Michael Piacente: [00:00:00] The first thing that popped in my mind was, well, how are you securing all? This is your product code that you're now putting into this thing. We now call the cloud and how's this all working? And the answer was always the same. The first one was, Oh, AWS or this Amazon feature they have. It just automates it.

It's amazing. They take care of all the security for you. I'm a huge proponent of personal brands and actually studied a lot about how it all works. It's not something I thought I was going to be. I would say in every case, especially right now, where you have more CISOs on the market than there really have ever been since the advent of the CISO.

CISOs obviously in this economic downturn and taken a pretty massive hit. Many more of them are looking for work for most people who are not CISOs that other executives in the organization, the concept of a CISO and what that person should exemplify, what that person should basically be is very different.

It may be in the mindset that they just want someone to be low profile. We don't want to bring a lot of attention to our environment, to our brand. And I personally think they have that wrong, but yet they don't know yet. It's not their fault. They haven't been around the CISOs long enough to know what these amazing creatures really are right ?

Ashish Rajan: [00:01:00] To shed some light on the whole cloud native CISO and what does that really mean? I had Michael Piacente from Hitch Partners. They have been doing executive search for CISOs all across US for a long time. And to give you some example, he was one of the people who was talking to AWS when AWS was thinking about doing their own data center.

He was on the opposite side, negotiating them to actually remain in data center instead of building their own all that story and a lot more about how CISOs have evolved these days. What's a cloud native CISO in the first place. What are some of the responsibilities people are expecting from CISOs?

Also, my personal favorite for CISOs who have a personal brand, whether it's an act of finding a balance or between how technical can I be and whether I should be out there promoting and talking about what I'm doing or on the other side, should you completely become a celebrity CISO? Fortunately for me, I've been able to find a balance, but I definitely had a time and I have shared this on the whole episode, but I think it was worthwhile sharing.

That having a personal brand is definitely important, but finding a balance between whether you are still operational or technical and still putting [00:02:00] content out there definitely is super important as well. Like I think examples for this, for me are people like Phil, who's a CISO who is a CISO for Google Cloud Geoff Belknap who is a CISO for LinkedIn.

He's also a great candidate to look out for. Jason Chan, another one who's probably retired after being a CISO for Netflix for a long time. Another great candidate and a lot more exist who do share what they have learned and what they're working on, but at the same time are super amazing at CISOs as well.

I'm really fortunate to know a few of them as well. And this was a great conversation. I hope you enjoy this episode with Michael. I also hope if you know someone else who's trying to become a CISO, definitely share this episode with them because they would definitely find it valuable to know from the person who helps recruit some of these executives.

What are some of the companies looking out for? What are some of the compensation packages that you can expect? What is the difference between insurances? What are some of the gaps you should be asking for? At least if they're not filled out before you sign that contract to become a CISO for a company.

I hope you enjoyed this episode. And if you are someone who follows us or subscribes to our YouTube channel, thank you for doing that. It really helps us. If you're someone who's sharing your content with your friends and colleagues and family as well, who's probably in this [00:03:00] journey, thank you for doing that as well.

I will let you enjoy this episode and I will talk to you in the next episode. Peace.

Hey, what's up everyone, briefly interrupting the program for sharing something that would save your inbox and your phone from vendor spam. Now, as a CISO, I would get hundreds of pitches from vendors in my inbox and over voicemail. I get why they do it, but the endless stream is exhausting for both sides.

I recently learned about SageTap, who may have a better way of dealing with this complicated yet delicate relationship. Think of SageTap like blind dating for vendors and buyers. You get matched to meet with few relevant security vendors anonymously, meaning no spam or unwelcoming follow ups. You only reveal your identity to the vendors if their pitch interests you.

If you're tired of vendor spam, you may want to check out SageTap. io, your secret weapon for vendor discovery. Now back to the program.

Ashish Rajan: Hello and welcome to another episode of Cloud Security Podcast. Today, I have Michael or Mike for friends. I wanted to come and talk about the different CISOs that exist in the first cloud native world that we're living in.

But before we get into it, Michael, could you share a bit [00:04:00] about yourself? How'd you kind of ended up becoming a recruiter for the CISOs of the world?

