A Career CISO’s 7 Observations on Public vs. Private Sector
How different is being a government Chief Information Security Officer from having the same role in the private sector? A CISO with experience in both worlds offers seven insights.
In my career as a CISO, I have built security programs and teams for the U.S. military and the federal and municipal governments, and I have advised numerous cybersecurity startups. With that said, it’s the last 18 months as the Global Chief Information Security Officer for the cybersecurity company Webroot that I have found to be the most challenging and rewarding.
I knew that in taking this position, I would be stepping not only into a new phase of my career but also into a side of our community many of us don’t see. Having the opportunity to lead an internal security program plus provide insight into product efficacy and review new technologies has been educational. This journey has helped me develop some observations that I find unique to the private sector. Working as a CISO for the federal government and a municipality, I approached each role with a very different mentality from that of a CISO in private industry. I don’t believe that either side is better than the other, just that each requires specific soft skills and experience. The truisms to follow are insights I have collected over the last year and a half and are based on a new appreciation for the dynamic roles CISOs fill today to meet their company’s needs. I had previously thought that no matter where I worked, “cyber is cyber,” and I should be able to build and lead a security program without any significant problems. As you can imagine, it wasn’t that easy, and I found that I needed to adjust how I viewed risk. I needed to make changes in how I aligned my security strategies to support the company; these changes have been crucial for the success of my department and my teams.
Cyber does not equal revenue, but it has value
When working for the government, this was never an issue. Cybersecurity is a directive or an executive order that the organization is mandated to follow. My job as a CISO was primarily chasing down discrepancies and fighting “shadow IT.” I never worried about revenue; we were the government, so funds were always there. Yes, there were years when the budget was lean, but as CISO I was focused on making sure we had the checkboxes on our assessments completed. In private industry, I have found there is this magical word called “revenue.” All companies in the private sector are chasing it, and if your company catches enough of it, then you have room to get things done. Of course, in the private sector as a CISO, you face the truism that you and your security teams don’t generate revenue. However, I advocate continuously that my security program does have value; it's just different from that of a sales team or a software development team. Cybersecurity is all about the management of enterprise risk. The value a CISO and security department provides to the company is the continuous management of this risk so the business units that directly generate revenue can focus on being innovative and helping the company meet its strategic objectives. So my value is risk management as a service: We support the business units so they can focus on what the business needs, and together we are all successful.
Cyber is a continuous service, not a one-off purchase
I have always looked at a cybersecurity program as a long-term investment. In the government, I found that cybersecurity is accepted as a necessity due to the environment being a constant target. As a government CISO, you and your security program are part of the organization's broader mission, but that same organization doesn’t always remember that you need funds to maintain your program. As a government CISO, it was harder to evangelize the need for your security program and the management of risk. At times, it appeared the assumption was, “We have a CISO and security team, so we are secure.” In the private sector, the CISO is more visible than in the public sector. Couple this visibility with the expectation that the security program should enable the business, not get in its way. I found this challenge to be exciting; I approached it with the view that my program and security teams are service-oriented and proceeded to map all the various stakeholders we served as a department and how we helped them and their teams. I used this information to develop a “value story” that I evangelize to my stakeholders, executive leadership and board on how cybersecurity is a continuous life cycle of processes aligned with managing risk and providing resiliency. To be an effective CISO in the private sector, you must get all stakeholders to see the worth of your program, and to do that, you need to understand the business and how you can support it. This is not easy; many see security as the group in the basement that no one talks to and rarely needs. With the risks we face today, this must change. The CISO must be involved, and everyone needs to know their value story.
Corporate culture is an asset, so use it
In the federal government, the various organizations and commands I worked for had long histories of success. Senior government workers were happy to tell you that we had a mission to accomplish — but with that in mind, I never experienced a vibrant business culture. While working for a municipality, there was more of a sense of urgency to serve the local citizens, and many senior employees had the oral history of how things should be accomplished. Both these environments were group-focused organizations that moved slowly and rarely accepted change in large doses. So when I came to the private sector, I was hoping for something very different, and that’s what I found. Over the last year and a half, as I organized and led my security teams, I have had the opportunity to work with many diverse groups. I have found in private industry that corporate culture is very active and moves at a fast pace. I was surprised at how quickly an organization can make changes and realign whole departments or dissolve a department to refocus assets rapidly on a new product or service or to manage an issue. I find this refreshing; as a CISO, the world I operate in moves at a fast pace, so to me this feels appropriate. The task of a CISO in this type of environment is making sure the security program is still relevant after the dust settles from any recent changes. The approach I have used for this is to get actively involved in the changes and to have my teams partner with the groups who are restructuring for new projects. It is better to be part of the process, support it by managing risk and be a member of the team rapidly moving to achieve new objectives.
