This podcast episode was originally authored by CISO Series “Defense in Depth” and aired on March 23, 2023.
How do you make the argument that your company needs a CISO, and that YOU should be that leader? What do you need to demonstrate to prove you can be that person?
Check out this post and this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest Radley Meyers (@radleymeyers), Partner, SPMB Executive Search.
Got feedback? Join the conversation on LinkedIn.
HUGE thanks to our sponsor, SPMB Executive Search
[David Spark] How do you make the argument that your company needs a CISO and that you should be that leader? What do you need to demonstrate to prove you can be that person?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO Series. And joining me as my cohost, it’s Geoff Belknap. He’s the CISO of LinkedIn. Geoff, let everybody know how you sound.
[Geoff Belknap] Hey, David. This is what I sound like. I feel like people have figured this out by now, but just in case.
[David Spark] They have figured it out. But if we’re getting a first time listener, they don’t know.
[Geoff Belknap] That’s true. Hey, and you, first time listener, thanks for tuning in.
[David Spark] I’m on board with that as well. Hey, this episode is sponsored by a brand new sponsor, SPMB Executive Search, an executive search firm for innovators. And by the way, our guest comes from SPMB. It’ll be very critical why they are here, because of our discussion today. Now, we have had many CISOs on our show who were the first CISOs ever for their companies. In many cases, they actually made a convincing argument that the position should be open, and they should fill that position. Pretty bold, but regulations are actually pushing more organizations to have someone lead data security and privacy. And a CISO is often that person. So, the timing is actually right to make this move. So, I’m eager to have a conversation about those people who want to be CISOs, because I hear it from a lot of people who listen to the show. “I want to be a CISO one day. What are the moves I should be making now to groom myself, and how should I start approaching?” And you did this one day yourself, Geoff, for a first time. Yes?
[Geoff Belknap] I did indeed. Although the time where you can build your career by inventing yourself as a CISO, we’re transitioning out of that phase and now you really have to invent yourself as a business leader. And I’m sure we will get into this.
[David Spark] Yes. We very much are going to get into this. And it’s our sponsored guest… So thrilled that he’s joining us today. He is from SPMB Executive Search. In fact a partner at SPMB Executive Search. It is Radley Meyers. Radley, thank you so much for joining us.
[Radley Meyers] Hey, guys. Yeah, very excited to be here. Thanks for having me.
What needs to be considered?
[David Spark] David Stirling, EVP and CISO over at Zions Bank Corporation, said, “Be business leaders first. Understand the P&L revenue generation, go to market, and long-term strategy of what you’re defending. Once the business is no longer abstract to you, the most effective ways to protect it will be readily apparent, and you can present the value in terms your executive team or board can grok.” And Umar aka Chris Carter of Optiv said, “A leader must not only have the technical and political chops, but she/he must also have a sound understanding of the why behind the organization’s existence and how value is added or taken away.” Geoff, these are answers a little more detailed than what we say again and again on the show – learn the business.
[Geoff Belknap] Again and again. It’s right there in the title – chief information security officer. You are a chief officer of that organization. If you’re going to be somebody who’s leading security for a very small organization that’s just getting started, it’s completely okay to not have those chops. You can be somebody that’s an expert in endpoint detection, or firewalls, or just an IT generalist that has an interest in security. But if you are going to be the chief information security officer or the chief security officer of a large growing organization, you really have to understand how the business works and how to speak to the people that are the other business leaders in terms that they understand. It cannot all be about the technology. You cannot be a fancy, expensive IT person. You have to be a business leader.
[David Spark] All right, I’m assuming you will echo the same comments, Radley, as well. Here is my question – for those people who are wanting to be CISOs, how do they best show that they’re learning the business and to show that, “Hey, I am CISO material.”
[Radley Meyers] Yeah, I think it goes back to, say you are a director of X group underneath the security arm, it’s finding, one, mentors that can help uplevel you to that communication expectation. So, that’s one piece. Two is getting exposure to more parts of the business, as Geoff was alluding to. Trying to get time with customers, trying to work within the product organization. Whatever your weakness is, you need to find the mentors that are going to give you the insights and help uplevel you. And then the third piece is getting on the radar of your CEO. You are probably not reporting into your CEO. You’re probably a few levels down at that point. And so making sure that you understand the needs of the business through the chief executive so that you can start thinking like the chief executive.
[David Spark] And if you can demonstrate that, I’m sure that kind of lights a fire to the CEO, yes?
