Cybereason CISO interview series: The case for hiring your CISO from within (and advice on how to do it)

CISOs aren’t like other managers. They enjoy the constant challenge of trying to protect their organization from the bad guys, said Quantopian CISO Jonathan Kamens. Read on to learn his thoughts on why, with the right mindset, learning security is easier than acquiring the institutional knowledge that only comes with working at a company for an extended period of time.

And be sure to check out part one and part two of Cybereason’s interview with Kamens for more information security insight.  

For CISOs, does figuring out what their business does mean going to different department heads and listening to them talk about what they do and what their needs are?

That's a hard question for me to answer because I've spent my career working for startups. I've worked with, at this point, seven startups. I don't have a lot of experience with how you deal with being at a big company where there are a lot of different business units doing a lot of different things.

One of the things that I think primed me to be successful here is that I wasn't hired from the outside to be Quantopian's CISO. I'd already been here for more than four years. I was with the company when it was only, I think, five people. I was one of the first hires, which means I really do understand the company at a very deep level.

What worked for me is obviously not always possible for everyone. A career CISO is going to hop from CISO job to CISO job. However, looking at this from the point of view of the company as opposed to the point of view of the CISO, I think you're better off, whenever possible, hiring your CISO from within if there's someone that's been there for a while and is capable of doing the job.

Quantopian CISO Jonathan Kamens

I think you can learn to be a CISO, if you have a security attitude, if you have at least some background in security, far more easily than you can learn the ins and outs of a large business. If you have somebody who already knows the ins and outs of your business, I think it's going to be easier for them to transition into that security role than it is going to be for someone you bring in from the outside. That person may know security but doesn't know anything about your business and has to pick up the in-depth knowledge of your business that someone who's been there for years already has.


The person at your company already has the institutional knowledge and the security layer can be added.

Right, which is not to say I think you can hire someone from the inside to be your CISO who has no security background. I have, actually, 30 years of security background, so it's not like my boss said, “Oh, you go learn security.” That's also doomed to failure.

I don't want to make it sound like information security's easy. It's not easy. In order to do it well, you need to have a certain mindset and mentality about security that I'm not actually sure you can learn. I think it's just something that some people have and some people don't. If it's someone who has that kind of mindset and attitude about security, and they can grow into the specifics of the CISO role, that will work. If you're just picking some random manager who's never thought about computer security, and say, "Hey you, you're a CISO now," that's not going to work. That's a recipe for failure.

What is the security mindset a CISO needs?

You need to think that information security is incredibly interesting. If you're not passionate about how to do security, then this is not a role that you're going to do well in. Obviously, everyone should be passionate about their career. But I think there are some people who view this security role as no different than any manager who could step into a security role and learn what they need to in order to do security. It's not really like that.

Security is as much art as science. The art aspect of it is this idea that there's this constant battle between the bad guys and the good guys. And there are all these neat ways that the bad guys can get through your defense system. And there are all these neat ways that you can protect your assets. That's an ongoing challenge and you just need to relish that. If you don't, why are you doing this work?

If you work in computer security at the level where you're a decision maker about purchasing technology for your employer, then everyone is going to be trying to sell you something. There's a lot of snake oil in this business: products that can't deliver what they promise, products that are protecting against threats that are not nearly as bad as they make them out to be. They're just trying to use fear, uncertainty and doubt to convince you that you need their product when you don't. There are products where the investment is out of proportion to the benefit that you would get from them. You could spend a lot of money to mitigate risks, but the risks are not significant enough to be worth spending that much money.

To make intelligent decisions about what technology to purchase and deploy within your organization, you need to understand both the technology and the threats at a pretty fine-grained level. Or you need to be very good at hiring people who understand those things, are passionate about them, and are capable of making recommendations that they can explain in ways that you will understand. And you can trust their recommendations.

You can either be an extraordinarily talented manager and be very good at building strong teams of people with strong technical skills who can then make recommendations to you that you can trust, or you have those strong technical skills so that you are capable of doing these evaluations yourself. If you don't have either of those skill sets, it's going to be very challenging for you to be a successful CISO because you're not going to know who to trust. You're not going to know which products to buy. You're not going to have a good understanding of what problems you're trying to solve and which product will actually solve them.

There are plenty of stories about companies that spent a lot of money on security, but it wasn't deployed properly or it was the wrong technology for what they needed, and it just didn't work. You need to either understand the technology and the threat landscape pretty damn well, or you need to be really good at hiring people who do and can make recommendations that you can use.

The Cybereason series Stories from the Front Lines of Security Leadership presents insights from CISOs, security leaders and IT executives on topics including what’s required to succeed as a security executive, how to convey the importance of security to an organization and how security leaders can advance their careers. Do you know a security executive who has great insights and would like to talk with us for this series? Email us at ciso.series@cybereason.com.

About the Author

Fred O'Connor

Fred is a Senior Content Writer at Cybereason who writes a variety of content including blogs, case studies, ebooks and white papers to help position Cybereason as the market leader in endpoint security products.