Michael Piacente: Yeah, thank you. And thanks for having me. Great to be here. I actually started in technology and IT. Started in the enterprise storage space for a company that competed and eventually sold technology to DEC and eventually sold the company to EMC, so kind of a dinosaur in that space.

I think I started working on VAX systems and Alpha 2100s, that was my first entree into the technology space. And I actually love it. It was an amazing experience. Got to work with some of the original computer scientists from University of Illinois, who created what we now use as RAID and all of the redundant array of independent disk technology.

So it was a very fun way to get myself acquainted into the space. Just so happened that the dot com boom was kind of the first big entree into where we would start using enterprise storage. And then that led into working within the managed services space for data center operations. I worked with two different companies, their company called [00:05:00] Sitesmith, which was one of the original managed service providers in the data center space.

And then eventually it was a co founder of a company called Opsource, which took it to the next level in the ASP, which we now call cloud space, kind of the beginnings of cloud before it was in production. And so I got to see the birth of the data center move from telling Amazon they probably shouldn't look at using their excess bandwidth to go build their own data centers and try to convince them to stay in our own data center.

They said, no, no, we're going to go, we're going to take this extra bandwidth and power and compute power and go build our own data centers and call it AWS. You can tell I was very wrong about that prediction. Oh, wow.

Ashish Rajan: You were there. Oh, wait. Okay. I'm wondering what the conversation would have been like as well when AWS would have been actually going to build our own, you're like, Oh, what?

Michael Piacente: Yeah, I remember the senior architect from Amazon books, I believe it was approached us because I was responsible for everyone in the data center and the data centers at the time. [00:06:00] This is a company called above net and they were looking to move out and build their own data center in Tukwila in Seattle.

And I just said, let's. I just don't know who's going to use that small, medium businesses. You know, you should stay. And so when they actually discussed the architecture, I was like, that's an amazing model, right? For smaller companies, obviously would never would have foreseen it being used as a household name in computing, pretty much running, you know, today's obviously didn't know Google and Microsoft and others were going to be in the playing field either. But anyway, so that's where I started. It wasn't until 2004 where I had an opportunity to get into executive recruiting, a friend of mine had invited me to start an IT practice within their finance and accounting search firm. And it was right around the time of SOX. So S O X, Sarbanes Oxley, and that was a pretty critical time for companies to figure out the IT component and the risk component of their organizations.

Kind of the first time a CIO. Was in the limelight. And so I spent about 10 years running CIO searches and [00:07:00] all that fell under the CIOs organization, including these wonderful individuals named CISOs. I saw the, kind of the birth of that in smaller to midsize companies. And there was obviously a movement going on in the enterprise side, on the banking side as well, so that we were kind of seeing that intersection happened before our eyes.

So that's kind of how I got into this whole fun time.

Ashish Rajan: Oh, and why specifically cloud native CISOs? I mean, now you're even more hyper focused on cloud native CISOs now.

Michael Piacente: Yeah, yeah. Thanks for asking. We run about half enterprise searches. I would say mid size enterprises under about 10 billion. And we have a pretty strong model for cloud native.

The thesis was that we started getting calls around, this is with my original company I was mentioning. About 2009, 2010 from software companies on both the West and East coast of the U S saying that they, I remember one specifically, which I won't mention the name, but it was a large software company saying we were looking for a CIO, a new CIO.

And I would say, well, what's the pain and where are we starting? You know, what's the scope of the CIO? And the [00:08:00] answer was, well, we sort of lost track of our software licensing costs. And I was like, that is a very interesting reason to want a CIO of all the top 50 reasons that wouldn't have been one, I guess.

And it turns out that the company's products were being pushed forward so rapidly that the development teams, engineering teams got tired of waiting for IT to procure compute power and storage. And so they went out and maxed out their company credit cards, about 30 of them, company credit cards on this thing that we now call AWS.

And these are engineers. They weren't really managing the licensing they would build. And then they would build into another environment. And the first thing that popped in my mind was, well, how are you securing all this? This is your product code that you're now putting into this thing.

We now call the cloud. And how's this all working? And the answer was always the same. Every time we talked to a company like this, the first one was, Oh, AWS or this Amazon feature they have, it just automates it. It's amazing. They take care of all the security for you. Again, this [00:09:00] is 2009. I said. Oh, wow.

