The Real Role of the Field CISO
- phil7672
We all need to advance our businesses and that is in many respects about selling. We also need to recognize that security and reliability are increasingly the path to sustainable long term customer success - which is your success. This is where the Field CISOs come in.
Many more people are becoming so-called Field CISOs, and many more organizations are creating Field CISO teams under a variety of structures and names. Let’s look at what Field CISOs are, why they exist, and what the common characteristics of great Field CISOs and teams are.
Field CISO roles and teams are not new but have been growing especially quickly in recent years. It’s not a particularly well-defined role, but then again what in security is? So in discussing this there might be strongly held opinions about things I’ve missed or underplayed. So be it. But I do have some experience here and built what I think (naturally) was the industry’s best Field CISO team in the form of Google Cloud’s Office of the CISO. Although, to be fair, my part in that was mostly to have the wisdom and foresight to ask Nick Godfrey to build and run the team, and between us to mostly stick to the guiding principle that the Field CISOs had some prior senior leadership experience in actual roles in enterprises, CISO or otherwise.
The Purpose of the Field CISO
In simple terms the role of a Field CISO is to work with customers to build trust in their company and their products and services, to win, grow and sustain business by making customers successful.
Organizations that have Field CISO teams are typically vendors of technology and security products and services. But many more organizations have substantial customer trust requirements and a consequent need to support customers through pre-sales, onboarding, product / service configuration, through to dealing with audits and regulatory exams, and more.
The larger organizations become, the more these activities need to be assigned to a dedicated role or team as opposed to consuming a large part of the time of the CISO and their direct reports. In my prior financial services role we had a number of teams that worked on many aspects of this and for certain businesses we had unified teams that did all of this in support of customers. We didn’t call them Field CISOs but they effectively were.
The question of a single Field CISO role vs. a Field CISO team of multiple people, whether all doing the same thing or each specializing in an area such as audit support or a specific product, is, naturally, simply a question of the scale of demand on such a role/team.
The Activities of the Field CISO Team
So, what does a Field CISO team do? The following is a representative list:
Sales Support. Support the sales and product teams in developing markets, pitching customers and closing deals. In particular, articulating the security, compliance, privacy, resilience, reliability and other intrinsic risk mitigations that come built in or from add-on products.
Post-Sales Support, Onboarding and Expansion. Once the deal has landed the team supports all the teams in the customer that will be involved in implementation and expansion, and supporting any future land-and-expand sales motions. This will typically be augmented by helping with default product configurations, scripts or other pre-built environments to ease secure-by-default adoption. This is to help customers achieve their intended outcomes within their risk management expectations.
Internal Advocacy - “Voice of the customer” (Shaping the Products). One of the most powerful, and distinctive, activities is to represent the customer back to the organization. In other words, to advocate for what customers want or need based on dialog, observation and experience. Product, services and support teams are often quite good at this but can sometimes suffer from the confirmation bias of getting customers to agree to draft roadmaps. A Field CISO team that is working well is a “trusted risk advisor” to customers, and not just on security matters. So, they are likely to hear and witness true needs that can be pushed into products. This is particularly important on secure-by-design and secure-by-default initiatives. This, at Google, led to our phrase of “ship with full safeties on.” This can also cause some inherent conflict in businesses that are a mix of technology and security products if the Field CISO (and overall CISO / Product Security) team is pushing for defaults that correctly obviate the need to purchase a security product. Big technology and cloud vendors are all over the place on this. Some do well by customers, others less so.
External Advocacy (Shaping the Industry). This is another important activity, especially when done from the perspective of the customer. In other words, you can generally leave legislative, regulatory and other shaping to other teams, but where the Field CISO team steps in is to look at what might be affecting customers. This could be industry- or geography-specific, but is usually thematic. For example, big cloud and technology industry initiatives like the Open Source Security Foundation, Coalition for Secure AI, Post Quantum Cryptography Alliance, and more, benefit the technology companies but were set up with the equivalent goals of improving outcomes for everyone. There are lots of macro and micro examples of where Field CISO teams or their equivalents have shaped the creation of, or at least the trajectory of, these types of initiatives.