You need champions; they are your customers
The idea of “champions” for my security program when I worked for the federal government never occurred to me. Cybersecurity was mandated, so everyone had to listen to me (not a very good way to grow a security program). As a CISO for a municipality, no one had to listen to me, but I still was tasked with protecting the organization. In the municipal environment, I found that I needed to meet my peers, better understand their issues and devise plans on how my security program could support them — but they still didn’t have to listen to me. It was this new view of how security should be there to “help” that changed my whole approach to being a CISO. Fast-forward five years to today; as Webroot CISO, I look for champions. These are peers or subject experts who are customers of my department whom we support and, in the process, we are an integral part of their team. As CISO, I believe in supporting teams like DevOps, Operations or Financial Services. I can show them the benefits that security teams provide, and they can be successful and meet their agile goals. To be efficient at this, the CISO must offer services that are needed to help each team achieve its objectives. This approach is providing cyber as a risk-management service: talking to our customers to understand their needs, and then actually providing the service they require. Once completed, we accept feedback to improve our services and train the teams continually. I believe this helps demonstrate the worth of my security program, and my department gets the satisfaction of helping our company accomplish its strategic objectives, which is pretty cool!
Revenue overrides security controls, so a contingency plan is a must
As a CISO in private industry, you continually assess the impact your security program has on the organization and its ability to conduct business. You are aware that any security operations that interfere with revenue are bad — that a mature security program should support operations, not hinder them. This is where having champions is essential; they can help you understand the impact that security controls have on services and help select alternatives so you can still reduce risk without interrupting revenue-generating activities. In the private sector, I have had to adjust to the idea that revenue generation may supersede my security control suggestions, and this is why having a contingency plan of alternate controls is important: It allows you to demonstrate the various avenues you have to manage the company's risk hazards without jeopardizing business opportunities. Having different ways to address identified risks builds trust in my team's ability to remediate concerns. It also provides a proving ground for them to flex and get creative in using policy, processes and technology to look at hazards and think creatively about how they should be managed.
Leadership teams have a sense of immediacy
As a CISO for more than a decade, I have presented to executive teams consisting of admirals, mayoral staff, city council members, CEOs and corporate board members. My discussions with federal and municipal leadership teams were very similar. We had issues that needed to be addressed, and my security program was required to manage them. However, whether we would have the budget to handle those issues was vague, and it became a wait-and-see approach because other problems were of a higher priority. As a CISO in government, you got used to being at the back of the line and getting creative in how to solve problems, because at the end of the day, the mission and need for security were still present. In private industry, the discussions with leadership and the board are more immediate, and the ability to make a change and respond to hazards can be just as fast. To me, these discussions are refreshing because I can describe my company's current security state and the initiatives I propose to address any immature issues. In these discussions, I can get immediate feedback on ways that I have selected to move forward. Of course, as the CISO, I now must execute my plans and provide data showing that the expenditure of resources aided the company — or have a good reason why it didn’t. The ability to make a change and be held accountable is very immediate on this side of the cybercommunity, which I believe to be a good thing.
Be willing to compromise; small wins are fantastic
In government, much of the organization is aligned in units that sometimes don’t work well together. That is unfortunate, because cybersecurity is not a field intended to be stand-alone; it’s a field of multiple domains of skills and technology that touches all divisions, departments, business units and teams. As a government CISO, I operated with a mandate to make sure all employees were following the security directives assigned to the command. There was little room for negotiation; you were either compliant, or you were on a list. As a municipal CISO, I found that approach was a nonstarter because nobody really had to listen to you. I didn’t have the “mandatory directive” stick with which to drive compliance; I instead had to become an advocate for why following security was good for the organization and why compliance provided better services to our citizens. In private industry, I have taken that approach a step further: I have put compromise and collaboration in my CISO toolbox and use them when working with peers. In a government setting, when I was dealing with my command’s risk, it was a black-and-white approach: you were compliant, or you were not. In the private sector, I find the risk picture is grayer because companies have more room to accept their risk and take advantage of opportunities. This view allows me as the CISO to collaborate with my peers and come up with ideas to solve problems. I find I can accept not getting everything I want for my security program; I can take small wins as long as the risks are understood and we as a team accept them and move forward. Having this flexibility allows CISOs to create mature security programs that address the needs of their company.
The last year and a half has been fantastic; I am enjoying working in a cutting-edge environment with three amazing teams. There are not many CISOs that have this type of opportunity, so I am acutely aware of how blessed I am to be here, and I learn something new every day.
I know many CISOs on the government side who may never have a chance to cross over, and I wanted to show them that there are many similarities in our roles. I would urge them that, if they’re given a chance for professional growth in the private sector, they should jump in and go for it. As a community, we need more people to accept new roles and grow professionally. This growth allows room for individuals to move up and take their first CISO opportunity.
Gary Hayslip is vice president and chief information security officer for Webroot and, with partners Bill Bonney and Matt Stamper, co-authored the CISO Desk Reference Guide Volumes 1 & 2.