We're going to build a business right here. Yeah. That's an opportunity. Yeah, exactly. Exactly. And honestly, that was our original thesis. The model was predicated on cloud adoption. We thought by 2020, we would be in a fully cloud native world would be dominated by the cloud. And of course we didn't calculate the complications for cloud migration and integration with legacy systems.

And so obviously we're now seeing the beginnings of that now with, you know, 2023, 2024, we're seeing how it affects almost all of our enterprise clients have a split between a cloud native or cloud first environment and their legacy on prem environment based on the application suite. So it's really fascinating thing, but when we first started, there was very little known about this special creature called the cloud native CISO, right?

Ashish Rajan: Yeah. I was going to say, what is a cloud native CISO? I was going to ask that.

Michael Piacente: Yeah. Well, it was funny because we, we first had to find them and, and then we had to [00:10:00] figure out how to evaluate them as leaders

Ashish Rajan: and probably make them believe that a cloud native CISO as well.

Michael Piacente: Exactly. And really try to tie together, by the way, there was no compensation data, there was no data at all. And so we found them the first few, and I know you've talked to a few of our friends in this area, but we maybe found 30 or so these, what we call these high consequence data providing cloud native environments.

We were fascinated by how they built their teams, how the business reacted to partnering with them. We noticed that they had a certain composition, right? They were builders first. They built small to mid sized teams that were very technical. I think our initial search is maybe 15 to about 70 person teams.

They were transformation on their own way, right? We hear this, are you a transformational CISO today? And I would argue that a cloud native builder is very much transformational. They took something that wasn't there before, no evidence of a program at all. And suddenly it's there and they've convinced an entire organization this is the way it should work. They're always managing much more than security too , they were [00:11:00] managing IT. And they were managing physical infrastructure and they were managing infrastructure, the DevOps side, and even some privacy. And that's still true today. Most of our cloud native CISOs and CISOs in general, most of our searches result in IT falling under the CISO scope, about 90 percent of our searches today. They're also extremely product first. And I mean, to the level that they often, the initial cloud native CISO often was very deep in software engineering speak. And even in background, they spoke like they acted like they made decisions like software developers.

And that was easy for the software teams that usually they were dwarfed in size. So that the security team was very small and they would have these 150 person engineering and development teams that they have to contend with they had to build immediate trust, immediate connection with the language.

They were also ready for crisis, which I thought was really fascinating. They weren't tied into any sort of red tape. In fact, when the pandemic hit as a great example, they were the most prepared in these companies [00:12:00] to look around the corner and say, okay, how are we going to run this entire organization remotely and how we do it safely?

And so they were ready, they were ready to, to take the charge. And you saw a huge leapfrog in the CISO's stature from that. They're also highly collaborative. And I know, you know, a lot of the same individuals that I know. I mean, it is, they're always, always helping each other. The birth of CISO Slack channels has become, I think I'm on five or six, I'm sure you're on 10.

They're extremely community first. They're loyal to a fault in some cases. And I love that. I love that you can work with others. They're always looking out for them. In fact, one of the biggest, both positives and negatives of our business is all the CISOs know one another. So they'll always recommend them.

And even, even though they might recommend someone like us, they're always gonna recommend their friends first. And by the way, that's the way it should be.

Ashish Rajan: Maybe worthwhile calling out, its different roles that exist as well these days. Because to your point, Cloud Native CISO, but a lot of people would not even be aware that CISO is probably not the only thing that exists in a organization. There's Deputy CISO, Head of [00:13:00] Security, Fractional CISO, all of that. I mean, you don't have to kind of go into a deep explanation, but I guess in general, like when you come across people who probably hear CISO I wanna be CISO Mike.

And you're like, actually, have you considered the other paths? Because you may or may not have enough experience. So what are some of the different types of executive roles or leadership roles that exist in security?

Michael Piacente: Yeah, but by the way, on that comment, I always try to look at if someone wants to get into the CISO organization or CISO role I'm the first one to try to evangelize how do you get there as opposed to talking them out of it because, yeah, I'll look at the characteristics of their background, what may be tied in, you know, have they codified risk in a digestible format anywhere in their previous background, have they translated, you know, heavy technical challenges into digestible business terms?