[Radley Meyers] Absolutely. Absolutely. Because a lot of the time if you have a CISO, the CEO is probably a little bit more read in on what they want out of a CISO. But if there is no CISO in the organization and they’re starting to think about hiring their first CISO, most CEOs don’t really even have a firm idea of what they want because the role is evolving so quickly and constantly. So, the more that you’re in front of them and as that vision of what they need out of their CISO for the position is evolving, you’re read in. You now can start to learn the things that that CEO is going to want out of the CISO, and then you’re on the gravy train.
[David Spark] That’s a really good point is that it seems that given that CEOs often don’t know what they want that if you can demonstrate, you will literally be the model. They can see it play itself out, and that seems like an easy walk right into the role.
[Geoff Belknap] Yeah, there are decades of precedent for roles like head of sales, or now head of revenue, or head of legal, which we call general counsel, or chief legal officer, or finance. But there is not a ton of precedent yet…I know this may be shocking…of what makes a great CISO. What’s a really good pairing of skills for an organization. You know, if you don’t already have a CISO…you have the opportunity to show that maybe you’re that person. Maybe you’re that set of skills. I think that’s a really wonderful opportunity. And I’ll tell you, the secret is understand the business in the same terms, vocabulary, and frame of mind that the rest of the business leaders, especially the CEO, do. If you understand what the key elements are for that business to be successful and you can talk about them in the terms that the CEO can, you are already halfway to being amazing at the job if now you understand what are the technical decisions that you need to make or the technical equities that you need to balance to move that company forward in a more secure, trustworthy fashion.
What’s the total cost of ownership?
[David Spark] Jerich Beason, Commercial CISO of Capital One, said, “Talk about the cost of not doing security, not the cost of doing it. Opportunities lost, customer churn, erosion of customer trust, regulatory and legal implications, and so on. Then lay out a plan to win in whatever industry you are in because of security, not despite it.” And this kind of sounds like he’s writing the roadmap of how you sort of define for the CEO what they need. What do you think, Radley?
[Radley Meyers] Yeah, it’s funny. We often use this approach in recruiting. It’s what’s it costing you to not have this person in the seat on a daily, weekly, monthly basis. Now my fee seems pretty minimal. And so we’re not so different. I think this goes back to the first point, which is this only works if you know the business well.
[David Spark] Good point. You can’t jump to this right away. You have to know the business first, and then you can do this.
[Radley Meyers] Exactly right. And so you should know what… If you want to be taken seriously in this regard, you need to be able to speak to kind of how having a mature security program impacts your customers, what that cost [Inaudible 00:08:26] You should know your customers both practically and theoretically, or the time that you’re wasting on product development, not having a DevSecOps function well established, whatever it is. What’s the hiring plan for the company, and is this program prepared to scale? All of these are costs. And so if you can tie security into how you’re making product development more efficient or how you’re going to make the ease of hiring through whatever it is…through working with HR… If you cannot answer these questions then you can’t do the cost analysis and convey that in a way that’s going to be impactful.
[David Spark] Just very quickly, what I’m hearing from you is doing that well builds trust. Not doing it well does not build trust.
[Radley Meyers] Yeah. Yeah. Trust is core to it all, yeah.
[Geoff Belknap] I’ll also mention being able to articulate that well also sort of subtly transmits that you understand how the business works. If you can articulate those costs… And I think even more important than costs are the upside value, the potential accelerator to the top line, that having a head of security brings, you are well on your way to landing that role.
Sponsor – SPMB
[David Spark] Radley, from the business side, quick answer to this – what is the shortest time and the longest time it’s taken you to hire a CISO?
[Radley Meyers] Shortest time was I think 45 days. Longest time was actually my first search when I joined SPMB, which was 11 months.
[David Spark] Wow, that’s a long time.
[Radley Meyers] [Laughs] Yeah, it was painful.
[David Spark] All right. We talk about businesses not knowing what they want. When a business comes to you and they want help finding a CISO, how ready are they in getting a CISO in the sense of how well do they know what they want, and how much are you helping them?
[Radley Meyers] Yeah, so this has shifted a lot I would say over the last four years because historically we were doing searches for public companies that had security leaders. Whether it was in financial services or healthcare where there’s a little bit more depth there. We didn’t have to do as much defining on the front end. There was a pretty good understanding of what they were looking for based on precedent. I would say the last four years, I spent probably more time talking companies out of hiring a CISO… I say that being a true executive level CISO. They were not ready at the executive level to bring in a real CISO. They were probably better off with a director of security and IT or whatever that function was. But we walked through exactly what the next couple years would look like and when to call me when they actually wanted to hire that executive. So, I would say I probably spend about 50% of my time on the front end working with companies to identify is it new products that they’re looking to develop, is it that they realized that they’re sitting on a treasure trove of data, and they want to monetize that data. And they need somebody to come in and set up data security in a way that’s going to allow them to do that effectively. We go through all of these different scenarios and understand the maturity of the business, and then go from there.
