Of all the C-suite roles, few have risen in importance over the past decade more than the chief information security officer (CISO): this role has moved from being part of the C-suite in name only to being a critical member of the executive team as more and more cybersecurity attacks have compromised major companies. Your CISO fights on the front lines against ransomware attacks, bears responsibility for data security amid tightening regulations, and serves as the key defense against some of the biggest existential threats your company faces.
Because this role can oversee such a broad range of functions—including risk, compliance, legal, privacy, data security, and more—one of the biggest questions CEOs have about this role is: to whom should it report? While the best reporting structure for a given company will depend on the specifics of their business, as this role has become more important, we’ve generally seen CISOs hired earlier and reporting higher up in the organization.
The best CISOs situate security as an enabler, rather than a blocker, of the company’s work. They also translate security priorities and threats into terms that executive leaders, boards, and employees can all understand. This makes it easier for the company’s leaders to prepare for shifts in the regulatory landscape and control the risk around employees, who are almost always the biggest security risk at a company. Where there is a breach, the CISO will need to manage not just the legal, security, and compliance risks that it poses, but also the risk to the brand in the court of public opinion. The public’s perception of how a CISO handles a breach can often be as important as how they actually handle it.
Like the best general counsels, the best CISOs also calibrate their risk tolerance to the business needs of your company. CISOs usually get only 1–2 “veto cards” a year when advising the executive team on security matters. The rest of the time, they need to find a way to make the secure route the easiest route forward.
Many growth-stage companies will have a vice president of information security—or something similar—in their engineering org as they’re scaling. These leaders build out the security team while also rolling up their sleeves and building some of the security architecture themselves.
Eventually, however, the engineering department won’t be able to address all the security needs as the company scales and will need to focus on product. There are a few signals that companies need to hire a CISO:
We discuss writing a mission–outcomes–competencies (MOC) document in greater detail in The Hiring Process.
Any all-star CISO will:
A world-class CISO of a large company might manage all of the following functions:
Once you have a clear idea of your specific business needs, you’ll want to focus on hiring a CISO who has the background and skill set to best address those needs. Below, we break down 2 broad types of CISOs that we see in the market: the enterprise CISO and the consumer CISO. Remember, these archetypes are helpful ways to match your needs with a candidate’s skill set. They’re not hard-and-fast rules, however, and it’s more important that you hire a CISO whose expertise aligns with the goals of your company.
Enterprise companies operating at scale typically have more complex IT infrastructures, compliance requirements, and technology stacks than their consumer counterparts, which requires a CISO to implement and oversee a more robust set of departments and processes to manage these functions.
Often, these enterprise CISOs have a background either in engineering at a tech company or in risk management or security at a tech company or consultancy. This allows them to come in, build a security program, and then represent that program out in the world to help drive sales.
Since the emergence of cloud computing, enterprise companies need to validate the security of their software to potential customers. As a result, many enterprise CISOs have taken on a business-enablement function: they understand how building a great security program helps their company scale, and they integrate security as a key offering of their company’s product. Often, these CISOs are product-focused or own features or parts of products and speak to customers.
Unlike their enterprise counterparts, consumer CISOs don’t often interface with customers and chiefly focus on protecting sensitive customer data in compliance with major regulations, like GDPR. CISOs at consumer companies also navigate security breaches more frequently than their enterprise counterparts. Often, these threats are not significant from a security point of view, but they can still severely impact trust with customers. Consumer CISOs partner extensively across the org, working together with public relations and communications to manage reputational and brand risks, and with IT and engineering to reduce the amount of data necessary to run the product and company.
Like enterprise CISOs, consumer CISOs also typically have a background in engineering or security and have a demonstrated aptitude for handling external messaging for breaches.
We cover best practices in The Hiring Process, but we’ve included some recommendations below for what different members of your executive team may want to focus on when interviewing engineering leaders.
Behavior-based interviews are among the most useful ways to assess a CISO candidate. It’s useful to evaluate their experience with creating a security-forward culture, as well as with handling security breaches. These responsibilities are fundamentally cross-functional: creating a security-forward culture requires buy-in from everyone at the organization, while breaches are among the very few occurrences that bring together an entire company. Understanding how a candidate has proactively built a solid security feature, and dealt with it when it’s failed, is the key to understanding how that executive will build the corresponding infrastructure at your company.
