Secrets of industry-hopping CSOs

Who says you can't change industries? Veteran security leaders Mark Weatherford and Cheri McGuire teach you how it’s done.


Conventional wisdom says that a detailed understanding of the unique business functions of a particular industry is required to translate cybersecurity threats into the business risk language that other public and private sector executives expect – or even demand. For example, a solid background in banking, including financial controls, processes and related regulations, is usually required to be a CSO or CISO at a large bank.

This line of thinking has led many security leaders to not even apply for CSO roles in other industries. But why?

To dig deeper into this topic and get answers to help others, I asked a series of questions to two experts who have successfully navigated senior security leadership roles across multiple industries over many years.

From 2016-2019, Cheri McGuire served as global group chief information security officer (CISO) at Standard Chartered Bank based in London. She has held senior roles at Microsoft, Symantec, US Department of Homeland Security Cyber Division/US-CERT, and Booz Allen Hamilton. Cheri currently sits on the Monetary Authority of Singapore International Cyber Advisory Panel, the Board of Directors for Entrust Datacard Corporation, and the Executive Advisory Board of Tenable. She is also a non-resident scholar at the Carnegie Endowment for International Peace advising on their Financial Cyber strategic initiatives.

Cheri is a recognized expert on cyber risk management and resilience, policy and information sharing, and public-private partnerships, and has testified numerous times before the US Congress. Previously, she served on the World Economic Forum Global Future Council on Cybersecurity and the board of The George Washington University Center for Cyber and Homeland Security.

Mark Weatherford is the Global Information Security Strategist at Booking Holdings, a Fortune 250 company representing six global brands that include Priceline.com, Kayak.com, Bookings.com, OpenTable.com, Agoda.com and RentalCars.com. He has more than 20 years of security operations leadership and executive-level policy experience in some of the largest and most critical public and private sector organizations in the world. Previous roles include Chief Cybersecurity Strategist at vArmour, Principal at The Chertoff Group, Deputy Under Secretary for Cybersecurity at DHS, CSO at the North American Electric Reliability Corporation, CISO for the state of California and CISO for the state of Colorado.

I first met both Cheri McGuire and Mark Weatherford when they worked in senior government security roles, and their experiences illustrate how government service can be a great training ground in cybersecurity. Here, these two industry-leading CSOs offer career advice and provide guidance for aspiring industry-hoppers to follow.

Dan Lohrmann: Every security leadership role is different, but what are some common functions and challenges that generally transcend industries? Do these apply for public and private sector leadership — or are they more unique for government?


Cheri McGuire: Most security leaders today are accountable for a common set of functions that run the gamut from strategy, governance and policy to data protection, threat intel and incident response, to testing, training and awareness, and much more. Ask almost any CISO and they’ll share common challenges as well, such as budget constraints, board visibility, staffing shortages, rapid technology adoption, and exponential growth in regulations. These apply across public and private sectors, and while stakeholder audiences may be slightly different, the same skills are required. For example, if you are presenting a case for more security budget, you need to clearly articulate risk reduction outcomes, projects, timelines, and resource requirements. Whether you are presenting to a government agency budget committee or to a corporate board, there is not much difference — except perhaps the volume of paperwork and approvals needed.


Mark Weatherford: Certainly, the ability to communicate well grows in importance the higher you rise in an organization. We’ve talked about the importance of leadership communication skills for years but I don’t think most people really understand what it means to communicate at the executive level because it’s more than just avoiding ‘geek-speak.’ Communicating at the executive level means being able to see the organizational big picture and understand that security is just one small piece in the overall scheme in running an organization. It means sitting next to the CFO or the general counsel in a private company, or the agency secretary or a congressperson in the public sector, and being able to engage in a conversation around how, for example, the coronavirus is affecting quarterly revenue, or how government sanctions may impact private industry’s ability to compete over a three-year horizon. I still see far too many security people who forget to check their security-ego at the door when having C-suite and board-level conversations and it hurts their credibility. In fact, it hurts the credibility of all security professionals because it adds to the perception that we’re just a bunch of propellerheads who don’t understand EBITDA or policy decisions with consequences beyond the security perimeter.

What are the major differences that you have experienced as a leader in different industry verticals?

McGuire: The major differences are inherent to the business of the industry vertical itself. When I was working for the government, core to the mission was securing the homeland. The same was true when I was consulting and supporting government security clients. Working for two major software and security providers, security was embedded in the dev and vulnerability cycles, and many of the products were security. So, moving to the financial industry was somewhat different, in that the core mission or product is not information security, it is banking services. Of course, the foundations of these services are trust and security, but they are comprised of many more functions than strictly information security. As such, it was important to factor in other critical risks (i.e., operational, regulatory, reputational, physical, etc.) and business drivers (i.e., digitization, fintech, open banking, cryptocurrencies, etc.) to develop a broader “whole of business” risk approach to security, versus the more narrowly defined security risk roles I had served in previously.

