to reach the level of maturity like we have with the CIO or CFO. This is one of the reasons why I think Gary and I love this job, because there is so much change. Being a static CISO, you can do it and there’s spots for it. But we’re here to be part of the solution, not just propagate the problem.

David Spark

So what would be your general advice, Gary, to the organization that either just let a CISO go or is hiring their very first CISO, and they need to create that job posting or seek someone’s help? What should they be asking themselves when they set out to hire a specific CISO?

Gary Hayslip

If they just went and said that their most recent CISO just left, I would hope that they interviewed the individual to understand why, to understand why the person’s leaving. They don’t need to know where they’re going or what they’re doing, but they just need to understand why. Because most people aren’t leaving just because they’re leaving. And then I definitely like what Bruno mentions here about using a third party to go ahead and assist. This is a unique role that, as Steve says, is still changing. Each business uses it differently and there’s nothing wrong with an HR team saying, hey, I need a little bit of help, I want to get an outside consultant in here to go ahead and help us kind of tune what we’re looking for, to make sure that the person that we’re hiring is not only going to fit the culture that we currently have but also is the right type of executive that we need for today, and where we think we’re going to be at in 18 months.

David Spark

And again, this is just me sort of shooting from the hip, but does an average organization even know what the marketplace for CISOs is like, the different kinds of CISOs they can get, are they even aware?

Gary Hayslip

No. In fact, several of the companies that I interviewed and I talked with people, I was asking them where are you getting, like, the comp numbers. I was like, where are you getting these numbers? And they had like a third party that they were pulling numbers from, and when I would look at it, it would say IT level four manager or something. And I’m like, guys, that’s IT, that’s not cybersecurity. It was like they were trying to assume okay, it’s going to be at this level and then we’re going to add ten percent and that should be fine. And I’m like no. And I’d sit there and I’d tell ’em, I say no, I said in this market right here you’re about 30K actually less than what I know several of my peers in this area are making. But that’s what I’m saying is that it is something that’s changing and I do think people are actively working on it, and I think the rash of companies that are hiring right now is because they realize they do need someone in that role. They do need someone to be in charge of security and manage risks.

Close

00:23:30:14

David Spark

Excellent point and that brings us to the very close of our show. Thank you very much Steve, thank you very much Gary. Now it comes to the point where I ask what was your favorite quote and why and I will begin with you Steve. Which quote was your favorite and why?

Steve Zalewski

I have to go with Bob Turner, the CISO at the University of Wisconsin Madison, because your sister went there. So I got to go.

David Spark

But she didn’t go there, she taught there.

Steve Zalewski

She taught there. So I have to go there. But here’s what I want to say about that actual quote, joking aside. Fortunately for CISOs there is no stigma for a CISO being in the job for 12 or 18 months and moving on. Just like there’s no stigma with being part of a breach, where it used to be. So as a CISO, here’s how I challenge it. If you’re going to go into a job that doesn’t look like a good fit because you want to be a first time CISO or for whatever reason, it’s not a really good fit and you’re going to force fit. Then use that opportunity to learn for yourself but leave the organization in a better position than you found it. So that the next one comes in, so that as the industry matures, that’s just it. We don’t have a stigma with you’ve only been in the job for 18 months. There’s a reason why all this is happening, so learn through it and realize it’s actually a positive thing.

David Spark

I would think companies that have a series of 12 to 18 CISOs in a row, that would be a stigma on the company, yes? Steve.

Gary Hayslip

Yeah.

Steve Zalewski

You would say that’s a reverse red flag.

Gary Hayslip

Yes.

Steve Zalewski

Okay and I’m willing to say there’s culpability on both sides.

Gary Hayslip

Right.

Steve Zalewski

On the hirer and the hiree and that’s I think what this whole conversation was about, was there’s red flags and it’s not only on one side. And so how are we trying to understand that because it isn’t that one side is doing it wrong, it’s both sides are trying to learn through and do the right thing.

David Spark

Gary, what was your favorite quote and why?

Gary Hayslip

Well I think mine was Tim Howard with Fortify Experts: every CISO role is different. It really needs to be mapped to the business needs. With the caveat that the problem is businesses don’t always understand their needs. And that unfortunately, as you just said Steve, is part of the problem. Where CISOs don’t always understand the role that they’re interviewing for and joining, and the businesses don’t always understand who they’re hiring. So they’re hiring the wrong type of executive because they don’t understand their needs.

David Spark

Excellent. Well, I want to thank both Steve Zalewski and Gary, and Gary, I’ll let you have a final word in what we always ask all our guests, especially if they’re CISOs, which is, are you hiring? So make sure you have an answer for that question. But I do want to first mention our sponsor RevCult. Again, if you have a Salesforce environment, security is not easy, and check them out at R-E-V-C-U-L-T dot com, RevCult. Steve, thank you very much. I’m going to jump straight through to Gary. Gary, any last words, and are you hiring?

Gary Hayslip

Yes, we are hiring. I’ve got roles in Boston on the east coast and I’ve got a role in London. So I am hiring to have people on my team. Last word of advice, as Steve went ahead and alluded to, this whole thing is constantly changing. That’s the reason why I wrote this article, was that for CISOs and for businesses to understand both sides of the coin here, and that we need to work with each other to go ahead and alleviate a bunch of these issues.

David Spark

Excellent point. Thank you very much Gary, thank you Steve, thank you audience for that matter. Gary if I’m interested in those jobs, where would I find them, how would I get in contact with you?

Gary Hayslip

We’re actually posting them up on LinkedIn, one of them’s already up there, so I would just go ahead and check SoftBank on LinkedIn.

David Spark

Softbank Investment Advisers. Alright, thank you very much everybody, thank you audience for all your contributions, whether they’re witting or unwitting, I always appreciate them. Thank you very much for that and for listening to Defense in Depth.

Voiceover

We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.