Like if they've done that somewhere in their career, whether it was product or engineering or IT or risk, you see a lot of management consultants focusing on so backgrounds and then great, my job is to [00:14:00] enable them and to get there because as many times as people are excited about being CISOs, there's also a real thing called CISO burnout, which is kind of balancing those coming into the industry versus those leaving. And so I feel it's my job to make sure I enable everyone to become a CISO.

Ashish Rajan: Fair enough and what are the different kinds?

Michael Piacente: Yeah. I mean, we're seeing a lot of different variations and I would say that it's highly nuanced, right? So you do see this transformational CISO that comes in as the organization is transforming, let's say, and as example.

On topic that we were just talking about. If the company is moving more towards cloud services, you might see someone coming in, that's a little bit more technical, a little bit less on the IT reporting structure and more on the development and engineering and product reporting kind of lines. They may have worked more collaboratively with product to enable them to get the products out faster, out safer.

And so in doing so, they kind of transform the company into really a product first safe environment. And how do you get your security out there in a [00:15:00] digestible way? How do you sell up to the board, right? So it's very transformational across the way. We've seen that the hero syndrome post breach or even during the breach coming in and really saying, okay, these are the things we need to remediate and this is what this all means. How do we negotiate our position? And so again, I would argue that those are transformational too. You're transforming the way the company views risk and even if it's in its present state.

And we also see there's obviously a huge contingency of enterprises that have IT enabled CISO, so CISOs that are reporting under the CIO structure. is still by our numbers around high thirties, low forties percent wise, as far as organization is still having that structure and that's very important because everything runs through it IT enterprise. We're also seeing, you know, variations of the CISO there's many more versions of that, which I won't take time to do, but we're seeing a BISO, a business information security officer, which is a variation and that is someone that's. Well, it depends on the definition, [00:16:00] but the one that we've seen the mostly , is that individual, that executive leader that is almost acting like the CISO, someone that's going to basically take the message and integrate that message within the entire organization.

So someone's running the operational components of the CISO's organization. And then someone's running the business effects and the business risk translation. So every organization understands what needs to be done from an education and awareness perspective. And a BISO is uniquely responsible for that, making sure that the entire organization understands the CISO's world from a business terms perspective, they're extremely effective. You see this more and more, we're seeing a virtual CISO or an interim CISO or a fractional CISO extremely popular right now. We have a whole matching service that we've had to build. We decided to build based on this, which is 80 percent of the companies that approach us actually don't need us full-time CISO, interestingly enough, and we only run 30 or 40 searches a year. It's a pretty small number, but we are approached by 150 to 200 companies [00:17:00] a year. And my competitors might like to say we lose that many searches. We don't we lose maybe five or 10 searches to competitors. The other a hundred plus that approach us really didn't need a full time CISO and so a virtual CISO or an interim CISO is a great option, which is someone that comes in and builds the beginning structure of a security program and usually starts with compliance. So we need X to be done in order to sell to this industry or to have a validation and then it moves from maybe more technical problems and eventually kind of expands.

So there's a variety of, I'm probably haven't covered all of them, but there's a variety of other CISO variations that we've seen kind of grow up in the last few years.

Ashish Rajan: Awesome. And I think that also means that depending on the kind of experience people have, they all have an opportunity to become a CISO as well, but whatever the kind may be.

Michael Piacente: Yeah. And it's all nuanced, right? So one thing about the cloud native CISOs is that we thought they were just fascinating. They can work circles around a technical challenge as a nuance, but they weren't traditionally very [00:18:00] strong on GRC. In fact, they didn't even have a passion around it. We had to find those that had passion for getting GRC right.

They had limited customer exposure, which others like a BISO would have a phenomenal record around customer exposure. They didn't have any board reporting experience, whereas an enterprise IT, you know, a CISO that was reporting under a CIO would come right out of the gate with a much stronger board presentation story.

So every, all these little pieces, they're all nuanced depending on the trajectory of the person's background.

Ashish Rajan: I think probably worthwhile also calling about is the compensation package as well. I think a lot of conversations that I end up having with different CISOs usually around the fact that, Oh, there's only a base salary.

