In this edition of CISO Conversations, SecurityWeek talks to two Field CISOs, Fawaz Rasheed (VMware Carbon Black) and Nabil Hannan (NetSPI), about their new and emerging role. While company CISOs are operationally responsible for the security of their own companies, Field CISOs provide security advice to the company’s customers, clients, or partners.
“A company CISO is held accountable for his or her own company’s security,” comments Nabil Hannan. “In my role as a Field CISO I work with different customers and partners, helping them understand what their security posture looks like, understand where they might have gaps, and help them strategize. So, I act as an advisor to them.”
It’s a two-way street. The customer receives advice on maximizing the potential of the vendor’s product with additional advice on overall security strategies, while the Field CISO can return with insights on what the market requires. This could spur improvements to the existing product, or even the development of new product.
It is a difficult, demanding, and rewarding role. It requires someone who can go into another company, effectively tell both staff and executives, ‘You’re doing this wrong — you should do it like this…’, and yet be welcomed to come again.
This is what we’ll discuss: the knowledge and skills a Field CISO should possess, the career background, the soft skills, and how to get the role.
The first obvious requirement is an extensive, almost encyclopedic knowledge of cybersecurity relevant to many different industry sectors. Rasheed suggests that would be someone who, like himself, has already worked in the capacity of a company CISO. Hannan has never done so, and thinks it could even be a disadvantage. Individual company CISOs can sometimes get trapped in their own verticals, and gain extensive knowledge of that one vertical.
“Medical device security is very different from a firm that only builds web applications,” points out Hannan. For him, the spread of knowledge came from working as a consultant with many different clients in many different verticals.
The purpose of the Field CISO is not simply to promote its own company and product, but advise customers on how to maximize the use of that product within their overall security posture. This inevitably involves working closely with the firm’s security, IT, and business leaders; and the advice can go way beyond the Field CISO’s own product.
“I try to be product or tool agnostic,” says Hannan. “My goal is not simply to sell my own products or services, but to provide overall help and advice including industry trends and insights that customers probably need to consider. Most of my meetings are face to face with leadership at different organizations. I ask them what challenges they have, and what they’re trying to solve today. Are there any emerging problems that nobody is yet addressing? These are the questions that I’m trying to get in front of.”
Rasheed agrees the agnostic approach in bringing outside trends to the table is an important part of the job. “I speak with different CISOs, CIOs, and CTOs every week,” he says. “The company CISOs often ask what others in the same space are doing about third party risk management, ransomware protection, endpoint security, business transformation and more.”
He believes the Field CISO also serves the role of a posture validator. “Company CISOs often ask me to look at their security program. Are there any gaps, anything else I should be doing? Much of this will have little to do with VMware Carbon Black or its products. But providing context and a frame of reference together with the lessons I’ve learned is key to the job.” This highlights the advantage of having a company CISO background. “Because I’ve also been down that path, we can have an open dialogue on my recommendations because I have experience of the same challenges they’re facing.”
A company CISO’s need for soft skills is well known. A Field CISO needs that to the nth degree. He or she can be viewed as coming from outside the customer company to interfere with existing operations – and this can cause tension with the customers’ own staff.
“A conflict or a sense of apprehension is always there,” says Hannan, “because you’re often coming in to call someone’s baby ugly. You’re coming in to tell them where they have mistakes, where they have gaps. Nobody wants to hear that – nobody really wants their dirty laundry aired.” Ways of handling this tension will be different for different Field CISOs, but it is not something that can be ignored.
A second area of soft skill expansion comes in talking to the leadership levels of multiple organizations. Company CISOs must understand the business side of their organization to communicate with business leaders. But Field CISOs must understand the business side of multiple organizations in multiple different verticals.
“It requires a lot of studying and talking to people with more experience in specific areas,” says Hannan. Often these are conversations with former clients who have become friends and mentors. “The key is having the right mentors who can guide you and advise you, when you run into challenges where you need more insight.”
Rasheed also focuses on the areas that are generally common between security and business: “How do we demonstrate RoI to the CFO, what type of metrics should we present to the board?”
While it is necessary to be fluent in business-speak, the Field CISO needs to be able to pivot back to the engineers and talk engineering. Both of our Field CISOs believe that a background in engineering is essential for this.
Becoming a Field CISO
At the time of writing, LinkedIn has 85 “chief information security officer” vacancies available in the US. It has just one posted for “Field CISO”. Partly, this is because Field CISO is a new role currently without formalized responsibilities – a bit like the role of company CISO 20 years ago. And it is following a similar evolutionary process.
It’s not that cybersecurity didn’t exist before the arrival of the company CISO, but that the custodians went under various titles: information processing officer, data security manager, security manager and more. It was over time that these positions coalesced into the role of the CISO.
This is now happening with the role of the Field CISO. “Titles for similar roles I’ve seen include chief strategy officer, chief evangelist, and more,” comments Hannan. “But they don’t necessarily capture the exact essence of what we’re trying to do. My goal is to be an extension of company CISOs at various organizations, and gather data and intelligence from the field.” The only way you can do this is to be a CISO in the Field.
Rasheed sees the Field CISO role as becoming more popular within a range of organizations – almost as a career progression for existing company CISOs. “Several of my peers are company CISOs that have migrated into the Field CISO role. They find it a logical next step. Being able to take their knowledge, their experience, their expertise, and then apply that forward for customers, prospects, and clients, is a rewarding opportunity.”
