When Ian Schneller entered the workforce in the early 1990s, cybersecurity was just emerging as a function within companies. It was a dedicated function, and where it existed at all, it served principally in a technical capacity by thwarting attacks against the organization and, to some extent, against customers. âThat was really the role,â recalls Schneller, âdefending against that constant onslaught of attackers, protecting the organizationâs systems, information, and servicesâ¦still a very, very technical role that in many cases developed from somebody working inside of it, maybe a system administrator, maybe a developer, or someone with a very technical background.â
Since then, Schneller has risen through the ranks of security operations and now serves as CISO at Health Care Service Corporation (HCSC). In 2023, he became the first CISO to win an Orbie Award in the newly created CISO category from Dallas CIO. The achievement underscores Schnellerâs success in creating an innovative work environment and maintaining the integrity of sensitive information and systems across the company. As heâs risen, he has watched his field evolve. By 2017, 70% of Fortune 500 companies had employed a CISO, and the number is climbing.
Countless CISOs oversee large and sophisticated organizations that manage allthe activities that make for a secure enterpriseâactivities that involve more than just the technical aspects of defense, the aspects that, while still vital, are ânow table stakesâ¦not the end stake. Thatâs the beginning, the anteing up to play the game.â
Data backs up Schnellerâs view of how much the CISO role has changed. A recent Splunk survey, for example, observed that â86% of CISOs say their role has changed so much since they started, it’s almost a different job.â
Here are what Schneller believes are the five key tenets that CISOs need to embrace for the role as it exists today:
1. Recognize the scope of the CISO role
Recognizing how comprehensive the role is today, says Schneller, is the first tenet for becoming, or finding, a strong CISO. Early on, it was enough that CISOs protected their companies and customers, and mostly they could do so on their own. To defend the organization today, CISOs must coordinate with leaders across the enterprise and, in a sense, with every employee.
âItâs not a silo anymore,â says Schneller. âProtecting the enterprise is just one of the abilities they must have. They also have to be able to recruit talent, advocate for cybersecurity investments, assess acquisitions, protect the brand, and navigate compliance, which has expanded. In short, itâs about being a business leader.â
2. Grow responsibly
Schnellerâs second tenet, âgrow responsibly,â reflects the two attitudes that should guide modern CISOs. The attitude behind âresponsiblyâ is the more traditional and obvious: Safeguard the organization. âGrow,â however, acknowledges the evolution of the CISO role, its responsibility to enable and propel the companyâs growth.
âYour organization is under intense pressure to innovate as a means of growing,â says Schneller. â[That innovation] might be buying and integrating a new technology that will serve your customers. It might be building it yourself with your app developers. Whatever it is, theyâre under pressure to develop it. The CISO needs to be right there at the table as the strategy is being formed, understanding why [the innovation] is there and knowing that the company is going to deploy it with or without your involvement. The worst case is that you get in the way. When a product is ready to go, it should also be secure.â
Having a seat at the table, says Schneller, is the minimum. Just as important is understanding how the company intends to grow and building the partnerships that align the CISO and other leaders in a way that eliminates silos and ensures that security does not become an assumed part of the process. Security becomes cultural as it is tactical. âWhen the company is ready to deploy that new capability, it’s ready to go and it’s secure because the teams were jointly aligned.â
3. Protect your reputation
Schnellerâs third tenet is about striking a balance. On the one hand, protecting your reputationâor building it in the first placeârequires transparency, especially around security. Security has become so important, he says, that itâs become a hurdle to many deals: âWe hear this constantly in B-to-B, especially. CISOs will be asked to call the CISO or CIO of the customer so that we can kind of talk brass tacks about the security.â
Schneller emphasizes that this, too, is why modern CISOs must be able to navigate the entire enterprise and its business activities, not just the technical aspects of the job. âA big part of that is the executive presence perspective, being able to communicate the impact and have a practical means to help another stakeholder. And you must be able to work with the sales and legal teams adroitly enough such that you donât over-promise.â
On the other hand, transparency can work against you if not properly managed. âItâs really [about] understanding now that the rest of the world is aware of your security capabilities. For one, transparency can help bad actors discern something about your security posture. They might manage to do so, for example, by reviewing your companyâs scorecard, if it has one and has made it publicly available. Or perhaps those actors know something about the protocols by which your industry typically operates.â
In any case, says Schneller, you need to know those reasons. You canât defend what youâre not aware of. You should know the reasons bad actors might target your company in the first place. Did it just win a high-profile client? Did it just pass some major liquidity milestone? Donât just check security boxes. Think like the bad guy.
