Of all the C-suite roles, few have risen in importance over the past decade more than the chief information security officer (CISO): this role has moved from the C-suite in name only to a critical executive team member as more and more cybersecurity attacks have compromised major companies. Your CISO fights on the front lines against ransomware attacks, bears responsibility for data security amid tightening regulations, and serves as the key defense against some of the biggest existential threats your company faces.
Because this role can oversee such a broad range of functions—including risk, compliance, legal, privacy, data security, and more—one of the biggest questions CEOs have about this role is: to whom should it report? While the best reporting structure for a given company will depend on the specifics of their business, as this role has become more important, we’ve generally seen CISOs hired earlier and reporting higher up in the organization.
The best CISOs situate security as an enabler, rather than a blocker, of the company’s work. They also translate security priorities and threats into terms that executive leaders, boards, and employees can all understand. This makes it easier for the company’s leaders to prepare for shifts in the regulatory landscape and control the risk around employees, who are almost always the biggest security risk at a company. Where there is a breach, the CISO will need to manage not just the legal, security, and compliance risks that it poses, but also the risk to the brand in the court of public opinion. The public’s perception of how a CISO handles a breach can often be as important as how they actually handle it.
Like the best general counsels, the best CISOs also calibrate their risk tolerance to the business needs of your company. CISOs usually get only 1–2 “veto cards” a year when advising the executive team on security matters. The rest of the time, they need to find a way to make the secure route the easiest route forward.
Many growth-stage companies will have a vice president of information security—or something similar—in their engineering org as they’re scaling. These leaders build out the security team while also rolling up their sleeves and building some of the security architecture themselves.
Eventually, however, the engineering department won’t be able to address all the security needs as the company scales and will need to focus on product. There are are few signals that companies need to hire a CISO:
- The market pulls you. Enterprise companies will have a harder time landing bigger deals, because they don’t have the appropriate security certifications and prospects don’t feel comfortable giving them their data. When this happens, they’ll need someone to build out security functions as part of their core offerings. Consumer companies handling sensitive data—such as consumer fintech companies—will also likely need someone to coordinate security and compliance functions to manage and protect that data in order to win the trust of their customers.
- You’re preparing for an IPO. All companies preparing for an IPO need to designate a CISO who can implement the right IT controls, risk assessment, compliance testing, audit trails, and reporting functions in compliance with the Sarbanes-Oxley Act. This is typically when consumer companies handling non-sensitive data bring on a CISO. As we’ve mentioned, different companies organize security, risk, and compliance differently, but this executive typically is responsible for some critical element of this work.
Writing the MOC
We discuss writing a mission–outcomes–competencies (MOC) document in greater detail in The Hiring Process.
Any all-star CISO will:
- Run to fires and minimize damage
- Develop a detailed understanding of your company’s information security architecture and its dependencies
- Work cross-functionally across the company to implement key information security protocols that preserve the digital health and safety of the company
- Maintain a great customer experience while protecting customer data
- Ensure security objectives are sufficient to mitigate evolving risks
A world-class CISO of a large company might manage all of the following functions:
- Security engineering
- Application security
- Security operations
- Governance risk and compliance
- Privacy engineering
- Business information security
- Security product features (if at an enterprise company with a security SKU)
- Physical location security
- Emergency response
Archetypes and backgrounds
Once you have a clear idea of your specific business needs, you’ll want to focus on hiring a CISO who has the background and skill set to best address those needs. Below, we break down 2 broad types of CISOs that we see in the market: the enterprise CISO and the consumer CISO. Remember, these archetypes are helpful ways to match your needs with a candidate’s skill set. They’re not hard-and-fast rules, however, and it’s more important that you hire a CISO whose expertise aligns with the goals of your company.
The enterprise CISO
Enterprise companies operating at scale typically have more complex IT infrastructures, compliance requirements, and technology stacks than their consumer counterparts, which requires a CISO to implement and oversee a more robust set of departments and processes to manage these functions.
