HFA Leadership Forum: The Path to Becoming a Chief Information Security Officer

November 19, 2021

The following excerpts come from an interview with HFA Leadership Forum

As a leading executive and board search firm, Howard Fischer Associates works with some of the top companies and senior executives throughout the nation. Our success stems from our belief that exceptional leadership is the most powerful competitive advantage a company can have in the global marketplace. The HFA Leadership Forum features interviews with some of these exceptional leaders, providing insight into their career paths, recommended best practices, and the industry trends that are worth paying attention to.

In the interview below, Girish Mirchandani, a Senior Principal at HFA, talks with Tony Spinelli, a former four-time CISO with First Data, Equifax, Tyco, and Capital One. Tony is currently on the Board of Directors of Peapack Gladstone Bank, a NASDAQ publicly traded institution; Per Scholas, a nonprofit focused on providing opportunity in overlooked communities and raising diversity in technology and cybersecurity; and the National Security Agency. Tony is also a faculty member at the National Association of Corporate Directors (NACD) and an adjunct professor at George Washington University’s School of Business.

How did you become a Chief Information Security Officer (CISO)? What was your path to your current position?

My path was not typical – most CISOs start in a computer-science-related field. I started in internal audit, which allowed me to establish a firm understanding of operational and technical controls, and I became interested in security, with an early focus on midrange systems and networks. At Ernst and Young, I moved to the security practice, which was small at that time, only 30-40 people nationally. The benefit was that I was able to experience a diverse set of challenges, from healthcare, to manufacturing, to finance, and I got to solve real problems. As a consultant, I had a strong set of experiences to pull from, and I was prepared to lead when the opportunity arose. So, I didn’t start at an enterprise as a security analyst and work my way up; instead, I saw the most challenging areas of each enterprise and was tasked to solve for the problem and the risk.

From Ernst and Young, I went straight to First Data as the CISO. I started with a small business unit and increased my responsibilities over time. Following that, I went on to Equifax, then Tyco, and Capital One. Today, I am focused on helping to mentor many of the best CISOs in the world, helping them to see the challenges of digital transformation and what that means for cybersecurity. I also sit on a nonprofit board and serve as an adjunct professor, where I teach higher-level courses focused on digital enablement, digital transformation, cloud migration techniques, agile delivery concepts, microservices architecture, software as a service (SaaS), robotic process automation, graph analytics, artificial intelligence, advanced risk management, cybersecurity, and public cloud security techniques.

What are some of the best practices of the top CISOs?

If you are not innovating, you are standing still. If you are standing still, you are falling behind. As a CISO, you have to think about innovation constantly because cybersecurity is constantly in a “race condition.” When you close one risk or vulnerability, bad actors will find a new weakness and exploit it, so you have to stay one step ahead.

When you do build something that is innovative, refine it and share it with your network of other CISOs and be part of the virtuous cycle that enables learning and growth. To that end, I’d also suggest building a network and community with other CISOs. At Capital One, I hosted 60 CISOs and shared our cloud security program and approach, as well as how we were building cyber data lakes with open source technology to get deeper insights into our cyber risks. It’s a good idea to do meet-and-greets with other executives and peers every month, sitting down together for coffee or lunch. It’s important to ask for help, share ideas, and solicit feedback.

The best CISOs also prioritize diversity. The more diverse your team is, the better your results will be because you will have leaders on your team that see things differently and can provide you with insights and approaches that have not been considered. As a CISO, it’s critical to surround yourself with talented and diverse leaders who can challenge you and provide you with ideas and perspective beyond your own.

How can someone become a CISO? What skills do they need?

To start, you have to really understand that being a CISO is a 24/7/365 job. There is no off switch. You also should approach your work through a business lens, especially in the board room. If you can’t be strategic and talk about business growth and how cyber can be an enabling part of the equation, it’s less likely that your plan will be adopted. I’d recommend attaching your cybersecurity agenda to your business agenda. If you can tie in cyber with growth and how it can assist the business with entering new markets with reduced risk, you will be more successful than the typical CISO because you will have the budget and the team to support your vision.

Next, I would say that talent is more important than tools. Your job is to hire people who are much smarter than you – the best talent in the world. That will keep you safe in the long run. Then, you have to be a good leader to those people. CISOs worry way too much about products and tools before getting the right talent. Think of it this way: if you can hire the right talent with great skills, your required budget and spend on tooling should go down, as your team can supplement product spend with core innovation and capability and provide you more balance between tooling and talent. I’ve seen many mistakes where significant budget is spent on tools, yet there is no return on the investment due to lack of talent to implement, configure, and run the products with a best-in-class operational mindset.

How should CISO success be measured?

You need to set up the measurement criteria. You have to think about your program in terms of maturity and risk management. I get excited about progress and growing the program by having real measurements and statistics to share. I am also a proponent of bringing in an outside consultant to validate, test, and find new risks – have a trusted vendor support this approach, see if they can successfully challenge your enterprise cyber program, and continue to raise the bar on your program operationally. Don’t be afraid of this type of exercise because you’ll learn a lot – and it’s better for you to find the risks and weaknesses than bad actors.

How do you see the CISO function evolving over the next three-to-five years?

The position has become too broad and too big for one person to manage effectively in a regulated enterprise. As a function, the CISO shouldn’t report to technology in every enterprise; cyber is a risk function and belongs in enterprise risk management over the long run. I’d also consider reporting to the CFO or CRO. From a delivery perspective, the CISO is a strategist, operator, and compliance officer more than they need to understand technology.

What advice do you have for aspiring CISOs?

One of the strongest trends that boards and executives are currently dealing with is the shift to digital. The challenge is that the failure rate is more than 90 percent, and the reasons often point to the lack of investment and capability in the cybersecurity program. When you are moving from everything on-premises with physical servers to the cloud, software as a service, and mobility, nearly everything you do in your digital agenda is reliant on the cybersecurity program.

Start thinking about how cybersecurity can become digital. You need a strong digital and cloud strategy to support the business, and digital transformation fails without a high-quality digital cyber program. Use open source, use cloud technologies, and embrace fully digital concepts. The best approach is to start moving your cyber program to digital and use test-and-learn concepts to educate yourself, your enterprise, and your team. For cyber, start pulling cyber event data, get deeper insights – not more alerts – and use that information to improve your decision making in a digitally focused approach.