Carl Froggett combines CISO and CIO. He currently occupies both positions at Deep Instinct. Before then, he was CISO at Citi for almost 17 years.
Combining CISO and CIO
Froggett has long believed the two roles overlap, making a combined role attractive. But it doesn’t work for all companies. Citi has more than 200,000 employees. Deep Instinct has fewer than 200. Combining CISO and CIO would be too much for one person at Citi, but works well at Deep Instinct.
“Both CISO and CIO ultimately do the same thing,” he explains: “they both support the business. The CIO is responsible for the technology strategy – the software, the infrastructure, the cloud strategy, etcetera – while the CISO is responsible for ensuring it is secured.” Put simply, each depends upon the other to support the business.
“There is no such thing as zero risk,” he continues, “unless you want to turn everything off and go home.” So, the business cannot operate safely without the CISO. But equally, the business cannot operate at all without the CIO’s infrastructure – there’s nothing to turn off before going home. Technology and security need to work together for the benefit of the business.
If the two roles are separate, there can be conflict, but they need to work together. If they are combined, conflict can more easily be avoided but impartiality can be lost.
“What you lose, and I’m very aware of this every time I make a decision, is the impartiality and alternative view,” he continued. “So, I have my IT team challenge me all the time. The culture is: ‘if you need to, speak up’.” He aims for openness where everybody challenges each other. “The main issue with combining the roles is you can get tunnel vision if you don’t have the alternative view; and that can lead to bad decisions.”
Early career
Froggett began his journey with an interest in technology, gaining a BSc in Computer Science from Loughborough. He first started work as a contract engineer before joining Salomon Brothers in 2004, and worked there, mostly as a network engineer, for almost four years.
During this period, Salomon was acquired by the Travelers Group, and Travelers merged with Citicorp to create Citigroup. Froggett didn’t technically ‘leave’ Salomon, but he found himself working for Citigroup in 1998 (which rebranded to simply Citi in 2003).
But with the corporate name change (effectively from Salomon to Citi in 1998) came an equally important occupational function shift. He switched from IT engineer (the technical nuts and bolts of maintaining computer functionality) to become EMEA Information Security Services Manager at Citi for almost 9 years before becoming CISO. He remained Citi CISO for almost 17 years.
Transitioning to cybersecurity
“I started my career with a number of technology roles, from sys admin to email to DNS and to trading. I was in a trading environment [at Citi] in the early 2000s,” he explains. This, incidentally, was the period in which business moved to the internet, and cybersecurity emerged as a distinct and accepted profession. Communication had previously largely been a physical wire from source to destination; but was becoming a software-defined virtual network and more easily attacked.
“Because of my experience in a wide range of technologies, I was asked if I could look at the security and exposure of these new communication technologies,” he continued. “So that’s how I accidentally got into cyber. But I immediately just loved it, because I love the challenge. That challenge and the excitement of it continues today, more than 20 years after I started in security.”
It’s because, he explained, security is always behind new technologies. “Take AI and LLMs today. Security is always behind the bleeding edge of technology – you’re always behind the eight-ball. You have to find creative ways to mitigate the risk in the short term until the technology catches up with built-in security controls. We’re seeing it today with guardrails and prompt injection and other AI concerns.”
He doesn’t believe the basic requirement for creative solutions to get round the eight-ball will ever end. New technology continues to develop behind that eight-ball, and security must continually find ways to solve the problem. “I’ve always enjoyed that challenge, and over the years it has just become more and more important. And it will continue to be more and more important. The quick answer for why I became interested in cybersecurity is because somebody asked me to go and look at a security problem because they didn’t know how to fix it. And I never escaped because I loved it.”
Froggett was given the opportunity to move into cybersecurity because Citi believed his technology background would help him understand and tackle security. History proves Citi was right – but he never lost his equal love of technology and always believed that technology and cybersecurity should work in lockstep while both working for the good of the company. It is little surprise that the pull of both ‘professions’ would eventually guide him to a position that combines both – which is Carl Froggett today: CISO and CIO at Deep Instinct.
Being a leader
This career path started as an engineer and system administrator and transitioned to a leader of people in both information technology and cybersecurity. What makes, and what is, a leader? Can anyone be a leader?
“I wasn’t a leader. I wasn’t a born leader,” he said.
“I always wanted to be part of something bigger than me on my own, and that involves working within teams. I never had a problem with working within teams. Leadership for me just came through opportunity. I didn’t seek it out; it found me. And I ended up running a small team of technical people that ultimately grew into 200 plus people.”
It might have just happened, but it still wasn’t easy. “One of the hardest things in my career, something I don’t often talk about,” he continued, “was the process. I was part of a technical team, and I was a senior technical person. I wasn’t the team leader, but the team would look to me for unofficial guidance and help.”
He became the unofficial ‘anointed’ leader of the team. But then, because of a particularly thorny issue, he was temporarily, but officially, promoted to team leader. Temporary often presages permanent – as it did here. But overnight he found himself responsible for people rather than just a technology solution.
“That was a horrible time, because overnight my teammates started treating me differently. I felt isolated. I was no longer just responsible for the direction and the architecture, but suddenly I was responsible for the people, their appraisal, their salary, their issues, their aspirations, their career growth and development. That was a really tough transition for me personally.”
