CISO Conversations: Nick McKenzie (Bugcrowd) and Chris Evans (HackerOne)

SecurityWeek discusses cybersecurity leadership with CISOs from crowdsourced hacking organizations Bugcrowd (Nick McKenzie) and HackerOne (Chris Evans)

In this edition of CISO Conversations, SecurityWeek discusses the role of the CISO with two CISOs from the major crowdsourced hacking organizations: Nick McKenzie at Bugcrowd and Chris Evans at HackerOne. The purpose, as always, is to help aspiring new leaders better understand the complexities of the job based on the careers and experience of existing top tier CISOs.

We look at routes into the leadership position; its relationship with the business; building, running, and maintaining a security team; mentoring; and preparing for the future.

Getting started

Cybersecurity is a very new profession. If you want to be a lawyer, you go to law school. If you want to be a doctor, you go to med school. If you want to be a CISO, you go to… well, there is no predefined route, possibly because there is no easily defined profession and no easily defined role for the CISO. It differs between companies, verticals, and jurisdictions, and it changes rapidly over time.

That’s why we explore CISOs’ early career paths. For most current CISOs, cybersecurity either didn’t exist as a profession, or was a nascent idea just evolving when they started. In some ways, this hasn’t changed. 

McKenzie studied Commerce and IT at university. He didn’t know what he wanted as a career, but those two subjects could cover a lot of opportunities.

The practical side of IT, in the labs, got his attention. “I loved exploring and tinkering with the hacking tools they had. It drove an obsession for me just to go bigger and deeper into the whole Blackhat side of the house – how to use password sniffing tools, how to use exploits, how to write codes…”

While hacking caught his early attention, the duality of offensive and defensive cybersecurity guided his progress, and his commerce background took him into security with some of the largest financial services organizations: EY, NatWest, JP Morgan, Standard Chartered and more. “The early offensive interest,” he explained, “improved my defensive capabilities.”

In 2021 he joined Bugcrowd, and came full circle – reuniting his interest in offensive cybersecurity with his profession of defensive cybersecurity.

Evans read chemistry at Oxford (jargon alert: you don’t ‘study’ subjects at Oxford, you ‘read’ them). “Technically I am a Master of Chemistry, but it’s a skill or knowledge I have never used in my career.” About halfway through the course he realized that his passion was not chemicals but computers – both engineering and security. “I never looked anywhere else other than going into computers and computer security.”

This was still the early days of cybersecurity, and there were few openings for a Master of Chemistry. “My opportunity was getting involved in open source. It’s something where, if you have the passion and the talent, you can just go and do it – you don’t have to ask anyone’s permission. So, I got into open source security.”

His day job was a software engineer. By combining his official job with his private passion, he was able to prepare for a career in cybersecurity even before a profession in cybersecurity existed, and he was able to grasp the opportunity when it came. “A company called Google was out looking for cybersecurity professionals. I jumped at the chance to be able to align my day job with my private passion.”

Chris Evans, CISO at HackerOne

Google, he claimed, was so desperate for security engineers that they let him work remotely while staying in the UK. “I did that for about 18 months, hacking for Google from Bristol.” But he began to miss the social side of working on-site, “having people to bounce ideas off and having other colleagues nearby.” Google helped him to relocate to the US.

He still wasn’t a leader – but then Google decided to develop a browser. “Back then, it was a cool and interesting challenge – and there were few professionals with both software engineering and cybersecurity experience.” Maybe an Oxford degree was no encumbrance after all. Oxford and Cambridge differ from most other universities in emphasizing self-directed learning over taught instruction – hence the term ‘reading’ – so the degree demonstrates a capacity for self-motivated learning. “So, I went over to that division to lead security for the nascent Google Chrome product. I built the team and culture and tried to make the browser secure for everyone who was going to use it.”

Today there is a solid cybersecurity profession, and there are university courses for people interested in such a career. But both CISOs, and the majority of CISOs in this series, insist that the formal route (like med school for doctors) is not the only one. The real requirements are exemplified by their own paths: a knowledge of computers, a passion for security, and the drive of a self-starter committed to continuous learning. With these attributes, anyone can still become a CISO.

The CISO role today (it will likely be different tomorrow)

The role of the CISO continues to change and is difficult to define. Nevertheless, we can focus on the current key points and attempt to predict its near-future evolution. For example, the position of the CISO in the organizational structure is undergoing a radical realignment. It began as cybersecurity emerged as a necessity in the newly connected world: the security function grew from a desk in the IT department into its own department with its own ‘head’, the nascent CISO. But that CISO continued to report to the head of IT, the CIO.