Often, these enterprise CISOs have a background either in engineering at a tech company or in risk management or security at a tech company or consultancy. This allows them to come in, build a security program, and then represent that program out in the world to help drive sales.
Since the emergence of cloud computing, enterprise companies need to validate the security of their software to potential customers. As a result, many enterprise CISOs have taken on a business-enablement function: they understand how building a great security program helps their company scale, and they integrate security as a key offering of their company’s product. Often, these CISOs are product-focused or own features or parts of products and speak to customers.
The consumer CISO
Unlike their enterprise counterparts, consumer CISOs don’t often interface with customers and chiefly focus on protecting sensitive customer data in compliance with major regulations, like GDPR. CISOs at consumer companies also navigate security breaches more frequently than their enterprise counterparts. Often, these threats are not significant from a security point of view, but they can still severely impact trust with customers. Consumer CISOs partner extensively across the org, working together with public relations and communications to manage reputational and brand risks, and with IT and engineering to reduce the amount of data necessary to run the product and company.
Like enterprise CISOs, consumer CISOs also typically have a background in engineering or security and have a demonstrated aptitude for handling external messaging for breaches.
Sample MOC
Setting up your CISO for success
We cover best practices in The Hiring Process, but we’ve included some recommendations below for what different members of your executive team may want to focus on when interviewing engineering leaders.
How have they built a security-first culture?
Behavior-based interviews are among the most useful ways to assess a CISO candidate. It’s useful to evaluate their experience with creating a security-forward culture, as well as with handling security breaches. These responsibilities are fundamentally cross-functional: creating a security-forward culture requires buy-in from everyone at the organization, while breaches are among the very few occurrences that bring together an entire company. Understanding how a candidate has proactively built a solid security feature, and dealt with it when it’s failed, is the key to understanding how that executive will build the corresponding infrastructure at your company.
Building a security-first culture often places the CISO in an adversarial position with respect to their peers, mostly because they’re asking their fellow executives to do things they don’t want to do, like comply with certain regulations. CEOs and other interviewers should assess how the candidate partnered with other leaders and teams to develop an effective risk-mitigation strategy, whether they implemented compensating controls (i.e., safeguards), and whether they acted as part of the company. If your candidate says that they threatened to resign at the first sign of resistance and demonstrates throughout the interview process that they don’t accept resistance as part of the job, that’s a red flag.
How did they manage a breach?
When a large-scale breach occurs, it plays out in two dimensions: legally, and in the court of public opinion. How did the candidate respond to a past breach? What was the outcome?
- At a high level, the CEO will want to hear a strong diagnosis of a problem, a well-laid out strategy for addressing that problem, and clear evidence that the CISO can partner with other teams to execute on that strategy.
- Engineering and product leaders will want to hear your CISO candidate point to examples of applying Dev(Sec)Ops approaches or site-reliability engineering approaches to a breach. How do they get results even when there’s conflict?
- PR and communications leaders should pay attention to how the candidate comports themselves and the language they use. A big part of a CISO’s job is to communicate clearly and effectively, in a way that keeps stakeholders and customers calm. Think: does this person communicate in a way that makes me feel informed and equipped to address a crisis? Can I trust this person to give me the information I need to do my job?
Can your candidate work collaboratively?
A common failure mode for CISOs is breaking things in order to fix them. We recommend digging deeper into self-described “hacker” candidates. Are they team-oriented, collaborative, and willing to compromise?
Who will they report to?
Because the CISO can own so many different functions, we’ve seen companies take diverging approaches to its structure in the organization. Some break the role apart and align its different responsibilities to various parts of the organization. Application security experts may report to the CTO, for example, while a more narrowly focused CISO may report to IT for corporate security, and privacy and compliance may report to legal.
Other organizations have a centralized security team, with the CISO reporting directly to the CEO. We’ve seen this in larger organizations where the CISO is managing the risk appetite of the entire organization and is less involved in embedding security into the engineering org.