Like I think, I read somewhere there's a three stool approach, but a lot of people don't even know that there's more than that usually for companies, especially cloud native companies as well. But I mean, some of the examples of what get people, I mean, obviously there's the whole benefit of working for us gets you health benefit and all of that, I meant more in terms of like, is salary the only thing people should expect as part of the contract they're signing? [00:19:00]

Michael Piacente: Yeah, actually just taking a step back on that. It's a total package now. So let me, before I get into that, though, I can, we first started our journey we noticed that there was only a handful of companies that actually knew the worth and the value compared to other executives in their organization about this cloud native CISO. And that sort of put us on a path. To say, well, we should just go ask them what they're all making and come up with a, with eventually would be a survey.

We actually started tracking them. The first thing we had was a map. If you go back, you know, eight years, we had a map that showed where the concentration of the cloud native environments and what they were being paid just from base salary. Right. And then that morphed into our first survey, which we had about a hundred or so participants.

And now this past one we had over 720. I think we're expecting over a thousand, this 2024 version, but it's not even a a compensation survey anymore. It's become more of everything a CISO needs to have, or anyone that wants to be a CISO should be aware of as they're negotiating. And that, to your point, base [00:20:00] salary obviously is there.

And actually, I will say base salaries have held pretty steady on the CISO. High consequence CISO environments, but you also have a variable bonus structure, which of course, every company does, whether it's industry regulated, or if it's public or private, smaller or larger, you know, that range from 15 percent to 40%, as an example, 40 percent of the base salary, that is, and it's paid out either one time a year, usually, you know, beginning of February to April in the U S as an example, or it can be paid out over time and in chunks.

But it's a variable bonus. You also have long term incentive plans, which is, you know, a larger organizations. We typically see this. We just completed a search that had a significant LTI component as part of their compensation. You have equity, right? In the form of either options or RSUs options, meaning that it's not put a value on it other than, you know, what the private market has said.

And then when it goes public, obviously you're going to see the conversion. Of course, you have taxes on that too calculate in, and then the RSUs, which are a little bit more straightforward, [00:21:00] but they're getting refreshed every year. By the way, all the benefits that you mentioned, healthcare, life insurance, childcare, you know, stipends for travel.

We've even seen a couple of, you know, back in, not so right now in 2023, but 2021, we saw a few, you know, jet share capable offers. These CISOs were moving all over the place every week traveling. And so it just made more sense to put company jet share, things of that nature, but there's a lot to consider.

And then there's the whole protection piece of a CISO. Now I've had several instances where, you know, famous instances out there where the CISO candidates trying to figure out how they're going to protect themselves professionally, personally. Can we make sure that we're on the DNO policy, directors and officers.

And so that is something that we looked at two and a half, three years ago. The percentage of companies that allowed their CISO or had their CISO on D& O insurance was super small. And our last report showed that it was, I think I have the numbers right, it was 39 percent or 37 [00:22:00] percent on private companies and upwards to 42 percent on public companies.

So , it's come a long way since we started tracking that. We expect those numbers to continue climbing as a must have for a CISO. There's also. If you're a private company and you might be an acquisition target, having a double trigger clause, which allows for an immediate resolution and acceleration of your equity during an event, not just an acquisition event, but then your second trigger is your company's now says, well, the scope of your CISO role is now you're going to be a senior manager of incident response for this larger entity, which is the second trigger, which triggers your equity to forward vest.

Either, you know, fully or halfway to keep you, keep you whole. And so there's lots of different areas that we see right now in the whole compensation and negotiation piece. Many of our CISO friends have retained legal lawyers, right? To make sure that they can draft a viable employment contract or to make sure that they have the right language in the offer letter, things of that nature.

So it's become kind of a cottage industry in a way just to negotiate the CISO [00:23:00] package these days. Yeah.

Ashish Rajan: It's really interesting how that one incident changed the way people approached the responsibility that they had.

Cause I have had so many conversations where cybersecurity insurance as an organization, how many times a CISO is being involved in that conversation, they don't even know the scope of what's involved in a cybersecurity insurance as well. That was really interesting for me. This whole corporate liability insurance as well, like, I mean, these are things people kind of focus on the whole, Oh, I'm going to do the best job as a security person.

There's the whole liability insurance side and the DNO or the director and officer insurance thing was really interesting. And I believe it's a US only thing, there's probably equivalent is coming for other countries as well. Do you see people asking for it now?

Michael Piacente: The D N O insurance. Yeah. The d n o, yeah. Director. I'd say in our searches, nearly a hundred percent ask for it. ? Yeah. I would think so. Yeah. It's gotten so common and other, it's not just d n o assurance, but indemnification is another one. Making sure that they have right to legal counsel that can support them.