The importance of cybersecurity has continued to grow, driven by costly breaches and regulatory requirements. The natural affinity between IT and security remains (the field was originally called IT security), but the CISO must now deal with the entire business and not just the company’s IT infrastructure. The strains between CISO and CIO grew, since there is a potential conflict of interest between efficient IT and secure IT. This explains a new requirement for all modern CISOs: strong soft skills together with business acumen. It also raises a fundamental question: to whom should the modern CISO report? The CIO, the CTO, the CEO, the CRO, Legal, the board? The answer depends on the type and size of the company. Evans, for example, reports directly to the CEO, and expects this to become a growing practice in company hierarchies.

In some larger companies, the CISO is just a title for someone owning security policy, with other frontline operational teams undertaking the work. “There are so many ISO titles,” comments McKenzie, “there’s BISO (business), there’s CISO (chief), there’s TISO (technical), and there’s CRISO (chief risk information security officer). It just comes in many, many shapes and sizes.”

He adds, “My actual role is CI&SO — I’m both the CIO and the CISO for Bugcrowd.” This is important. It highlights a growing tendency to reintegrate IT and security under one position, avoiding the complexities of the CISO reporting to the CIO. The trend is growing, usually with the CISO adding IT to the security remit rather than the reverse, but it still depends on the size and type of company concerned.

Nick McKenzie, CISO at Bugcrowd

It is possible that this is an early sign of a new shift in the role of the CISO. The growth of cloud-first strategies and remote working is reducing the owned IT estate and therefore the reliance on a full-time CIO. At the same time, securing cloud services and a remote workforce increases the importance of the security function.

It still depends upon the nature, size, and operating model of the organization. But these continuous changes in the precise shape of the CISO’s role highlight additional attributes for the modern and future security leader: adaptability, a strong background in computer technology, and an understanding of user behavior.

Building, molding, and managing the security team

A leader can only be as good as the surrounding team. It follows that recruiting and retaining a strong security team is an essential part of the CISO’s role. This is not easy. The ideal candidate has a combination of qualifications and experience, but most newcomers seeking a career in cybersecurity must prioritize one over the other, when neither is easy to acquire.

Most CISOs cut through the issue by bypassing dependency on qualifications and certifications. “I personally have no certifications,” commented Evans. “And I worry that if you always look for certifications it could introduce biases and therefore lack of diversity into your hiring strategy.” Diversity in a security team is another issue that we’ll come back to.

“Certifications cost money,” he continued. “There may be a certain privilege level required for entry to get some of the more grandiose certificates. So, if I’m hiring an individual to make my company safer, I won’t reach out for certifications as my first tool of analysis — I concentrate on what people are able to do, not what they’re capable of demonstrating in a classroom environment.”

McKenzie takes a similar view. “I look for practical talent more than credentials or certifications. We put people through the wringer in testing them on their capabilities for different roles. We go for talent and diversity that is acutely aligned to the role we’re filling. We do hire university graduates, but I prefer to grow from the bottom up and grow talent into future leaders rather than hiring existing mid to senior people with a top heavy perspective.”

In describing what they look for in their security team, both Evans and McKenzie mentioned diversity. Diversity of thought, background, gender, ethnicity, religion, social background, and more is essential in cybersecurity for two reasons: firstly, the global criminal class already has that diversity, and secondly, a diverse security team will bring different approaches to problem-solving. “Diversity is critical,” said Evans. “Diversity of individuals leads to diversity of thinking and stronger results.”

Both CISOs have the advantage of global remote working — they can effectively recruit from any country not subject to sanctions, which automatically increases diversity within their teams. Both also take diversity inspiration from the success of global and diverse crowdsourced ethical hacking, which regularly finds bugs and vulnerabilities that have been missed by companies’ own necessarily less diverse in-house development and security teams.

Recruiting a team is only half the problem — it must be retained. There are two issues here: reward and encouragement, and health. The first is perhaps the easier. The CISO must ensure the correct level of pay and an acceptable career path for team members. The second is more difficult. The very nature of cybersecurity encourages mental health problems in practitioners, and these are harder to spot and more difficult to treat.

Burnout is the headline mental health issue. “Security is a challenging field,” explained Evans. “There’s always something to do, and it’s always pressing and urgent. That’s not unique to security, but security has an added dimension: it’s an emotionally loaded field.” Mistakes can be both personally damaging and costly for the employer — and the pressure is always on.