[David Spark] All right. Well, I want to talk a little bit about your business, SPMB. For those people who are not aware, it is the number one executive search firm serving the technology market and one of the largest independent retained search firms in the country. Now, for 45 years, they have specialized in recruiting C-level executives and board members to large multinationals across all categories – media, consumer, financial services, healthcare, renewables – on their path to digital transformation. So, SPMB also partners with disruptive growth-oriented startups, building out the leadership teams at the most innovative companies in the tech space. They bring the knowledge of a large global firm and combine it with the personalized service and attention of a boutique to connect top executive talent to the best and fastest growing innovators across the country. Closing hundreds of C-level searches annually, SPMB has recruited key leaders into companies that have generated over one trillion in market value for our clients. So, SPMB brings extensive knowledge and expertise to its dedicated security practice, leading both functional searches – CISOs and VPs – to defining security strategy and building out executive teams at top security software companies. To learn more, just go to their website. It’s spmb.com. Couldn’t be easier.
Does it play nicely with others?
[David Spark] Robert Wood, Centers for Medicare and Medicaid Services, said, “Just start doing it. It’s such a common misnomer that people need titles and authority to lead. Leaders are bold. They rally people. They bring vision, and they inspire. That can and does come from anywhere.” Kevin Johnson of Headway Workforce Solutions said, “It helps if there is experience dealing with the crises in their paths including cyber-attacks.” And Andre Ferreira said, “You need someone you can trust that won’t run away when the proverbial hits the fan – someone that navigates and ensures it.” So, two issues came up here, Geoff, that I want to stress. I love Robert’s comment of, “Just do it.” The Nike slogan. And a lot of people feel uncomfortable with that, and I’d like your thoughts on it. But the second is, wow, someone who’s been through the worst and has come out the other side, that’s someone who’s building leadership potential, I think. What’s your take?
[Geoff Belknap] Yeah, there’s so many good suggestions here. I think Robert’s suggestion of just doing it is a great idea. Now, to be clear, what I believe he means by just do it is not just assume that you are an executive and start inviting yourself to meetings and print out some business cards.
[David Spark] Like a Seinfeld episode.
[Geoff Belknap] Yeah. Which might work. I would option that TV show that four of us would watch. I think this does work. Doing security is not getting up on stage and giving talks. It’s everything you’re building, everything you are operating now… If you’re in IT or if you’re in production engineering, whatever you might be doing, have the security angle to it. If you are now owning that security angle to the thing that you already own and you’re adding security to that and thinking about it, and you can articulate it and demonstrate that to people, you’re already being a security leader. And that’s a fantastic place to start from. Now, let’s talk about the experience dealing with crises. Certainly if you are a security leader, part of your role is going to be dealing with problems. Some of those are going to be urgent or emergent problems. And it is really good to look at yourself in the mirror and understand and assess your capability to stay cool under pressure. And staying cool under pressure, you might think about it as being able to throw that football when you’re under pressure or maybe you’re really good at playing poker, or maybe you just understand that when there is chaos and ambiguity, you are cool as a cucumber, and you can still collect yourself and make some decisions. That will be a trait that will serve you very well. It is not the only trait you need. Certainly you could be worse at that and better at other things, but it’ll be pretty important to your long-term mental health if you choose to take this role. So, I think the last suggestion here I think is really good – cool as a cucumber and won’t go running for the hills when it hits the fan because it will hit the fan. Whether that’s a foreign nation state attacks your organization and you have to deal with it or it’s just you’re dealing with an escalation and a disagreement between you and another business leader about how you solve this issue with security trust in mind, those can be very stressful, too. And you have to be built for that kind of stress to be in this job.
[David Spark] So, speaking of stress, I just met the Sella Winds [Phonetic 00:16:13] CISO, who the first 30 days when the breach was revealed, he lived in on campus housing, was working from six AM to midnight across the street. He lost 30 pounds. Unbelievable.
[Geoff Belknap] That’s one day to do it.