So the d and o insurance is only [00:24:00] applicable if there's no criminal or suspected criminal activity. That's where the Uber position became tricky because as far as I know, there was protection under DNO, but then they claimed it was criminal. And so it was nullified. And I think there was another one like that recently as well.

You know, that's not good enough for us, right? Like we're putting your personal and professional livelihood out there and someone else is going to define it as something. So there's all kinds of protections. We're excited to continue to track this because it is such a huge thing you mentioned the cyber insurance, right? So that's another area of scope creep for the CISOs. If you would ask me three years ago, how many CISOs are involved in negotiating their cyber insurance, it would be a very low number. And so we're actually going to track that this year because we know that CISOs almost all CISOs that we're talking to are involved in the scope negotiations, the renewals of the cyber insurance program or cyber insurance policies because they're the only ones that between them and the GC who also understands is they're one of the only ones that understand how to [00:25:00] negotiate these properly, you know, and understand what's going on at the layers below in order to get policy. So it's fascinating what the CISO has to know these days.

That's why we always say the CISO, maybe the GC have the only view of people, process and technology in the organization today. You know, a company that obviously has a CIO would fall into this category, but those that don't have CIOs and newer, you know, smaller companies, the CISO is the one that they look to and it says, what's going on in our organization.

It's fascinating. It's fascinating what they have to learn.

Ashish Rajan: Do you feel the cloud native CISO, the roles and responsibilities are different compared to what they used to be? Like, now that there are a lot more companies trying to be cloud native cloud first, has the roles and responsibilities changed dramatically as well in the kind of candidates you see, or at least the kinds you look for?

Michael Piacente: Yeah, that's a great question. I would say that in a cloud native situation or even cloud first, they've had to show that they have a greater level of maturity and evidence and [00:26:00] experience in the area of governance and risk and compliance in the area of customer enablement, channel enablement, in other words, speaking with customers, speaking with partners and being more comfortable with that.

They've had to get much stronger on presenting to the board, the executive teams, they were a little bit long winded. I'm long winded. I know how that is. So I can recognize it right away when I see CISO that might need to kind of codify this a little bit for digestible means. But so, you know, we've seen this change.

We've seen this evolution with these CISOs again, some of the CIO reported CISOs are stronger in those areas and less in technical areas. So there's always a give and take, right? But yeah, we have seen this change. I would still say that the fact remains that the challenge in any CISO role, whatever nuance they're coming from, whatever industry is that they need to understand how to the technical components that they're supporting and building.

I hate to say it's as simple as that, but that's really what it comes down to. The more technically focused CISOs [00:27:00] struggle with the business alignment in a format that everyone understands, agrees with, and can take action on. The more business aligned CISO struggles with how to understand what's really going on at the code layer with all these different environments that they're now supporting where they may have legacy applications have been there for 20 or 30 years, and then they have a brand new cloud native environment running on GCP or AWS or Azure.

Defining and trying to figure out that concentration and that translation is really the nuance. That part has not changed. Depends on which way you're coming at it. The problem hasn't changed.

Ashish Rajan: Awesome. And also I guess another one to call out over here is that the cloud native CISOs are probably out there speaking in conferences and other places as well, building people who are building their personal brand as well.

What's the importance of personal brand for a CISO career path? I mean, I guess I'm a bit biased being a content creator myself now from a CISO role, but I'm curious if you feel there's a value for other CISOs or people wanting to be CISOs building a personal brand out there on the internet.

Michael Piacente: Yeah. Well, [00:28:00] one thing we'll have to work on your personal brand. That's a little bit weak. Right. So , I appreciate that. No, I actually, I love what you've done and others in the space. I actually, I'm a huge proponent of personal brands and actually studied a lot about how it all works. It's not something I thought I was going to be, my team and I were actually going to be trying to add value, but it's, I would say in every case, especially right now where you have more CISOs, on the market than there really have ever been since the sort of advent of the CISO.

The CISOs obviously in this economic downturn have taken a pretty massive hit. Many more of them are looking for work. And one of the things that we noticed is CISOs are extremely, for the most part, very humble. Very humble about participating and they love to participate within their own community.