Driving Transparency. This is an element of all the activities. That is being as transparent as possible about posture, vulnerabilities, incidents, threats, and more. It’s worth calling out as an activity in its own right since it needs explicit focus especially if you are a new Field CISO or team and need to culturally change the organization. For example, it takes work to get everyone comfortable that post-mortems of incidents or close-calls will be openly published and contain tangible lessons rather than air-brushed corporate-speak descriptions of events.
Research, Training and Education. There is a constant need for customer specific training on all security and risk related topics. This is often specific to the technical details of the products and services used. A big role of the Field CISO team is to boost brand and trustworthiness by delivering useful content on a variety of topics to many personas. These could be research reports, guidebooks, threat research, bug bounty / vulnerability disclosure analyses, specific briefings for CISOs, CIOs, and Boards. It also includes content from conferences and regular podcasts. For example, (and yes, I’m biased) the unparalleled Cloud Security Podcast and the awesome Google Cloud Threat Horizons regular report.
Convening Communities. For many, but especially for large organizations, running a CISO Customer Advisory Board (CAB), CISO customer community and other events is a vital role of the Field CISO team. This is one of the prime means of enacting all the other activities, especially product advocacy. The main thing though, except for small product-specific companies, is not to have a CAB be only about particular products. Rather it should be to advance a whole platform, and above all be something that CISOs want to attend for education and professional collaboration. Working with other Customer Advisory Boards is also important. In my prior role I focused on our CISO CAB but I also got massive value from the CIO/CTO CAB where security was always a top priority.
Tactical Tools and Solutions. Not everything customers need can immediately be available in your company's products, services, or platform. In fact, the Field CISO team often finds the “sharp edges” on products, the platform, or the combinations of products that customers need to solve business problems. While many of these can be advocated back to product teams, it can take a while for them to emerge from the product pipeline. So, many Field CISO teams, directly or with customer or third-party help, produce tactical tools and solutions to fill those gaps. I’ve seen many great security products or features actually be built as direct copies of what was prototyped in the field as tactical support for customers.
Consulting and Strategic Advisory. A big part of a Field CISO role is consulting for a customer. This often should be short-lived since as companies grow there should be a professional services team or a range of re-sellers and consulting partners to fill the resource gap with customers. The Field CISO team, especially for the largest customers, can use their experience and perspective to be a “free” strategic advisory group that can help beyond the product or services the customer is using.
Audit and Regulatory Support. Customers in most industries, but especially the regulated ones, are subject to regular audits, examinations and certifications. As a supplier to them, or as a larger technology/cloud provider, you will have to both represent the controls in your products and services so that customers can pass that evidence through to their auditors, and help customers evidence the controls in their own configuration of the product. Many organizations deal with this in a simple way by maintaining certifications for their products (e.g. SOC2, ISO, PCI, etc.). But as your products and services get more complex you will likely need to support customers in their audits and exams, and respond to questions from them. It might even include sending people to help the customer in their processes. Some organizations use the same team that supports their own audits and certifications to do this. However, I’ve found that at a certain scale it makes sense to push this into a Field CISO team so that this activity can be intertwined with other customer-facing activities. For example, an audit response team in a GRC function might be great at helping a customer through an audit. But a Field CISO team immersed in product advocacy will more likely see the need for this help as a failure of product design and push for a change such that the customer has less toil in evidencing conformance to whatever examination they are being subjected to.
Organization Alignment (Business to Customer). All companies inevitably “ship their organization charts”. Some are worse than others, but all do it. A big part of the Field CISO team, over and above a customer account team, is to help join the dots between all the internal teams.
Organization Alignment (Intra-Customer). The opposite of this is to help navigate all the different teams inside a customer. A Field CISO team is uniquely positioned to help combine the perspectives and align a customer’s teams across security, audit, risk, compliance, legal, IT, and the Board. I’ve seen Field CISO teams run project workshops that get many of these teams together to agree on requirements, project sign-off stages and more. Of course, this is self-serving as it achieves the goal of quicker onboarding and expansion, which drives revenue. But, given the customer wants to benefit from your product and/or service, it’s also immensely valuable to them. Sometimes this may also feel like being a bit of a “marriage guidance counsellor” between some functions. For example, a CISO team driving a vendor to eliminate old vulnerable versions of software that are still depended on by a CIO team in that same customer, who won’t move off them, needs delicate handling.