There’s no “correct” reporting structure for CISOs, but it is the CEO’s job to connect them to the right power centers to succeed. Most candidates will likely want to report to the most senior executive possible in order to ensure that they have the latitude they need to operate effectively. So regardless of where you have the CISO report, communicate the structure clearly to your candidates when they’re interviewing.
Thanks to Zane Lackey and Phil Venables for contributing their hard-earned wisdom and expertise to this guide.
Further reading
We’ve drawn insights from some of our previously published content and other sources, listed below. In some instances, we’ve repurposed the most compelling or useful advice from a16z posts directly into this guide.
The Chief Security Officer In (and Out of) a Crisis, a16z podcast with Joel de la Garza, Joe Sullivan, and Das Rush
Migrating data to the cloud has expanded the responsibility of CSOs and CISOs and given them a seat at the boardroom table. In this podcast, we sit down with former CISOs and CSOs from Box, Cloudflare, Facebook, and Uber to discuss crisis management, SaaS and cloud vendor responsibilities, and how the role will change and evolve over the next 5 years.
2020: Why a Bad Year was Good for Security, Joel de la Garza
On its face, 2020 was a down year, but not for security. Remote work and economic uncertainty accelerated some security trends. Here, de la Garza highlights the latest trends in security technology and teams, as well as rising threats that any CISO should be prepared for.
Security When the Workforce is Remote, a16z podcast with Joel de la Garza and Das Rush
When there’s no longer a gap between work and life, security professionals must be prepared to protect the company, its assets, and its data. In this episode, de la Garza breaks down the current security risks, how to defend against them, and the broader security shift taking place.
The Reporting Line of Security Teams/CISOs, Phil Venables
Companies can’t expect one leader to shoulder the entire weight of its security practice, which means the CISO’s reporting line may not matter as much as you might think. Here, Venables discusses 2 very distinct archetypes to help you better define the type of CISO you might be looking for, and how that affects and informs their reporting line.
CISO: Archeologist, Historian or Explorer?, Phil Venables
To minimize dependencies in your application stack, your CISO must have the right skills to discover them and modernize your application architecture to ultimately reduce dependencies. This requires your CISO to do an insanely deep dive into your company’s tech stack.
Cybersecurity in the Boardroom vs. the Situation Room, a16z podcast with Sonal Chokshi, David Damato, Herb Lin, and Matt Spence
Are you focusing too much on the worst-case scenario, or are your efforts better spent focusing on basic metrics and security hygiene? In this podcast, experts share their views on the term “cybersecurity” and offer practical advice for security in the boardroom.
* * *
The views expressed here are those of the individual AH Capital Management, L.L.C. (“a16z”) personnel quoted and are not the views of a16z or its affiliates. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by a16z. While taken from sources believed to be reliable, a16z has not independently verified such information and makes no representations about the enduring accuracy of the information or its appropriateness for a given situation. In addition, this content may include third-party advertisements; a16z has not reviewed such advertisements and does not endorse any advertising content contained therein.
This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisers as to those matters. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services. Furthermore, this content is not directed at nor intended for use by any investors or prospective investors, and may not under any circumstances be relied upon when making a decision to invest in any fund managed by a16z. (An offering to invest in an a16z fund will be made only by the private placement memorandum, subscription agreement, and other relevant documentation of any such fund and should be read in their entirety.) Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Andreessen Horowitz (excluding investments for which the issuer has not provided permission for a16z to disclose publicly as well as unannounced investments in publicly traded digital assets) is available at https://a16z.com/investments/.
Charts and graphs provided within are for informational purposes solely and should not be relied upon when making any investment decision. Past performance is not indicative of future results. The content speaks only as of the date indicated. Any projections, estimates, forecasts, targets, prospects, and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others. Please see https://a16z.com/disclosures for additional important information.