Building a security-first culture often places the CISO in an adversarial position with respect to their peers, mostly because they’re asking their fellow executives to do things they don’t want to do, like comply with certain regulations. CEOs and other interviewers should assess how the candidate partnered with other leaders and teams to develop an effective risk-mitigation strategy, whether they implemented compensating controls (i.e., safeguards), and whether they acted as part of the company. If your candidate says that they threatened to resign at the first sign of resistance and demonstrates throughout the interview process that they don’t accept resistance as part of the job, that’s a red flag.
When a large-scale breach occurs, it plays out in two dimensions: legally, and in the court of public opinion. How did the candidate respond to a past breach? What was the outcome?
A common failure mode for CISOs is breaking things in order to fix them. We recommend digging deeper into self-described “hacker” candidates. Are they team-oriented, collaborative, and willing to compromise?
Because the CISO can own so many different functions, we’ve seen companies take diverging approaches to its structure in the organization. Some break the role apart and align its different responsibilities to various parts of the organization. Application security experts may report to the CTO, for example, while a more narrowly focused CISO may report to IT for corporate security, and privacy and compliance may report to legal.
Other organizations have a centralized security team, with the CISO reporting directly to the CEO. We’ve seen this in larger organizations where the CISO is managing the risk appetite of the entire organization and is less involved in embedding security into the engineering org.
There’s no “correct” reporting structure for CISOs, but it is the CEO’s job to connect them to the right power centers to succeed. Most candidates will likely want to report to the most senior executive possible in order to ensure that they have the latitude they need to operate effectively. So regardless of where you have the CISO report, communicate the structure clearly to your candidates when they’re interviewing.
Thanks to Zane Lackey and Phil Venables for contributing their hard-earned wisdom and expertise to this guide.
We’ve drawn insights from some of our previously published content and other sources, listed below. In some instances, we’ve repurposed the most compelling or useful advice from a16z posts directly into this guide.
The Chief Security Officer In (and Out of) a Crisis, a16z podcast with Joel de la Garza, Joe Sullivan, and Das Rush
Migrating data to the cloud has expanded the responsibility of CSOs and CISOs and given them a seat at the boardroom table. In this podcast, we sit down with former CISOs and CSOs from Box, Cloudflare, Facebook, and Uber to discuss crisis management, SaaS and cloud vendor responsibilities, and how the role will change and evolve over the next 5 years.
2020: Why a Bad Year was Good for Security, Joel de la Garza
On its face, 2020 was a down year, but not for security. Remote work and economic uncertainty accelerated some security trends. Here, de la Garza highlights the latest trends in security technology and teams, as well as rising threats that any CISO should be prepared for.
Security When the Workforce is Remote, a16z podcast with Joel de la Garza and Das Rush
When there’s no longer a gap between work and life, security professionals must be prepared to protect the company, its assets, and its data. In this episode, de la Garza breaks down the current security risks, how to defend against them, and the broader security shift taking place.
The Reporting Line of Security Teams/CISOs, Phil Venables
Companies can’t expect one leader to shoulder the entire weight of its security practice, which means the CISO’s reporting line may not matter as much as you might think. Here, Venables discusses 2 very distinct archetypes to help you better define the type of CISO you might be looking for, and how that affects and informs their reporting line.
CISO: Archeologist, Historian or Explorer?, Phil Venables
To minimize dependencies in your application stack, your CISO must have the right skills to discover them and modernize your application architecture to ultimately reduce dependencies. This requires your CISO to do an insanely deep dive into your company’s tech stack.
Cybersecurity in the Boardroom vs. the Situation Room, a16z podcast with Sonal Chokshi, David Damato, Herb Lin, and Matt Spence
Are you focusing too much on the worst-case scenario, or are your efforts better spent focusing on basic metrics and security hygiene? In this podcast, experts share their views on the term “cybersecurity” and offer practical advice for security in the boardroom.