4. Protect your ecosystem
Underlying all of this is an important truth: Your firmâs cybersecurity relies not only on your own defenses, but on those of everyone in your ecosystem, especially since many of those players will have at least some degree of access to you and your customersâ information. âIf that ecosystem isn’t secure,â says Schneller, âa breach outside of your virtual or physical laws could affect your company or your customers directly.â There is perhaps no better example of this than the Cambridge Analytica debacle. By the time the dust had settled, Meta had paid nearly $6B. That says nothing of their non-monetary damages. To this day, the breach haunts their brand.
How do you influence a company that you donât run? âConcepts of collective defense are very important here,â says Schneller. âHow do you work within trades, utility sector organizations to jointly and collaboratively raise defenses across the sector?â Again, this harkens back to pillar one. Itâs yet another reason that a CISO must be capable beyond the technical aspects of the job.
5. Cultivate your security talent
Schneller encourages his audience to consider the gap between the demand for cyber talent and the supply of it. âRead any kind of public press,â he says, âand though the numbers may differ a bit, they’re consistent in that there are many tens, if not hundreds of thousands of open cyber positions.â In February of last year, according to Statista, about 750,000 cyber positions were open in the US alone. According to the World Economic Forum, the global number is about 3.5 million, and according to Cybercrime magazine, the disparity is expected to persist through at least 2025. As Schneller points out, this means companies will struggle to attract cyber talent, and they will have to seek it in non-traditional places.
There are many tactics for attracting security talentâaligning pay to what matters, ensuring that you have clear paths for advancing careersâbut all this sums to a broader point that Schneller emphasizes: branding. Your organization must convey that it takes cybersecurity seriously, that it will provide cybersecurity talent a culture in which they can solve challenging problems, advance their careers, and earn respect, contributing to the success of the business. Donât assume that cyber talent knows that your company values these qualities. âIf you’re in a big bank,â he says, âpeople may not think of you as a place to develop a cyber career, but in reality, they have large cybersecurity teams.â
Where to find talent in the first place? What are the non-traditional sources? Schneller favors two. The first is the military. âIâm a huge fan of veteran recruiting. Veterans have a large degree of training and experience in cybersecurity and can do great things for your organization.â Many business leaders have praised veterans as employees, and some companies like Sophos even run their own military veterans cybersecurity program. In 2023 alone, the military invested $11.2 billion in cybersecurity programs.
The second resource is high schools and community and associate colleges. These institutions mold plenty of graduates who have all the skills and ambition they need to excel in cybersecurity. What means much more, reminds Schneller, is the right certification or, more generally, the right education, which you can help to shape and thereby develop your talent before it ever arrives at your door. âI encourage CISOs to find your local colleges and sit on their advisory boards,â says Schneller. âShape that curriculum. Help mentor the students.â
With every passing year, cybersecurity moves faster, and grows more complex and sophisticated. Bad actors find new vulnerabilities to exploit and use new tools to exploit them. The CISOâs organization, then, will become proportionally more sophisticated and complex, and thus the CISO will manage to steer the organization only by leaning heavily on the above tenets. âThe CISO must be an enterprise leader,â says Schneller, âa c-suite executive who can navigate the entire breadth of the firm.â