It's actually one of the things I'm probably tougher on most CISOs is to say, you know, CISOs need to stop entertaining other CISOs because they're amazing at it. And like I said, the community is always behind them, but they need to break the windshield a little bit and go outside and talk to the business owners and make sure that they understand [00:29:00] what's going on, but yeah, personal brand is critical.

Most CISOs that are in this space and then focus on all these things we were talking about have very little time for our self promotion, building artifacts that someone, and it's a new world, right? We don't use resumes. We haven't used resumes in eight years.

When a client asks for a resume, we build something else to tell the story. And it's because most companies, well, there's a lot of reasons for that. That's a whole other podcast, but one of the big reasons is when I'm talking about a CISO, the first place they go is LinkedIn. And they want to see what's this person talking about?

What's interesting to them? What are they passionate about? Are they too passionate? Are they more of a celebrity CISO or are they still an operator, right? Are they talking about things that are applicable to us? Do they have a following out there at other CISOs? Okay, what's the extent of that following?

And so these are the things that companies are looking at first. They're not looking at the resume first, at least our clients aren't. And so that's a big deal when you're looking at, okay, now you have this person that's done amazing work. built several security programs from scratch, maybe transformed, maybe a one or two have been in multiple environments [00:30:00] and yet seemingly no one knows who this person is.

They've been under the radar. I know who they are. My colleagues and my competitors know they are, but the clients don't see it because they see a different kind of persona. And so what we're really just trying to build artifacts, try to build a voice, something that's kind of captures who you are as a CISO, whatever that brand is, it could be as wide or it could be as narrow as you want.

And that's what we try to help them with. And it's really an interesting part of the job.

Ashish Rajan: Yeah, I would say I definitely feel, and it's funny, there's a dark side to it. I think you and I have spoken about this in the past as well, where being a celebrity CISO also means that the number of opportunities kind of suddenly reduces because not every company out there is open to entertain.

I guess it's different levels to it, at least the way I saw it. People who do blogs as content, I think they're in the safe category because it's just a, It's just a blog. Who cares? The moment you move into audio and video, suddenly you're like, Oh, wait, you actually do pop that that's considered actual media.

You come on news, you come out of the podcast. Yeah. Suddenly it's like, and I shared this with you in the past, [00:31:00] but I don't think I've shared in the podcast. But in the beginning when the podcast started to get popular, I was looking for other CISO jobs and I was just basically being shut down and going, actually you're a great candidate, but it's just too popular for us.

We don't really want, you say something on the internet or you say something somewhere or we get like some kind of repercussion for it. Do you feel it's like a slight, I guess, a balance to be found there as well?

Michael Piacente: I think there definitely is a balance and it is yet to be discovered.

And part of this is that. For most people who are not CISOs, the other executives in the organization, the concept of a CISO and what that person should exemplify, what that person should, you know, basically be is very different, maybe in the mindset that they just want someone to be low profile, we don't want to bring a lot of attention to our environment. To our brand. And I personally think they have that wrong, but yet they don't know yet because they haven't been around. This is, it's not their fault. They just, they haven't been around the CISOs long enough to know what these amazing creatures really are. Right. So there's all kinds of examples. I always use them, you know, to call out one person.

I always use the Mike Johnson [00:32:00] examples of past placement. You know, he did an amazing thing of constantly calling out vendors, you know, who would send them, you know, unsecure links or whatever, and he would just. Call him right out on LinkedIn. And what that did was you kind of thought if you were a non CISO, are you sort of like, who's this guy that's like constantly calling these people out. He did it with great entertainment too. He was very professional. But what people didn't realize is that was a massively successful recruiting tactic from him. Yep. He was up against Uber at Lyft and he had to hire a massive team very quickly to compete because his business was saying, go compete.

And yet people were saying, that's the person I want to go work with. This guy's kind of like a Robin Hood out there. And right. I want to go be like him and I want to go work for him. Like that was at a massively successful campaign. There's so many examples like that. But to your point, if the untrained eye is looking at a CISO who's promoting, you know, a function or themselves or something. Yeah. They'll get thrown into the celebrity category. It may not be taken seriously, and that's unfortunate.

Ashish Rajan: It is. And I think to [00:33:00] what you said as well, I see a lot of people want to go down the path also because it makes recruitment so much easier.

