When and Why It Makes Sense
As the CISO role matures in enterprise settings and security executives level up their position from technology managers into more well-rounded risk advisors and business leaders, career progressions are changing. CISO is no longer the final executive destination for folks today, as security leaders seek to parlay their growing set of business skills into a broader class of executive positions in the C-suite.
Some of the obvious pivots by CISOs have been into chief risk officer (CRO) and chief information officer (CIO) roles. Another increasingly common shift has been into the chief technology officer (CTO) position. With the drumbeat growing in both security and board-level business circles for secure-by-design in software engineering, product development, and technology architecture, filling CTO positions with former CISOs is looking like a great bet in the right circumstances.
While there’s not yet any statistical backing to prove out the trend, anecdotal evidence is mounting, with companies like 20th Century Fox, Bank of America, and Fifth Third Bank elevating their CISOs to CTO roles in the past couple of years. This is also the path taken by credit reporting giant Equifax, which a couple of months ago elevated its CISO Jamil Farshchi to a joint CTO & CISO position.
For his part, Farshchi says the transition was a gimme for both him and his employer of over six years. A veteran CISO with stints at The Home Depot, Time Warner, Los Alamos National Laboratory, and NASA, among others, Farshchi came to Equifax in the wake of its massive 2017 data breach. He was tasked with helping to effect deep organizational and technology changes, not only to bring about a security program transformation but also to support the business in its digital transformation efforts.
“In my capacity as CISO, my team and I have been deeply engaged in technology from the get-go. And because of the way the reporting line’s structured, I’ve been reporting to the CEO the entire time,” he explains. “So, fast-forward to a couple months ago when our previous CTO departed—he took another opportunity to become CEO at another company—I was asked to step in and take the reins for technology and expand my role into this space as well.”
CISOs Have CTO-Applicable Skills
Even before the Equifax promotion presented itself, Farshchi says he’d witnessed evidence of similar transitions happening across the security community. Not only has he seen friends move from CISO to CTO or head-of-product-type positions—he’d also fielded feeler queries from CEOs and recruiters asking whether a CISO could make sense for CTO roles. In his opinion, that’s an unequivocal ‘yes.’
“A lot of the behaviors, a lot of the practices, a lot of the skill sets, the strategic thinking and so forth, that one needs to be successful in technology as a CTO are also the exact same qualities that one needs to be successful in security today,” he explains.
This is a sentiment shared by many in the security and technology leadership community today. According to Bob Zukis, a longtime cybersecurity and executive development expert who runs the Digital Directors Network, enterprise CISOs—the ones who are true business leaders rather than elevated tech practitioners—are a well-rounded bunch and many of them would be ready to hit the ground running with a transition to CTO.
“A lot of the CISO job naturally translates to a CTO role, from the strategic to the operational. They’re used to working cross-functionally, they’re used to working across the organization from a risk perspective. They’re used to operationalizing technologies. They deploy a lot of innovative technologies from a security function,” he says. “It’s just the context now changes to starting to select and deploy strategically technologies from a value-creating orientation as opposed to a value-protection orientation.”
Cross-functional expertise and experience are among the biggest benefits CISOs bring to the table as CTO candidates, says Randy Watkins, CTO of MDR provider Critical Start. CTOs usually cross a lot of domains and deal with a lot of complicated relationships between engineering, product teams, business groups and so on, whether they’re bringing tech-enabled products to the market or just supporting a lot of internal customers and business groups with business-facing applications and platforms.
“The CISOs have had to be cross-functional because they didn’t have their own budget, they didn’t have enough headcount,” he says, explaining that the CISO has to work with other IT groups, business groups and executive stakeholders to get things done and get security initiatives to stick. “So cross-functional is definitely a must-have strength of a CISO, and that’s a strength for any senior leader in an organization. It really kind of unlocks a pretty high ceiling.”
While he wasn’t himself a CISO, Watkins came from a security background and was a director of security architecture before moving into his role at Critical Start. Since the company is a security firm, his transition a few years ago was a very smooth one. Even so, he felt he has had to stretch and grow with regard to his skills and knowledge around product management—an area that some CISOs may similarly need to brush up on in order to successfully navigate a CTO position.
“The biggest learning curve was trying to understand the product management life cycle, understanding agile, understanding waterfall, the benefits and drawbacks to each one of those,” he says. “Really building out timelines and deadlines and understanding sprint cycles and release dates and release kind of cadences, that was a pain. And I feel like that’s a lifelong learning process.”
Watkins says as CTO of a security firm, he is still pretty well connected to friends in the CISO community. He says the good thing that this cohort has going for them these days is that they’re increasingly becoming a lot more product savvy, which would help many of those who hope to vie for CTO slots in the future. He says this savviness has evolved for two reasons.
“One, because they’re usually getting pinged for consulting and getting pulled in by the VCs and the PEs to talk about their latest and greatest technology,” he says. “And, two, because they have to talk to manufacturers like us and they want to understand where our product cycle is falling in place and how they can interject more value into building our business. That does a lot to shift the flexibility and mobility of that CISO role.”
Security-Focused CTOs Support Secure-by-Design
Perhaps the best benefit CISOs bring as CTO candidates, however, is the risk management mindset they carry into the innovation cycle.
“It would definitely escalate the security conversation earlier in the innovation life cycle, which I think would be a very, very good thing,” says Zukis.
Watkins agrees wholeheartedly.
“I love any position where a security-oriented person moves into it because they bring an inherent knowledge and thought process around security—even when it isn’t a C-suite position but just a security person moving into a non-security role,” Watkins says. “It’s effective at intertwining the thought process of security in every little facet that they move into.”
This could do huge things for secure-by-design initiatives, which are often hung up by culture and incentive issues more than anything else. A security-veteran CTO is much more likely to be intrinsically motivated to create better incentives for the engineering team to develop and create secure products out of the gate. More critically, a former CISO is more likely to be aware of the potential risks that a new product or platform would introduce at the earliest stages of planning.
“I think the secure by design should be benefited greatly from any organization that chooses to make a security person become their CTO,” Farshchi says. “They are going to have a strong eye on security and building it in from the get-go instead of the rush and bolt later on.”