Just as the original company CISO role had no clear career path 20 years ago, there is no formal career path leading to Field CISO today. In both cases it is a combination of being in the right place at the right time, and grasping or pushing for the opportunity.
Hannan did a bit of pushing. “I’ve always been told you need to start doing the job that you want to have. So, I was already working with partners and clients and being an advisor, both from a NetSPI services and product perspective, and as a general advisor across the cybersecurity industry. I had been doing this for six to eight months and then had a discussion with our leadership team. I asked if there was a better title that more accurately captured what I was already doing. We did some research, and then we landed on the title of Field CISO.”
Rasheed did a bit of opportunity grasping. He has always been interested in giving back or passing on his knowledge and experience. He likens it to the drive that takes some corporate leaders into education. “They decide to go and teach at a university level at a collegiate level, because they want to share their experiences. They want to give back to communities and to students and offer what they have learned, and share those experiences. So, I see that as an attraction point for me, which really kind of drove me to this – to be able to talk about my subject and share and help others.” When the opportunity for a Field CISO arose at VMware Carbon Black, he took it.
It is the same, and always has been, for all new-field career progression. You either recognize and grasp the opportunity when it becomes available, or you create the opportunity and then grasp it.
Field CISOs give advice. So, we asked them for the best advice they had personally received in their careers. For Hannan, it was effectively ‘follow the money’. Translated to the cybersecurity role, it is ‘understand how the business makes its profits’. “When you look at an organization, and you want to figure out how to implement a cybersecurity program,” he explains, “you need to start by understanding how money is made at that organization.” While your expertise might be cybersecurity, your ultimate purpose is to protect the profitability of the company.
“Usually,” he continues, “if you can truly understand the finances and truly understand the overall approach an organization takes to their business being profitable, that will then allow you to make more informed and acceptable decisions on how to approach the cybersecurity challenges.”
Rasheed highlights two pieces of advice. The first was VIP — an acronym for Visible, Impactful, and Proactive. “That drove me in my career journey, to continue to make sure that I’m out in front, that I’m making sure that I’m not mistaken, and that I am being proactive.”
The second piece of advice relates to the proactive element — stay ahead of the curve. “It sometimes feels like cybersecurity is moving at lightyears per second — what was relevant last week may not be relevant today because of some maturity or change within the threat landscape. Constantly staying on top of developments is a key success factor.”
Advice should be given as well as received. Hannan adds to the advice he received — don’t just follow your company’s money, also follow the attackers’ money. “From a security perspective, the hackers go where the money is,” he adds. “When coming up with an attack scenario, they will want to go where they will get the highest return on investment for their time and resources. So, understanding the finances and then making sure you think critically about both internal needs and the external motivations of attackers and hackers will allow you to make better-informed decisions.”
Rasheed’s advice is to seek excellence in the marriage of business acumen and technical aptitude. “A CISO must be an astute person who understands the needs of the business, who has a compelling manner of communication, who is able to talk less and say more, to abbreviate and be succinct, and to contextualize the information in a manner that’s digestible to non-technical audiences,” he says.
But, he adds, “At the same time, the CISO must be able to pivot very quickly, and be able to have technical discussions with security teams, with partners and with vendors to analyze and understand the root cause of issues — whether they’re vulnerabilities or threats or the technical underpinnings of the security program.”
Future threats to cybersecurity
All CISOs need to be proactive in their approach to cybersecurity, being able to protect against current threats while being aware of new and evolving threats. This is especially important for Field CISOs, providing security advice to different customers in many different sectors. We asked our two Field CISOs what they consider will be the main threats over the next few years.
Rasheed doesn’t see radically new threats (apart, perhaps, from AI), but an increase in focus on currently used and successful threat vectors. Hacking smart devices is one area that will grow. “It’s already happening,” he points out. “We hear about what happens with cars and other autonomous vehicles. In the medical area there are loads of medical devices that can be vulnerable to hacking.”
Ransomware isn’t going away. “That’s another one that is here to stay for a while. It’s astonishing how many organizations in the mid-size area still do not have the full suite of adequate controls to fend off ransomware.”
Other areas we need to focus on now and in the immediate future include API security and third party/supply chain risk. “The development of APIs must become much more secure, so attackers cannot leverage the API vector as much as they currently do. Lastly, I would point to third party risk, which has been here for a while. Organizations always look to ensure their business partners are secure. But what about their partners’ partners, who may be less secure? They may be compromised, and now my partner is compromised, and all the data my partner has from me is also compromised. That threat is not going away.”
Hannan similarly doesn’t specify any new threats, but focuses rather on the scaling capacity that AI will bring to existing attacks. “There are going to be tools and technologies out there that help attackers accomplish their tasks exponentially faster than they would without those tools.” This is not new. “But now with the latest trend in AI-driven technology and large language models (LLMs), attackers are able to create exploits and also make attacks at huge scale.”
The attackers no longer need to have all the technical and coding expertise that used to be required for writing malware; they just need to be creative in their use of AI. “ChatGPT is just one example,” he continues. “You can ask it or similar LLMs to write you malware, and they will write you malware. You can ask them to write a very specific script that does a very specific thing on a particular target’s computer, and it will do that in a matter of seconds. In the past, it would have taken someone with programming and technical experience many hours.”
AI will dramatically reduce the cost of villainy, so the frequency of villainy will dramatically rise — and we need to prepare for this.