Help? The Field CISO team should provide excellent help - for anything. Customer account teams can and often do this very well. However, a great Field CISO team or person can become so trusted as to be the first port of call for many questions. Don’t push back on that. Simply get better at being a good router of the non-Field CISO related questions. Again, lots of questions are a failure signal that documentation, defaults or designs need to be improved to remove the root cause of those questions.
Help! Finally, the Field CISO team needs to be ready to support customers in a security incident or other failure. This support might be needed for incidents in general irrespective of whether it’s an issue on your product or service. Depending on your scale you will, over time, likely need a customer incident response team to manage what could become a regular occurrence even if it is just to help them with logs and other data to support their incident response related to other exposures. In some cases for especially large companies there are dedicated incident response teams and services that handle this. Even in that case the Field CISO assigned coverage of an impacted customer should offer to help as a strategic advisor to the CISO or incident commander during an event.
Characteristics of a Great Team
A great Field CISO team is one that does the above activities really well. But the teams that truly excel do this with some distinctive approaches. These are what I’ve seen as the most important:
Credibility and Breadth of Experience. Not all Field CISO roles need to have been CISOs or other security executive roles specifically. For the larger Field CISO teams with incident response and audit support roles, for example, the organization structure can be quite diverse. But, overall the largest proportion of the team should be people that have been security leaders, mostly CISO, BISO or other senior organizational leaders in customer organizations. This lived experience brings a degree of empathy with customer pain points. It also brings camaraderie with customers that increases trust which in turn helps with successful development and delivery of all the Field CISO team’s activities.
Expertise and Product Knowledge. Broad and deep security knowledge is vital but it also needs to be augmented with knowledge of the security aspects of the products and services your company sells. It’s also important for the larger organizations and especially platform providers that the Field CISO team understands and can explain the underlying platform controls even down to the “silicon”.
Constant Adaptability. In any role dealing with customers, but especially Field CISOs, you need to do what is right for the customer. Put the customer first and do what it takes. This means constant adaptability, tuning activities for what is needed and tactically responding well to as many Help! and Help? requests as you can. At the same time though, take the signals that force adaptability as signals that your products, services, and the Field CISO activities might need tuning to reduce the need for constant adaptation.
A Learning Organization. As a follow-on from that, the great Field CISO teams are learning organizations. They have strong opinions, they advocate for what they believe, but they don’t hold their truths to be always self-evident. They remain humble enough to know that a signal coming from customers, even from just one, can be something to respond to aggressively.
Geographically Aligned. Depending on scale and resources you might not be able to have a presence in all the geographies that your customers are. At least, though, get a few people in each major region (Americas, EMEA, APAC) with some flexibility for people to travel around to support customers.
Industry Aligned. This can often be more important than geographic alignment, depending on the nature of your product and services. Having specific coverage for, say, finance, health, energy, telecoms, and government is important. This is so you can have people with the expertise, industry knowledge and lived experience of those sectors. Some of the best Field CISO teams have multiple people with experience in multiple industries and geographies.
Protects Confidentiality. Of course, protecting customer confidentiality is paramount. This isn’t just protecting their work from the outside world but also shielding knowledge of their work even within your own organization especially if you are supporting competing companies.
Take the Customer’s Perspective. While the team’s job is to advance their company’s commercial goals, it most effectively does this by constantly taking the customer’s perspective. Even if the customer might be misinformed or going in the wrong direction (objectively, not subjectively), taking their perspective will help inform how to influence them to change stance. The team connects people and products to help fulfill the customer’s goals.
Supports Customers' Roles Differently. It is important to take different perspectives of the different roles in a customer. For example, helping a CISO and CIO/CTO drive product adoption at pace and scale will need a radically different approach to working with the customers' audit and legal teams who might need a high degree of translation to their concerns and goals.
Built to Scale. As the team matures it will need to scale. A great team quickly becomes in demand, and not every member of the Field CISO team can do all things. For example, if a big source of team demand is audit and regulatory support then it’s more efficient and effective to build a specialist sub-team for that which the customer-aligned Field CISOs can call upon. The same goes for other specialist activities like solution building, training and so on.
