Security Vendors Need CISOs Too!
I remember saying those words at a security conference several years ago. I was sitting with peers, and we were discussing recent moves within the security community by vendors. One of them asked whether, as the current CISO for Webroot, I considered myself a real CISO. Of course, I was shocked; what do you mean, did I consider myself to be a real CISO? Did I no longer qualify as a senior security professional because I now worked to protect a cybersecurity vendor? Was I now a fake CISO?
At the time of this conference, I was working for a security vendor that counted a large part of the SMB and MSP market as customers for its various security products and services. My job initially was to build, manage, and lead the Office of the CISO and its teams. However, over time that job would change as I assumed other duties and worked with Operations, Dev, Engineering, Marketing, Sales, and Product Development. Of the five CISO roles I have served in over my career, the 2.5 years with Webroot were some of my best professionally, as I stretched to understand and support a fast-growing, innovative cybersecurity company. This diverse experience provided business insight I rarely achieved in my other roles, and I found that it matured my view of how to develop and lead corporate-focused security programs. To make my case for why I believe accepting a role as CISO for a security vendor is just as challenging and rewarding as one at a non-vendor, I will describe some of the experiences and challenges I discovered while serving as the Global CISO for Webroot Software.
1. Security Vendors are just another business — As the CISO at Webroot, I would, at times, have to justify to my peers why I accepted my CISO role. The view from many was that it was a lesser job, that it was beneath my capabilities, and that I wasn’t working as a real security leader. Of course, nothing could be farther from the truth. Security vendors are just like any other product/brand-related business. They make mistakes and don’t follow basic cyber hygiene like other companies, and they need someone to keep them honest. I feel security companies need a CISO and security program even more than other companies, precisely because the nature of their business is security, so they should be setting the example and doing it correctly. As the CISO for Webroot, when I worked with auditors for our ISO 27001 certification, they didn’t tell me, “We are going to give you the benefit of the doubt about your controls because you are a security vendor.” I felt they looked harder and expected us to be a standard for our community, and honestly, I was ok with that scrutiny because of my next point, brand.
2. The Importance of Brand — One of the first lessons someone learns when working for a product company is the importance of brand. This lesson is even more impactful when it’s a cybersecurity company. As the CISO for Webroot, I learned that because of the brand and how customers perceive it, I couldn’t purchase specific products or services if they came from competitors — even if they were my first choice. I also learned that my reputation as a security professional was now associated with the company and its products. In effect, I became part of the brand, and because of this association, I was expected to use my company’s products within my evolving security stack. One last point explains how critical a brand is to cybersecurity companies: if a security company has a breach, the effect on the brand and on business operations can be substantial. Now I know everyone says incidents happen, and no one is one hundred percent effective. However, that is the standard security companies are held to; the stress on a security vendor’s CISO is pretty intense, and there are no margins for error.
3. Business Context is Critical — As with any organization, understanding how it runs and what data, services, technology, and people are critical for business operations is crucial for a CISO and security team to be effective. This insight is even more essential because of the impact the security program may have on current product sprints and production schedules. To build trust with the various product development teams and the departments that generated revenue for the company, I had to engage them and be open to their ideas. Working at a security vendor where many of the software development team members conduct security research and are incredibly knowledgeable about security topics is challenging, and I didn’t always like their ideas. However, if you expect to operate in this type of environment and grow your security program, you must build partnerships with these business units and their teams. While I was the CISO at Webroot, I felt these relationships paid dividends for my security program because their knowledge of the business helped tune my security controls for maximum coverage with minimal disruption. The critical concept to remember here is that even though I worked for a security vendor, it was still like any other business. As the CISO, I was required to understand my organization’s business/operational risks, assess and document immaturities, prioritize the findings, and finally partner with stakeholders to remediate and monitor the results without adversely impacting the business.
4. Product Research and Marketing are Fascinating — Working for a security vendor as the CISO, your customers expect you to use your own products, in effect, to eat your own dog food. There were numerous times I felt my security program and its teams were lab rats for testing a new feature or the beta version of a new service. All I can say is, as the CISO, this commitment is expected of you, you get used to it, and through experience you begin to accept some disruption to current projects and initiatives. Once you embrace the fact that you and your security stack are part of the product team’s research and marketing outreach to customers, it becomes exciting. I enjoyed the process because I felt my teams and I were providing data and feedback that helped the company and its customers. It was refreshing to have some input into how they built a better security mousetrap. Honestly, that is an opportunity many CISOs wish they could have: to work with product teams and help create something that works. Now couple that product development experience with assisting the Marketing team in developing ideas for evangelizing how the product can help customers, and you are having even more fun. As a CISO for a security vendor, this knowledge about products and the importance of marketing helps you grow professionally as an executive and provides a broader understanding of how your security program serves the company. I truly enjoyed the experience and, to this day, look for opportunities where I can partner with vendors and continue to help tune our community’s security ecosystem.
5. Sales and Speaking with Customers — This is an opportunity many CISOs don’t get unless they work for a product company: working with Sales teams and speaking with customers. During my time at Webroot, I reported to the CFO and was part of the C-Suite. To me, the experience was enlightening, as I had a front-row seat to observe how a company was run. I got to watch sales meetings, and I developed a significant respect for the people who work in what I believe is one of the hardest jobs on the planet. At times I would partner with Sales teams when they were at conferences or speaking to customers. I honestly think I was just a pretty face because they did all the work; they were terrific. In speaking with customers, I was privileged to hear how many of our MSP and MSSP customers were using our products to solve problems, and I had the opportunity to bring ideas from them back to our product development teams. I found that this product-marketing-sales-customer lifecycle gave both me and my team a deeper understanding of our mission to protect Webroot and a more profound respect for the non-security teams who were our partners.
6. M&A and the Board’s Final Say — My final experience, while not unique to security companies, was that of my company being acquired. As the CISO, I was tasked with assisting in the due diligence of the acquisition, a process very similar to the one followed by non-vendor companies. This M&A project required me to meet with the acquiring company’s security leadership team. In those meetings, senior members of both organizations discussed the security architectures, binding regulations/laws, and current projects. I presented Webroot’s recent ISO 27001 certification and its ongoing initiatives to remediate several findings. By the end of three months’ work, I was able to see the whole process of how my company was acquired, and unfortunately, I found out the new board had selected to keep their young CISO — ongoing relationships trump 15 years of experience. A final key point to remember is that boards have the final say; you may want to argue your case, but they will do what they feel is best for the business, so be professional and move on to your next role.
As we finish our discussion, I think it’s essential not to segregate the men and women who serve as CISOs into specific business or vendor types of security leaders. Cybersecurity, its lifecycle, and many of its fundamental concepts and best practices are relatively the same no matter the industry, country, or organization. Now I am not so naive as to suggest there are no differences in laws, regulations, scale, or culture that impact CISO roles. However, many of the threats, business risks, and challenges CISOs face are relatively the same, such as lack of funding/resources, recruiting and retaining quality teams, and executive sponsorship, to name a few. It is my hope that in describing the various experiences of my position at Webroot, our community gains a better understanding of those who serve in security roles at vendor companies and realizes we are all security professionals.
In closing, I will state for the record that I feel there are no real or fake CISOs; there are just professionals who step in to lead, and I wish them and their teams luck and much success. With that, I am going to open it up to our community. I am interested to hear about other unique security experiences that are vendor-related.