[David Spark] He’s still at the company to this day, and he’s still dealing with some level of fallout two plus years later. That is… I was quite impressed with his story of how he dealt with it. Radley, I’m throwing this to you. Do companies ask to say, “I want a CISO who’s actually been to war.” Or do they actually go, “Oh, don’t give me any CISOs who have ever dealt with a breach.” How do they respond to that?
[Radley Meyers] Yeah, it’s funny. That, too, has evolved. I think it’s true of every executive placement I’ve done is people want executives who have some scars. You have to have been through some stuff. Earlier in my career, there was maybe a negative reaction to somebody who was at a company when there was a breach, but I think that’s all but gone. I think people look at it as… I’ll say it’s all but gone as long as the story doesn’t end there. If you were somewhere and you had a crisis, and then you were gone, that happens. But I think the beauty of it is when you can explain what the change was and what the outcome was after a breach or after a situation, that’s when you really get into the next level.
[David Spark] Yeah, double down on that for just a second for me. The story, the ability to tell the story and what happened I have seen from my own experience of telling like, “This worked. This didn’t work.” I have been able to sell on just that. Have you watched CISOs be very compelling doing that?
[Radley Meyers] Absolutely. It’s what actually made me fall in love with this function. The first security search I was doing was for one of the big credit bureaus after Equifax. And I remember calling around and saying…thinking nobody is going to want to return my call or do this job. And everybody was calling me back, and everyone was really excited about it. They all had their own stories about the challenges that they had faced or the issues that they had solved for their companies. That was the moment I was like, “Wow, this is a really, really compelling community and people who are not afraid of the fire.” And so that ability to tell those stories is really what pulled me in.
[Geoff Belknap] Yeah, look, no one takes this job because they want a quiet, calm, relaxing experience. There are lots of much more relaxing jobs like explosive ordnance disposal or…
[Geoff Belknap] …like battlefield reporter. But the reality is people who want this job want to have an impact. They want a challenge like that. I think it also is really important if you think this is the career you want, you need to answer for yourself whether that’s the kind of challenge you’re looking for.
What are the best practices?
[David Spark] Bill Lawrence, CISO over at SecurityGate.io, said, “Needs to be a phased approach along the journey towards better security. A focus towards training the whole company to recognize phishing, for example. Use passwords and MFA and be unafraid of letting us know if something didn’t go right actually can be a low cost, low hanging fruit.” This was just sort of like a tip of like, “Oh, this could be a first easy phase.” Wib J. Gridley said, “A plan to grow from within instead of going outside to look for unicorns, thereby saving the company money and underscoring the company’s self-proclaimed culture.” So, some of this actually goes to what you were saying just earlier, Radley, of companies saying, “I need to hire a CISO.” And you’re like, “Eh, you’re not at that level yet.” And yeah, a lot of companies don’t need to jump to CISO, but they do need some kind of security leadership and some help to some level. What are signs either you don’t need a CISO or signs of, “Let’s start at stage one here.”
[Radley Meyers] Yeah, I think the easiest sign is just the scale of your business – how big your company is. I think that complexity of your product offering is another sign. I think once you start thinking about global scale or what type of data you’re then bringing into your business, I think that’s when the conversation starts to get a little bit more interesting from a security standpoint. I think as scale becomes top of mind then it’s time to start thinking about bringing in a true security executive.
[David Spark] Good point. Geoff, let me ask you, when did you know it was time for yourself to become a CISO?
[Geoff Belknap] Oh, well, this is where I wish I had the time machine and I could go convince myself to do something else.
[David Spark] Like the battlefield reporter you mentioned?
[Geoff Belknap] I think we’ve talked about this before. Like ice cream truck driver or something like that. Something that people respect and appreciate. No, I think…
[David Spark] Everyone likes to see the ice cream truck.
[Geoff Belknap] Everyone likes to see the ice cream truck coming. Everyone loves to hear that noise. People do not like to hear the Slack DM message.
[David Spark] By the way, that’s the answer to your problem. You should walk around the office with the ice cream truck sound so people won’t fear your arrival.
[David Spark] Geoff, we’ve solved it completely for you.
[Radley Meyers] Gamification right there.
[Geoff Belknap] This is a heck of a startup idea right here. So, to answer the actual question, I think I did just as we’re talking about. I was working for an organization. Security was core to our value proposition. There was a lot of upside for us, and I was doing something else in the organization. Some of the leaders… I think in my case, I was very fortunate. Some of the leaders came to me and said, “Hey, we’re thinking about building as we grow…building a security function. You’re an adult who makes good decisions.” And I said, “I don’t know about that, but I qualify for at least one of those things.” “Do you want to give it a shot?” And I said, “Yeah, I’ll give it a shot.” And it worked out.
