Director of Investments
While Chief Information Security Officers have an increasingly well-respected role within an enterprise, they are stuck in a perpetual game of tag and can never become "it." A CISO's best day is a quiet one, but given the preponderance of hacker penetration on every major network, those days are few. While CISOs, and others in cybersecurity, recognize the Sisyphean nature of their cyber-rock-rolling profession, the broader community has still not accepted the battle itself as the victory. According to the Ponemon Institute, the average tenure of a CISO at any given organization is just over two years (a dated figure, and one that is declining). It is a tough, highly compensated job, but the attrition rate tells a tale of mismatched expectations.
The result of this CISO movement, and the cross-pollination across organizations that comes with it, is not all unhealthy; surprisingly, it carries the seeds of opportunity. It is exactly the movement of CISOs from place to place that creates the friction and dynamism needed to push innovation and technology forward. As many a salesman understands, there is no better time to pitch a new technology to a large organization than when someone in leadership is new to the job. The CISO, in this case, is tasked with building, changing or managing a security stack (remember, they are there because someone else was ousted). The motivation is to bring in new, exciting products and strategies that take the organization in a new security direction. In the space created by the desire to change an infrastructure and to use cutting-edge technology, there exists an environment that is fertile for new technologies to take root in the established "Fortune X" network. At SCV we have noticed this trend to be especially true of the bleeding-edge tools we have identified for use in intrusion suppression. The CISO can rightly propagate the assumption that hackers are already on the network and use an advanced suite of tools to track and deceive that intruder. If the CISO becomes a champion of a product, it gets deeply ingrained in the security stack, and the success of the small start-up company becomes intertwined with an important, visible person. With the championing of a visible, if not vocal, security professional, it becomes easier for that start-up company to sell into more environments; the upward-spiraling prophecy fulfils itself.
For the CISO, it is movement that greases the wheels of innovation. There are, too, more stable and reliable methods of getting new-though-less-tested products into flagship accounts. To understand this, it is important to understand the role of law (and compliance with it), rather than of technological best practices. Within every large organization there is a set of people who, like the CISO, attempt to keep their organization out of the news. Compliance officers, risk officers and legal counsel are each, in their own ways, securing a company's network from damage or penalty. What makes these officers different is that they each have observable, discernible metrics for success. Whether it is the FFIEC information security framework, ISO, NERC, NIST 853, RFC, ISA, IEC, IASME, or any of the many other compliance frameworks that exist, there are discrete checklists of requirements that certain technologies or services can address. To be compliant and to be safe are related, though markedly different. If a technology professes to tick a box, it becomes an attractive tool to this more stable class of executive. Network penetration testing became mandatory for financial services institutions, and now whole services industries are stood up to comply. Threat intelligence feeds have become a commodity because those subscriptions are no longer luxuries but necessities. For those with defined and enumerated metrics for success, attrition is lower. To sell new technologies to these stable pillars within an institution, the process is about framing a solution in terms that address requirements. Or, of course, having a say in rewriting the frameworks altogether.
Being an investor in cybersecurity technology is only helpful, and success is only possible, if there is reciprocal investment by the users, implementers and cyber-operators within the customer networks. When the investor's vision aligns with the implementer's vision, and when incentives converge, there is growth and advancement in cybersecurity.