In security there is a lot of crazy stuff happening right now. Palo Alto is saying that CISOs are having fatigue with point solutions and that platformization is the only approach. Crowdstrike is saying that is “fugazi” and selling a single-agent architecture and modules natively built on top of the same architecture is the better approach. Regardless, one thing is for sure, there’s a lot of noise in security.
What can companies do to stand out from the noise? Well, they can take a page out of the playbook of Developer Tools and SaaS Applications.
They can hire a Field CISO.
What is a Field CISO? They are a former security leader who has been in the shoes of the customer, having previously led security at an org. They can empathize with the customer’s pain and clearly explain the ROI vs. other products in the area. We’ll dive into some more specifics below.
In Developer Tools, this concept has existed for a while. Developer Relations (DevRel) are developers who understand the pain that they and other devs are going through. They not only help new and existing devs understand the product and how it’s used; the best DevRel folks also showcase new use cases, best practices, and even workflows that the product they’re advocating can help with. All readers probably know or have heard of Kelsey Hightower, who crushed this role.
In SaaS, this is a newer category but growing fast. Product Evangelist is the term being used, but we need a catchier shorthand (“ProdEvan” doesn’t have the same ring to it as “DevRel”). Similar to dev tools, Product Evangelists showcase the product, workflows, and use cases, and generally share best practices in that specific area. One of the most prominent in this area is John Cutler, who used to work at Amplitude and is now at Toast. Plenty of other companies like Notion, Airtable, etc. have utilized product evangelists.
What both DevRel and Product Evangelists do is form an expert relationship with the audience of potential users (who are likely to be your champions in a deal process). They aren’t trying to sell the product directly but rather show the value which then leads to increased sales, brand recognition, and retention/engagement.
So let’s get back to security.
In the current state of security, the closest we get to DevRel and Product Evangelists is Threat Researchers. These are the folks who are finding new vulnerabilities, explaining exploits for the masses, and sometimes sharing best practices through newsletters. Right now many of these folks don’t necessarily have a product they’re helping advocate directly; they just enjoy helping others and sharing breaking events. Matt Johansen is one of my favorites in this category. I learn so much from his explanations of different breaches. He’s currently Head of Security at Reddit.
This post is my plea to change this. We need to normalize the role of Field CISOs. I still feel like some in security think of it as a strange job. They’re not sure what to think of it. But in this world of constant noise, with all sorts of companies saying they scan and remediate vulnerabilities, do CWPP, and have XDR capabilities, these acronyms and words are losing value. We used to know what a product did. Now when you look at a security company’s platform, you’re not really sure from the messaging where it fits into the stack and what specific problem it’s best at solving. This is the perfect fit for Field CISOs.
They can come in and be the expert who is able to show the workflows, speak to the pain they experienced in this area running security internally, and help others adopt great products that actually solve that pain. Karl Mattson is a great example. He led security teams at many different financial institutions, including a long stint as CISO of City National Bank. He gained the respect of everyone in the field during his time there and has now become a Field CISO. I don’t think there’s a single person who would not take Karl’s call and believe him when he speaks to the value of the product that he supports.
This is what the security field needs more of. And no, this does not mean just hiring anybody for this role. You need someone with domain expertise who has earned trust in the domain and now wants to help others. Otherwise, you will lose the trust of customers and put the hire themselves in a bad spot.
A great Field CISO is not easy to find, but if you do find the right person, they can help you break through the noise at a time when security is about to get a whole lot more confusing with everything being AI-enabled. The acronyms are about to get even crazier! Customers will need a trusted resource, and Field CISOs are a strong potential solution to this issue.
Lately, I’ve helped a few CISOs find new roles and I can say it’s been awesome to see many startups embracing this concept and the CISOs themselves being open to this role.
Who knows, maybe the acronym “FISO” will become security’s “DevRel” :)
Feel free to reach out to me (on Twitter or LinkedIn) if you’d like to talk about the subject more!