[David Spark] Hold on. So, were you grooming yourself and you were like, “Aw, finally they paid attention.” Or you’re like, “Hey, that’s kind of nice. I would like that.” Where did this lie?
[Geoff Belknap] No, I think in my case… This is sort of as I referenced I think earlier. I think it’s a little bit different how this might happen now as how it happened for me many, many moons ago. I think when it happened for me, almost 15 years ago now, having a security team or having a CISO or a security leader was sort of like, “Yeah, if you’re the federal government maybe you do that.” Or maybe if you’re IBM or something like that, you do that. But no, no other companies really need those things. I think in our case with our enterprise customer base and sort of the work that the company was doing, it became really clear that we needed that. I think nowadays more companies would realize that. And I think there’s much more opportunity for people to raise their hand and say, “Hey, maybe we’re ready to grow up to a real security leadership role.” I think there are lots more opportunities for that now. But back then, it could really be about your technical skillset. I think in that case I was a fairly decent teller of narratives. Whereas today you’ve got to be a really seasoned business leader that has technical chops. You just have to have both.
[David Spark] This is a good point. It’s evolved.
[Radley Meyers] Yeah, and I think on that note, there is sometimes this rush to get to that top job. I will say one piece of advice is if you’re in that…whatever that, that number two kind of role right now, or you’re in that director level role, whatever it is, and your company decides that they want to bring in that CISO from the outside, don’t be disgruntled by that. If there’s an opportunity to be a number two to that seasoned leader, take the opportunity to be mentored by somebody. Because what I’ve seen is a lot of times I’ll have a CEO who loves their security person, but they realized they can only take them so far. So, they want to bring somebody in over that person, and that person then runs to get that top job when they’re not quite ready. And the impact that can have on your career to rush into that CISO job before you’re truly ready for that role, it could be a mistake. You end up having to backtrack, and it’s tough to pull out of that cycle.
[David Spark] That is excellent advice to close on. That is perfect. I love that, Radley. Okay, we’ve come to the point of the show where I ask both of you which quote was your favorite, and why. I’m going to start with you, Radley. Can you pick a favorite quote, and can you tell me why?
[Radley Meyers] Yeah, I really like David’s quote to start us off. I do think that…
[David Spark] This is David Stirling.
[Radley Meyers] David Stirling, yeah. About just being a business leader first. I think, like I said, this is just the biggest and most critical thing on the top of everybody’s minds. And with the shifts happening at the SEC, it’s going to be even more important. As security becomes more and more board level, it’s just critical for that to be…
[David Spark] Yeah, he set it up kind of beautifully for us. Yeah, it’s like you couldn’t become a CISO without it. Yes?
[Geoff Belknap] Yeah, absolutely.
[David Spark] All right, Geoff, your favorite quote, and why.
[Geoff Belknap] I would almost come back to something Radley said just a minute ago – if you have the opportunity to be a second in command or directly report to somebody who’s brought in to be a security leader, that is a phenomenal way to get yourself rapidly ready to be in that role in the future at that organization or somewhere else as it happens. I imagine Radley is familiar with this – other people are hiring. Your skills are marketable. But I think the other way or the other quote I would think about is the one that Jerich shared, which is talk about the cost of not doing security versus the cost of doing it. Talk about the opportunities lost, and the customer churn, erosion of customer trust, etc., etc. And then I think also really important to talk about what’s the upside. Like how will this function or promoting you into this function help the company grow and succeed. And all of those things are really important. Because, frankly, nobody wants to pay extra money for extra good insurance. What they want to do is invest in things that will bring return to the business. And if you can talk about it in those terms, you are going to have a winner on your hands.
[David Spark] Awesome. Great closing advice right now. Radley, any opportunities you want to give to our audience? We greatly appreciate you sponsoring CISO Series. If they want to get in touch with you or if they want to get in touch with SPMB, for both sides… Whether you’re looking to get a CISO position or you’re looking to hire a CISO, what should our audience do?
[Radley Meyers] Yeah, you can find me on LinkedIn, where all recruiters live. Or you can feel free to reach out to me. The beauty of having a name like Radley is I don’t have to compete for email names. So, email@example.com is the best way to get in touch with me.
[David Spark] Aw, very good. Thank you so much. We greatly appreciate it. And thank you, Geoff. And thank you to our audience. We greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review. Leave a comment on LinkedIn or on our site, cisoseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at firstname.lastname@example.org. Thank you for listening to Defense in Depth.