Instead of trying to, I guess you, people may have tried harder hiring internally, you're looking for a SOC operational lead or anyone, you basically, you put a tweet out there or you put a post out there. Suddenly there's just hundreds of applicants responding. I think the positives are not as highlighted enough.

I feel the other part. I think someone said, and I'm grateful for the companies that have worked with me as well. They looked at it as an opportunity to have brand awareness for their organization as well, because the CISOs are out there talking about them. I'm the CISO so and so. Somebody's like, what is that company?

And I'm like, Oh, there you go.

Michael Piacente: Yeah, absolutely. You know, and it's all how they are perceived as technology leaders out there. I mean, one of the great examples is now retired Jason Chan at Netflix, you know, built one of the most incredible, and , he's so humble that what he built was a culture of empowerment and go be yourself and learn these different things.

And that's people wanted to work there. [00:34:00] So that's for the best. And so that's what companies don't understand. It pains me to talk to CISOs that are on the market for the first time or thinking of making a change. And I talked to them about their experience and they said, well, I really can't hire the best of the best.

It's not just a money thing. You know, the compensation is not, it's that my company won't let me go out and promote our program. They want to remain low profile. And so it's hard for me to get people to the best security architects and engineers, and especially they're moving towards the cloud and it's more complex they really can't compete.

And it's because they've been kind of shuttered a little bit. And that's sad, right? Because the company doesn't realize they're actually doing a disservice. Right. I'm sorry to say, maybe I'm wrong about this. Cause I'm not a professional hacker, but I don't think that the really strong bad guys are sitting on LinkedIn, waiting for you to announce what it is you're doing on your security program.

That's unfortunately not how they work.

Ashish Rajan: Right. Yeah. I also want to say, maybe to your point about the trajectory, that is kind of like my last question as well. I also feel that there is a unknown path as well once people become a CISO because you almost feel [00:35:00] like you're top of the hierarchy for security.

I guess from that perspective, once you hit the CISO mark, what do people end up going on to do after that? Like is there like an example of things people do after becoming a CISO for different organizations?

Michael Piacente: Yeah. Well, I mean, I think that's a great question. You know, CIO, CTO are some of the kind of C level paths that we've seen.

CIO in a enterprise or even a growing fast growth startup, CIO sometimes is seen as, you know, a step above. Sometimes it's parallel. Sometimes their counterparts as well. CTO is another one. We just saw recently a couple of new CTO promotions, which is all of technology, kind of like a president of technology, because again, if you think about who has the best view of all the technical components, all the risk components, components, and all the operational components in a company, a CISO is extremely well trained for that.

They have to know everything that's going on and the risk associated with it and be able to communicate it. So a CTO is a great path. We've also seen a lot of CEO founders, right? A lot of CISOs recognize, I could [00:36:00] probably think of a couple dozen, and we try to advise them as well, CISOs that turn into entrepreneurs, and I think that's a fascinating move as well.

That's you see, and some of them are successful and some of them struggled to, or maybe they're on their second option or opportunity. So, but it's really fun to watch them grow from an operator to an entrepreneur and everything in between. So there's a lot of different options right now that we're seeing.

Ashish Rajan: Yeah. Well, thank you for sharing that as well. I mean, I obviously have a lot more questions, but in the interest of your time, but I'd love to kind of have this conversation again, especially in the whole cloud native CISO space as it kind of grows. And I was going to send a share a link of the survey that you guys did for the compensation package for CISOs.

I'll leave a link for that. I'll take that from you.

Michael Piacente: Yes. That'd be great. Actually. We have our new survey being launched next week. And it's anonymous, so people can participate and not have to worry about whether their compensation is being thrown out in the internet somewhere.

So, but yeah, that'd be great. Really enjoyed the conversation and thank you so much for having me.

Ashish Rajan: No problem. And where can people find you on the internet, by the way, if they wanted to connect with you and maybe get a CISO job,

Michael Piacente: sure. LinkedIn's [00:37:00] best, you know, just my name and then, or you can look under a modern CISO I think is our tagline.

Also our website, hitchpartners. com has easy ways to get to us. We'll be ready and accessible. Awesome.

Ashish Rajan: Thanks for that,

Mike. And I look forward to having more conversation with you, but thank you so much for your time. And I'll see everyone else on the next episode. Thanks everyone.

‍