Are we inadvertently putting security leaders in a box?

For the purpose of offering our audience a comprehensive perspective, would you please provide an introduction of yourself, Todd?

I’m a cybersecurity leader with over 20+ years of experience.  I’m a 4x Chief Information Security Officer and have been the CISO in sports streaming (DAZN), asset management (Pension Insurance Corp), fintech (Sokin) and maritime data (Lloyds List Intelligence). In addition, I have advised numerous CISO’s and organisations on cybersecurity.  My most recent project was working with the private equity group Montague. 

I’m an award-winning cybersecurity author of ‘Cybercrime: protecting your business, your family and yourself.’ It is a book about the psychological methods cybercriminals use. I’m also a regular speaker, podcaster, and writer on cybersecurity topics. 

I have collaborated with leading cybersecurity groups like the Information Security Forum (ISF) and Chartered Institute of Information Security (CIISec). As a member of cyberclub.london, I have invested in numerous early-stage cybersecurity startups and have advised some of them.

I have Certified Information Systems Security Professional certification (CISSP) and an MBA graduate from Trium MBA – a joint MBA by HEC Paris, the NYU Stern School of Business, and the London School of Economics.

What is your relationship with InfoSec People?

My relationship with InfoSec People primarily centres around a long-standing professional collaboration with Benjamin Craig, the owner of InfoSec People (Head of Contract back in the day). This partnership has spanned several years focusing on cloud security, and our collaboration has evolved into a valuable connection.

One key factor is understanding the motivations behind a contract CISO’s transition to a permanent role. What factors influence this decision, and how do they impact an organisation’s security posture and leadership structure?

The government has introduced regulations that have had a significant financial impact on contractors, which include interim CISO’s.  This has caused their income to reduce 20 – 30% in some cases.  It is no longer as financially beneficial as it once was for many CISOs to be interims. 

This has made some contractors re-evaluate their roles – permanent roles are now more attractive, and some interim CISO’s are moving back to these roles.

Beyond financial incentives, what personal and professional motivations might lead an interim CISO to transition into a permanent leadership role within an organisation?

There is a misconception among organizations that interim CISO’s will not stay long at a company because their interim career shows a continuous number of short-term positions.  This is not true.  The reason there are so many different short-term roles is the nature of the contracts themselves – they are short.  If the contract were for longer term, then most likely the CISO would have stayed longer.  Most interim CISOs would have no problem moving to permanent roles if they chose to do so and would be just as committed to making it successful as they are with their contract roles.

In what ways does the flexibility of an interim CISO lead to quicker adaptation to changing threat landscapes and emerging technologies? How does their fresh perspective influence strategic decision-making within an organisation?

Having more CISO positions than a typical perm CISO, an interim can bring a wider range of experience and depth to the role.  Since they have worked at many companies, they will have seen the good and the bad.  This can make it advantageous to have them – this is particularly true for difficult roles.

How can organisations implement practices that attract seasoned professionals and promising talent, ultimately raising the overall quality of candidates being considered?

First, pay CISOs what the market demands.  If you pay poorly, you will attract those types of candidates.  Second, give a CISO the authority and correct level in the company to actually make a difference. 

For those aspiring to step into leadership roles within the cybersecurity domain, what advice would you provide to navigate the challenges and expectations that come with the role?

Communication, Communication, Communication – it can be a challenge for security people to transition to leadership, but if they master communication, it will be easier for them. 

We’re always eager to receive advice on how we, as a company and other recruitment organisations, can enhance our operations. Todd, could you share a valuable piece of advice with us that we could incorporate into our recruitment process?

It’s the little things that matter. Returning calls/email from candidates matter, whether or not you have a role for them.  Lots of recruiters (many big names) do not do that – it’s disrespectful to the candidates.  For sure, when these candidates are hiring themselves, they will remember the recruiters that returned their messages and they formed a relationship first.

Todd’s extensive experience as a cybersecurity leader, combined with his role as an author and speaker, highlights his deep expertise in the field. His insights on the evolving landscape of interim and permanent CISO roles shed light on the motivations and considerations that cybersecurity leaders face. Todd emphasises the importance of recognising the value that interim CISOs bring, particularly their adaptability and fresh perspectives. He also provides valuable advice for organisations seeking to attract top cybersecurity talent and underscores the significance of effective communication in leadership roles. Moreover, his advice on the recruitment process emphasises the importance of treating candidates with respect and building lasting relationships in the industry. Todd’s wisdom serves as a valuable resource for both individuals aspiring to leadership roles in cybersecurity and recruitment organisations looking to enhance their operations.