Weatherford: Two things: pace and revenue. The pace of activity in the private sector is vastly different than the pace of activity in the public sector and that is directly tied to revenue. In a private company where you report earnings to Wall Street every quarter and the expectations of your board of directors and shareholders are tied directly to financial performance, there is an incredible sense of urgency to make sure you are doing everything possible to help the company meet their goals. This means that as a C-suite leader in the company, you are always looking for ways to increase the efficiency of your security organization — and even adjust your objectives if necessary — to help advance the overall corporate mission.

I don’t mean to say that there is no sense of urgency in the public sector; it’s just that the motivations are vastly different. Leaders in the public sector often take a longer-term perspective since shorter-term revenue goals aren’t a measuring stick they have to concern themselves with. In addition, the workforce tends to be a bit more stable in the public sector so, in the absence of emergent security crises, it’s easier to take a longer-range perspective for solving security challenges.

What advice would you give on overcoming a lack of specific business expertise in areas as a new leader? How can one grow into their new role?

McGuire: When I took the global CISO role at Standard Chartered, a number of colleagues commented that I didn’t have financial services experience and that I was taking a big risk. However, I approached the new role with a 90-day listening tour, met with leaders and team members across the organization, asked enough questions to fill a notebook, visited sites around the world, and even shadowed some operational leaders to learn core banking processes. The key was building relationships early on and then knowing the right business experts to reach out to later. Growing into the role is about having the right mindset and being open to learn, giving yourself a break that there are no dumb questions, and recognizing that most business colleagues are more than happy to help you get up to speed early in your tenure.

Weatherford: Everyone skins their knees and elbows a few times when learning the leadership ropes, but I’ve found that identifying a mentor or coach willing to help is the fastest and most efficient way to understand organizational norms and business-specific details. As long as you can be professionally non-threatening to leaders of an organization, getting coaching or advice from someone you respect not only builds your own expertise but also provides the opportunity to identify a personal champion — and it never hurts to have a champion! If you need to understand the nuances of finance, ask the CFO for help. If you want to establish a good relationship with the board, find a board member willing to coach you on what the board expects from you and even how to respond to certain board members. The most important thing the board wants to have in a CxO is confidence – confidence that they know what they are doing and confidence that they are accurately representing the risk to the board.

What skills are especially important to lead security functions in a new industry? What undervalued abilities are CxOs looking for during the selection process?

McGuire: First, you got the job for your security chops. But in any new role, and especially in a new industry, it’s vital to be a good listener, stakeholder focused, collaborative, solution-oriented, and most importantly manage expectations — both your colleagues' and your own. It takes time to learn a new industry, and give yourself some breathing room to do that. Also, don’t assume anything. Recognize that techniques or approaches you’ve used in the past may need modifications or not be fit for purpose in the new organization. Flexibility is key.

In addition, skills that CxOs are looking for include: a strategic mindset, not just a tactician; an ability to clearly articulate and translate technical risks in plain language to the board, exec team and regulators; and an ability to develop a network and relationships with other business execs, not just the IT or security team. In short, key attributes of any strong senior leader.

Weatherford: Number one, hands down, top of the list, is the ability to integrate neatly into the culture. I’ve often selected a less-qualified technical candidate simply because I felt like they could work better with the team than other candidates. It comes with experience but I’ve learned to trust my gut, and I’m rarely wrong these days. Nothing destroys a good work environment faster than hiring someone who doesn’t fit. This is doubly important when selecting a leader. All organizational cultures are different and, unless there is a direct mandate to re-architect the culture, it’s critical to find someone who fits in. We’ve all seen it: You hire someone new and soon start having teaming problems. The new person has too strong of a personality and alienates everyone, or too weak of a personality and the stronger members of the team take advantage of them. It’s not that the people are bad, they are just wrong for the specific organization.

Any other related tips you can share?

McGuire: There is enormous pressure on CISOs in any organization today. It’s important to have a clear understanding and agreement of what is and is not in your job scope, as well as how your performance will be measured. A recent survey by Nominet highlighted the toll that stress is having on the health and well-being of CISOs, with 88 percent reporting moderate to high levels of stress. And there is added pressure if you are in a new industry, so it’s important to invest the time to avoid burnout. The old adage that “security is a marathon and not a sprint” has never been more true.

Finally, I speak to a lot of security leaders who are retiring from or leaving government to join the private sector. Nearly everyone talks about how challenging the transition is and how different the cultures, operating cadence and delivery expectations are. Recognize that big career changes can create some uncertainty and feelings of doubt. This is normal, and a lot of your colleagues have experienced something similar. There’s a great support network out there — don’t be afraid to reach out if you need it.

Weatherford: Like a fine wine, it takes time to become a good leader. One of the things I often caution security professionals about is to be careful about taking a CISO job too far above their experience level. Unfortunately, in our environment today where there are simply not enough good and experienced CISOs, too many people are either being pushed into roles for which they don’t have the right kind of experience or, because they covet the CISO title, they are taking jobs they aren’t prepared for. In either case, the results are often disastrous for both the organization and the person. In the best case, both the organization and the person recover and move along. In the worst case, the organization is permanently damaged and the person’s professional reputation takes such a hit that they find it difficult to get back on track. My advice: Develop a checklist of skills you think you need, be honest with yourself about your weak areas, and find a mentor to help you become that CISO everyone respects.

Copyright © 2020 IDG Communications, Inc.