Rotate People. Fortunately, I never had to deal that much with Field CISOs leaving to become CISOs again, at customers or otherwise. Although I did want to openly support that, as Field CISOs becoming CISOs of customers, or even better of potential customers, can be a significant commercial strength. It also helps keep the team fresh with the latest lived experience, especially if those roles are back-filled with CISOs or other security executives. In the future it might even be worth making many if not all of the Field CISO team roles time-bound, forcing rotation after some period of time such as 3 or 4 years.
Results Driven. Naturally, everything needs to be results driven. But measuring the results of the Field CISO team can be difficult. Yes, you can measure activities like engagements, solutions, artifacts, community event feedback scores, etc. But measuring actual outcomes is trickier. For example, sales wins in which the security team did well supporting the deal can be claimed as part of a revenue contribution goal. It gets tricky because it's hard to measure how crucial that contribution was to the win. I’ve seen some teams use variants of net promoter scoring (NPS) effectively, and other toil-related measures such as how customers’ need for audit support decreases as the Field CISO team drives product security and compliance-by-design work more effectively.
Characteristics of a Great Field CISO
A Field CISO has to deliver the activities well and be a solid part of a wider team. But what are the dominant characteristics of great Field CISOs as individual talent contributing to that team?
Competence. As a subset of the essential characteristics of the overall team (if there is a wider team) they need to know security, other related risk domains like privacy and compliance and the products and services their organization sells. They also need to be current on adjacent impacts and opportunities of new technologies like AI.
Humble but Value Proving. As part of serving the customer they need to build solid relationships with the CISO and many other leaders and team members. This involves listening... really listening, and then being focused on delivering what the customer needs. Not just what they say but what you intuit they need. This requires humility backed with undeniable competence. A Field CISO who wants to appear to be the smartest person in the room (whether or not they are) is going to fail to build true collaborative relationships with the customer.
Bridge Cultures. They bridge the culture of their own company with that of the customer’s organization, at multiple levels. I’ve seen plenty of cases where the Field CISO to CISO relationship is amazing but both sides end up having to marshal conflict resolution between vendor product engineering and the customer’s own infrastructure teams.
Boardroom Bilingual. Field CISOs need to be “boardroom bilingual”. They can talk to Board, C-suite, business line executives, CISOs, and CIOs/CTOs. The best Field CISOs have days where they’re in an in-depth engineering discussion, dealing with a regulatory exam for the customer, then talk to the CFO about risk, and finish in a customer’s Board room.
Lived Experience and Empathy. They have the lived experience of an actual operating role, which builds empathy with the customer. In my experience, while there are some former consultants who are great Field CISOs, they tend to be the exception due to that lack of lived experience vs. supporting experience. Related to this is the need to be seen to be acting independently. That is, they represent the customer and manage the tension with other commercial goals.
Communication Skills. They have excellent communication skills. Writing, presenting, listening, talking, and influencing are core competencies. It even goes beyond this to include how to run meetings, design workshops, Board discussions, mediate contract issues, handle incident communications, and more.
Run Toward Problems. They run toward all the problems the customer is having, not just the security ones. I’ve seen plenty of examples where Field CISOs and Field CTOs cover for each other and play off each other to do the right thing for the customer.
What Not To Do
This is the hardest part to be definitive about. To some extent it’s basically don’t do the opposite of the things you need to do. But, for me at least, the two cardinal rules of what not to do are:
Don’t be a recruiting agency. There’s a fine line here. Yes, if a customer has a CISO vacancy and you inevitably know some good candidates then it’s good to help, but not if it means acting like you're recruiting from one customer for another customer.
Don’t go round the CISO. In fact, don’t go round any leader. There might be situations where there is a block in the executive chain of command that your company has an issue with. For example, a business unit wants to do something that objectively is fine but a security leader is blocking it. You have to help support that security leader to get to a better place, not be part of some process that undermines them. Yes, fine lines at play here in some situations but there’s always better and high integrity ways to handle these situations.
Bottom line: Field CISO teams or roles are becoming more common as a construct to more explicitly manage and develop customer trust. The essential attributes of success are, of course, sheer competence but also a huge amount of customer empathy from having real lived experience of being in a security leadership role before being a Field CISO.