Prevention is better than cure. It’s more difficult with a remote workforce because it’s more difficult to spot the early signs. Both Evans and McKenzie seek to be proactive with frequent online meetings and gatherings to maintain the human connection, a flexibility in attitude, and the insistence on a reasonable work/life balance. “We try to manage the issue with time-in-lieu or time that can be spent with family to try and just balance that work/life situation,” said McKenzie.

“We don’t want anyone to burn out, including me,” added Evans. He also insists on flexibility so that team members have adequate family time, can make doctors’ appointments as necessary rather than when possible, and “we have digital tools and technologies to ensure that we’re all connecting regularly, meeting people all around the company, including weekly events where everyone shows up — and of course, the occasional in person event.”

Mentoring the team

Mentoring the security team is an important part of being a CISO. Firstly, it improves team expertise, and secondly it encourages individual career prospects — making a good team stronger and keeping the team together and energized. Fundamentally, it comes down to advice. We can glimpse CISOs’ mentoring stance by looking at the advice they received in their own journey, and the advice they would give now.

For Evans, the best advice he ever received was the old classic: know yourself. Applying it to his own career, he expanded, “So if I was to know myself, it would be to know that I just like going and looking into things that seem interesting. The few times in my career that I’ve made choices based on other factors have usually been wrong turns from the path. So, know yourself when making choices. I’ve had a really enjoyable career, and I wouldn’t change anything about it.”

McKenzie said the best advice he received was to hire people smarter than himself (received from his boss at JP Morgan). The advantages are twofold. Firstly, it makes for a strong team, and secondly a bi-directional learning element can strengthen the CISO. “With this approach, you’re not going to lose,” he said. 

When mentoring his own team, Evans adds ‘stay curious’ and ‘stay tenacious’. “Cybersecurity remains a rapidly evolving field,” he said. “Trying to keep up with and ideally stay ahead of technology is hard. So, you’ve got to stay curious about what’s going on. Read things and dive into things that seem interesting; and make sure you’re always diversifying the things you’re exposed to. It will make you better, more experienced, and more capable in what you’re doing.”

For the combination of curiosity and tenacity, he uses a hacking example. “All the best hackers tend to be curious, which means they’re always looking to learn to stay on top of things. But the best hacker is also very tenacious. If you don’t find that bug you were looking for on day one, well, you turn up on day two and try again; and maybe on day three and four. If you stay tenacious, and keep applying your curiosity, you will find things. So, stay curious and stay tenacious.”

McKenzie’s advice is, “Don’t punch for a title — like CISO — just because it sounds good.” You may get there, but equally you may miss something that would be personally more fulfilling. “There are so many routes to becoming a CISO, so explore them all and understand the disciplines that are necessary. People are different. You may find something unexpected that you’re comfortable with and you love. And that would be great.”

An eye to the future

While we’ve discussed the complex aspects of being a CISO, the underlying purpose is simple: to protect the business from cybersecurity threats. Understanding what happened in global cybersecurity last year is useful, but not as important as being able to anticipate, prioritize, and prepare for what is coming. An eye to the future is essential — even if the future is primarily an extension of what is already occurring.

McKenzie focuses on three areas: supply chain attacks, greater use of zero day exploits, and compliance. None are new, but he expects expansion in all three areas. “On the supply chain side, there’s going to be more, and more second, third, fourth party type of attacks to get within an enterprise. Attackers piggybacking off associations, relationships and integrations will persist — it’s just going to become the norm with more high-profile attacks.” 

These attacks will continue to use zero days, and the supply of zero days will continue to grow as business digitization and the commercial adoption of new technologies such as AI expand the attack surface available to threat actors.

His third concern is not new either, but it is rarely expressed so forcefully: compliance is becoming a threat. “Every country is coming out with some new form or derivative of a security notice, and guidelines and new strategies with a new binding, operational directive, and on and on. This creates complexity for the team, particularly if you have a global CISO role. It creates control complexity, much like a pile of spaghetti, where you need to untangle it and then make calls about which controls are essential and more important than others.” Complexity, as we all know, is the enemy of security.

Evans takes a more philosophical view of future threats. “A part of the CISO’s job is always to predict what’s next, what’s coming. Pressed on this, it would be easy to fall back with an answer involving something around AI or some other new technology. But I always answer this consistently: the biggest threat to me and my organization over the next year is the one that comes out of left field and slams us from the side that we weren’t expecting.” The task is to know the unknown, and be ready for the unknown.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