Froggett wasn’t a born leader, he had leadership thrust upon him. What characteristic enabled him to cope and thrive as a leader? “Empathy,” he said. “Not just empathy toward people, but empathy to the business.” It implies that Froggett sees leadership as a bridge between the staff’s personal effort and aspirations, and the company’s direction and purpose.
Career advice
“When opportunity knocks, you say, ‘Come on in’. Never say no to an opportunity. Never just shut it down. You don’t have to say yes at the end, but you won’t be able to say yes if you don’t take that initial opportunity.”
It is clear in his career that he took this advice to heart.
“I can give you another example,” he said. “While at Citi, the company was looking for managers to work with HR to create leadership training. I was a manager, not a senior leader, but I took that opportunity, and I ended up hosting and doing training and development for hundreds of leaders at Citi.
“Saying yes to opportunity was probably the best advice I was ever given. You expand your network; you get to meet more people; you get to work on different things; and you expand your knowledge. You gain the experience of being uncomfortable in different situations, and you learn from that experience, and you can take that experience and apply it in totally different scenarios.”
People may say you were lucky. “It’s not random luck,” he said. “You make your own luck by grasping thorny nettles and working your way through them and continuing to evolve. If you just stay in the same place hoarding and protecting your own knowledge, you’re not going to grow. So, welcoming opportunity was probably the biggest single piece of advice I ever received.”
He gives the same advice to his own team members today, but with one major addition: Speak up. “People make mistakes. Don’t cover them up, let’s deal with the mistakes. Small things become big things very fast.” This helps him personally as a leader, but it also highlights which team members wish to grow.
“Not everyone wants to. Maslow shows us that different people have different primary aspirations. But if I know that a team member wants to grow, I turn to my own experience of opportunity. I try to give that opportunity, and I encourage understanding the importance of accepting opportunity.”
It’s a double-edged sword. He benefits personally. “I want them to grow, because I feel that not only will I get the best work out of them, but they’re also going to want to stay.”
But that personal growth can accelerate personal ambition. “I had a team member who started with me as a graduate. He became a manager within my team, running a major group within it. Now he’s running risk at the London Stock Exchange. He’s gone on to achieve major success. Many others have done similar, and I’m really proud to have played a part in their success. Nurture the person and not just the work is one of my philosophies of leadership.”
Primary cybersecurity concern for today
We’ve talked to Froggett on how he got to where he is today. But what cybersecurity issue right now is his primary concern?
“Artificial intelligence,” he said. “I see a huge upside to artificial intelligence for us as individuals, for citizens, for advances in medicine and other major achievements. Equally, on the flip side, it can be used for great harm. From a security perspective, we’re already seeing that, with bad actors leveraging generative AI models to do harm. We’re seeing them write code using gen-AI, so they don’t need skill anymore. Gen-AI allows you to be intent based, not instruction based. Historically, hackers needed to be able to code, they needed a lot of expertise to be at the top of their game for hacking.”
That’s no longer the case with gen-AI. Although the signs of what’s coming are already with us, he thinks it will get worse. “It’s just a matter of time. We’ve seen this before with cloud. We’ve seen this before with internet, with battery technology, with chip technology. We run into a barrier, and it doesn’t seem to progress – and then there’s a big breakthrough, and we’re off to the races again.”
Companies, especially security companies like Deep Instinct, are well-versed in AI and have a chance to counter AI-wielding bad actors. “But if I think of the wider community like my family, my parents – I’ve been educating them on some of the more real things they can already face, like deepfakes and deep phishing and the very sophisticated, realistic attacks against regular people. It’s a worry, because humans want to trust generally, and so I don’t know what the answer is. But that does keep me awake at night; along with the fact I have two daughters in their early 20s.”
He also believes AI will disrupt business careers generally, including, “the kind of career progression I was lucky enough to enjoy.” Instead of needing 100 expert software coders, companies will need just one who is expert at AI prompting to do the work of 100 people.
“I see AI as a force multiplier, but maybe that means there will be fewer of those junior opportunities. I don’t think they’ll disappear within the medium term, but I do worry about the negative impact that such a transformational technology is going to have on society.”
Does he worry that AI will reduce human as opposed to machine intelligence? “I’ve gone backward and forward on this. We used to use an abacus, and then we had paper and pencil, and then we used a calculator, and now we use Excel. But there’s still a lot of smart accountants and mathematicians, so the way I think about it is that they were tools to enable us to make progress more quickly. The glass half full side of me wants AI to be the same – it’s a tool that enables us to do things much more rapidly, for good.”
But if you have a glass half full, it is also half empty. “On the human imagination side, well, you see it already today. I look at LinkedIn, and I know the people concerned and I know they didn’t write it. It’s clearly just some AI-generated slop.”
This is the great dichotomy of AI. If the glass is half full, it could be an amazing tool for increasing the creativity and productivity of humanity. If the glass is half empty, it becomes a replacement for creativity and a shortcut to slop. But when you consider Froggett’s history, this is exactly what excites him in cybersecurity – finding a creative way to get past the eight-ball of AI concern to harvest the potential benefit of AI.
Related: CISO Conversations: Keith McCammon, CSO and Co-founder at Red Canary
Related: CISO Conversations: John ‘Four’ Flynn, VP of Security and Privacy at Google DeepMind
Related: CISO Conversations: Maarten Van Horenbeeck, SVP & Chief Security Officer at Adobe
Related: CISO Conversations: Kevin Winter at Deloitte and Richard Marcus at AuditBoard
