CIO

CISOs taking a leap of faith

If we're lucky, we'll all have a chance once in our careers to take a risk and use our skills and experience to do something we truly love. Sometimes the career risk is low, but sometimes it's truly a leap of faith, one that offers potentially big rewards along with the risk of major setbacks.

Tammy Moskites took one such leap of faith. The former Time Warner Cable CISO had plenty of experience at traditional enterprises, including The Home Depot, Huntington National Bank, Nationwide and Aetna. And when she got word that there would soon be a major restructuring at Time Warner Cable, she realized that her role as CISO would be eliminated.


Forewarned of her upcoming unemployment, Moskites went on the lookout for new opportunities and decided to do something completely different. During a conversation with Jeff Hudson, CEO at certificate and encryption key security firm Venafi, she floated the idea of moving from being a security executive for an enterprise, the role she had always played, to working on the vendor side of the business. "I know my role is going to get eliminated with the restructuring, and I'm very excited about the opportunity to possibly make a move to the vendor side," she said to Hudson.

"He kind of laughed at me," Moskites explained months after the fact. "And he then asked, 'Are you serious?'"

She was. And Hudson took her up on her offer.

We are seeing more CISOs take chances today, and now that there's near zero unemployment for seasoned security managers, it seems there is plenty of wiggle room for them to do so. Those who have been in security for a decade or more have usually built security programs from scratch. They've helped organizations recover from breaches. They've mentored new professionals. They've seen what works well and what doesn't. And now they are ready to try new things.

Moskites is not entirely new to the vendor side, as she also sits on the board of advisers for Box and Qualys. And if you talk to her for five minutes, you can tell she's not only passionate about the opportunity, but also a believer in the need for more secure treatment and management of certificates and encryption keys.

"Three out of every four organizations don't have security processes in place to manage the SSH keys," she says. "Once these keys are in place, they remain in place forever. It's a huge risk."
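The stale-key problem Moskites describes can be measured on a single host by checking who each key in an authorized_keys file belongs to and whether it carries any restriction or expiry at all. The script below is an added example, not code from the article or from Venafi: it parses each authorized_keys entry (leading options, key type, base64 blob, comment), computes the OpenSSH SHA256 fingerprint from the decoded wire-format blob, and reports keys that are missing from a hypothetical fingerprint-to-owner inventory, carry no from=, command= or restrict option, or have no expiry-time option. The three sample keys and the inventory are constructed for the example and are not real keys.

```python
"""Audit an OpenSSH authorized_keys file against a key inventory (added example)."""
import base64
import hashlib
import struct
from dataclasses import dataclass

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}
# authorized_keys options (see sshd(8)) that limit where or how a key may be used.
RESTRICTING_OPTIONS = {"from", "command", "restrict"}


@dataclass
class Entry:
    options: dict       # option name -> value, or None for bare flags such as no-pty
    key_type: str
    fingerprint: str
    comment: str
    lineno: int


def _split_unquoted(text, on_space):
    """Split on whitespace (on_space=True) or commas that are not inside double quotes."""
    fields, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif not quoted and ((on_space and ch.isspace()) or (not on_space and ch == ",")):
            if buf:
                fields.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        fields.append("".join(buf))
    return fields


def _parse_options(text):
    opts = {}
    for item in _split_unquoted(text, on_space=False):
        name, _, value = item.partition("=")
        opts[name] = value.strip('"') if value else None
    return opts


def fingerprint(blob):
    """OpenSSH-style fingerprint: SHA256 of the wire-format key, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_authorized_keys(text):
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = _split_unquoted(line, on_space=True)
        options = {}
        if fields[0] not in KEY_TYPES:          # entry starts with an options field
            options = _parse_options(fields[0])
            fields = fields[1:]
        if len(fields) < 2 or fields[0] not in KEY_TYPES:
            raise ValueError(f"line {lineno}: not a recognised authorized_keys entry")
        key_type, b64, comment = fields[0], fields[1], " ".join(fields[2:])
        blob = base64.b64decode(b64, validate=True)
        # The wire blob begins with the key type as a length-prefixed string; it must match.
        (tlen,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + tlen].decode() != key_type:
            raise ValueError(f"line {lineno}: key type does not match encoded blob")
        entries.append(Entry(options, key_type, fingerprint(blob), comment, lineno))
    return entries


def audit(authorized_keys_text, inventory):
    """Return (lineno, fingerprint, reason) tuples; `inventory` maps fingerprint -> owner."""
    findings = []
    for e in parse_authorized_keys(authorized_keys_text):
        if e.fingerprint not in inventory:
            findings.append((e.lineno, e.fingerprint, "not in key inventory: " + (e.comment or "<no comment>")))
        if not (RESTRICTING_OPTIONS & e.options.keys()):
            findings.append((e.lineno, e.fingerprint, "no from=/command=/restrict option"))
        if "expiry-time" not in e.options:
            findings.append((e.lineno, e.fingerprint, "no expiry-time option"))
    return findings


# --- constructed sample data (not real keys) ---------------------------------
def _wire_blob(key_type, key_bytes):
    t = key_type.encode()
    return struct.pack(">I", len(t)) + t + struct.pack(">I", len(key_bytes)) + key_bytes


def _entry(key_type, seed, options="", comment=""):
    blob = _wire_blob(key_type, bytes([seed]) * 32)      # 32 filler bytes stand in for a public key
    line = f"{options + ' ' if options else ''}{key_type} {base64.b64encode(blob).decode()} {comment}"
    return line.rstrip(), fingerprint(blob)


_LINE1, FP_DEPLOY = _entry("ssh-ed25519", 1,
    'from="10.0.0.0/8",command="/usr/local/bin/deploy arg one",no-pty,expiry-time="20251231"', "deploy@ci")
_LINE2, FP_ADMIN = _entry("ssh-ed25519", 2, "", "alice@laptop")
_LINE3, FP_ORPHAN = _entry("ssh-ed25519", 3, "", "bob@old-laptop")
SAMPLE_AUTHORIZED_KEYS = "\n".join(["# constructed sample", _LINE1, _LINE2, _LINE3]) + "\n"
INVENTORY = {FP_DEPLOY: "ci team", FP_ADMIN: "alice"}   # bob has left; his key was never removed

if __name__ == "__main__":
    for lineno, fp, reason in audit(SAMPLE_AUTHORIZED_KEYS, INVENTORY):
        print(f"line {lineno} {fp}: {reason}")
```

Run it against a real file with `audit(open("~/.ssh/authorized_keys").read(), inventory)` and the orphaned key stands out immediately; the inventory itself is the part most organisations lack, which is the gap Moskites is pointing at.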

Many of the same motivations inspired Eric Cowperthwaite to recently leave his CISO position at Providence Health and Services to join Core Security as vice president of advanced security and strategy. Cowperthwaite had been CISO at Providence Health and Services for seven years.


"I hope to bring my experience as a CISO to the vendor community, and to instill some sense of the difficulties of the CISO's job and how to best help them and what they're trying to do," he says.

"I think the trend is for more of us, when we find something that we really believe in, to use that as an opportunity to go out and talk to our peers and help educate them about why we are so passionate and how it can help them," Moskites says.

However, Cowperthwaite wasn't completely sanguine about making such a big jump. "I did not want to be perceived as selling out. From my perspective, it's genuinely about finding what I think is a very innovative set of intellectual property that can help drive organizations to a more secure place," he says.

Cowperthwaite was also concerned that he might have trouble getting the ear of the engineering team at Core, which he needs to do to discuss market needs. "Would I actually be able to be a voice of the market into engineering? That's an extremely important thing. Engineering teams are smart as hell, but they rarely, if ever, know what it's like to be a practitioner. I think it's important to rejuvenate vendors with people who know what it's like to be a practitioner," Cowperthwaite says.

None of this surprises Stan Black, CISO at Citrix Systems. Black says that hiring managers' demand for experienced security professionals is quite high. "They're looking for people who have actually made some mistakes and worked in large-scale environments, those that have credibility and can talk about any topic," he says.


And what's in store for those CISOs who decide to move to the vendor side of the industry? Black says their new positions may be quite rewarding, offering many hats that enterprise CISOs don't typically get to wear. And he would know: Black served as CISO at several software and security vendors, including EMC, RSA and Nuance, before joining Citrix this fall.

However, before making his most recent move, Black established a set of criteria for any position he chose. "I knew I didn't want to report to the CIO ever again. And I wanted to join a company that possessed four key traits: They had to have integrity, a positive culture, a heritage in technology, and a strong vision. I love working with technology, personally. It's something I really enjoy and has to be a big part of what I do," he says.

In his position at Citrix, Black reports to the COO, who is also the CFO. "I am truly enabled to do my job. And to put my foot down, when it is appropriate, to protect our company and our customers," Black says.

It's quite a challenge to help Citrix develop its products securely, keep its customers secure and keep the company itself secure, but Black also finds it quite rewarding. "In addition to being the corporate CISO, I provide oversight for Citrix products, where my job essentially is to define one framework and one set of standards and get everybody on board with a common vision," he says.


To achieve these goals, Black says that he has to engage with many aspects of the business, including sales, marketing, internal audit, design, engineering and business leaders. "It's more of a question of who don't I work with," he says.

When it comes to internal Citrix security, Black works closely with the physical security and safety teams. "We're running a converged security program, and the person that runs that, the physical side and the safety side, we're working incredibly well together and we're merging our two worlds together so we have visibility into our entire supply chain: products, services, people and data."

Given CISOs' ability to add value to all those critical areas, it's no surprise to learn security vendors are snapping them up.

"Security companies often don't realize that their products aren't doing what security people need. I have sales people calling me constantly saying, 'This widget will make you more secure. You don't understand how important this is to you.' Most of the time they don't have a clue what is important to me," Black says.

But that's exactly the kind of value that both Cowperthwaite and Moskites hope to provide to their new employers.

"Vendors need to hear the honest truth and help them understand practitioners. They really do. The fact that there's this chasm between vendors and practitioners and nobody trusts each other across this chasm is unacceptable. There is immense distrust across that boundary," Cowperthwaite says. "If I can help them breach that boundary and establish more trust, then I'd consider the mission a success."


Helping to build that trust, both with the vendor community and within the company's own infrastructure, was one of the things that attracted Moskites to her new position--plus she still gets to do what she's always done as CISO. "I am still a security officer at Venafi. I'm still doing the day-to-day securing of the company, writing security policies and procedures, but on a much smaller scale than at Time Warner. But only now as part of my job I actually talk to people about things that I'm passionate about. And that's very cool."

George V. Hulme is a freelance security and technology writer based in Minnesota.