
The CISO Factories: 12 Features of Organizations that Create Security Leaders 

Phil Venables

There are organizations that seem to have disproportionately created a large number of leaders who have gone on to be CISOs or other security executives across many other organizations. These “CISO factories” include Salesforce, Google, Goldman Sachs, Lockheed Martin, @stake, Yahoo, and quite a few others. 


Let’s take a look at some of the characteristics of these types of organizations. You might not need all of these, but you definitely need many of them to kick start the flywheel of your own talent development machine.


  1. Modern Defensible Technology. They relentlessly modernize their technology stack for defensibility. They prioritize investment in their overall infrastructure to build security in, not just have the security team bolt it on after. The CIO/CTO and CISO have a close partnership and other leadership recognize the value of investing in technology overall, not just cybersecurity. There is a strong engineering culture where practices such as reliability engineering, system engineering, blameless post mortems / failure analysis, and strong software design techniques are valued. Executive leadership recognizes this level of investment as a strategic advantage because of the wider capabilities it brings to their business / mission. 


  2. Long Tenures. They have long-tenured leadership in the business and IT who are in it for the long run. They know they’ll be around for the positive or negative outcomes of their decisions related to security and resilience, and so they prioritize appropriately. This long tenure, also in the CISO role, is vital to sustain the multi-year efforts that transformation often needs. Indeed, there’s a strong correlation with how that CISO has created an environment where other leaders can grow and be exposed to other Executive and Board leadership. There’s also a paradoxical side effect here: if the CISO is long-tenured then rising stars in the security team might have to leave to become CISOs in their own right in other places rather than being able to rise to that position in their current organization. Other factors on this list also reinforce long tenure, in that if you don’t have the right investment, tone at the top, the sense of mission and some kernel of a team to kick start the talent flywheel then people are unlikely to stick around.


  3. BISO Structure. There are business unit CISOs (so-called BISOs) or other embedded / federated structures where emerging leaders can gain CISO-like experience before becoming a full enterprise CISO. The full embedding of security leaders into business units or whole subsidiaries also creates a sense of ownership in those businesses, which in turn advances the security mission and provides essential training in executive presence for those BISOs.


  4. Leadership Development Programs and Rotations. They have formal rotations across roles at both technical and managerial levels, e.g. AppSec, SecOps and more, so that leaders become more fully developed and ready for multi-faceted CISO roles. They have overall corporate and CISO function specific leadership development programs focusing on business and other strategic skills. This includes building substantial networks with other corporate executives and rising stars. Internal programs are augmented with external programs, e.g. Security 50 (Next CISO), Executive Women’s Forum, Cyversity or others focused on skills and also on ensuring all sources of talent are developed. There are long-lived and sufficient talent development programs, from junior hires to inbound senior lateral augmentation from other technology teams.


  5. Technical Leadership, Mentoring and Excellence. They have strong technical mentoring programs and a culture of overall technical excellence where Fellows, Distinguished Engineers or other technical leaders also care deeply about security and take substantial personal accountability in addition to the CISO organization. There are strong programs to train junior engineers in the skills required to lead large programs beyond technical practices, e.g. budget, quality and program management needs. Leaders at all levels, including the CISO, have substantial technical/engineering ability as well as being effective business leaders. They also, to a large extent, need to have broad and deep (“full stack”) knowledge to be highly effective, which in turn creates a dynamic that produces strong security leaders.


  6. Tone at the Top. There is a strong and continuous tone at the top from the Board and Executive leadership about the importance of security investment. There is a culture that expects security issues to be escalated for serious debate if they cannot be mitigated at other levels of management. The Board has the ability (even distinct from direct expertise) to exercise its oversight effectively. Governance is reasonably well developed, with at least an effective Internal Audit function and perhaps, additionally, an effective independent enterprise risk management function.


  7. Investment. The tone at the top is complemented with resources in the ranks to sufficiently invest in security (and broader IT) outcomes. In doing this the organization has sufficient size, and hence capacity, to develop and grow talent, as well as regular stretch goals that build competence at multiple levels and disciplines. For many organizations there is also a connection with their overall R&D spend. In different industries this might be categorized differently, but the principle remains that the organization is willing and able to place large bets on improving security.

 

  8. Clear Sense of Mission. The organization is a big target, which amplifies the mission and engenders skills through continuous threat intelligence collection, security program improvement and detection/response vigilance. Equally important is that the organization has a sense of a wider mission for people, society, national security - not just for their own organization. Leadership, and not just the CISO, instill that sense of mission and stewardship in all staff. Industries and organizations with complex threat environments breed these leaders. Dealing with a focused and persistent nation state adversary, as opposed to opportunistic attacks, creates an almost Darwinian situation where strong leaders have to emerge and are supported in doing so. These organizations also have to solve for multi-faceted risks across physical, fraud, insider risk, resilience and so on, which creates a need for mature and collaborative leadership.


  9. Attention to Detail. Leaders care about the details and seek, often from first principles, to understand why something happened, what headwinds face change, and to challenge preconceived notions that an issue cannot be resolved. They give their teams space (not micro-managing) but can still get into the weeds to drive tactical improvements as well as create the strategic initiatives that inspire big leaps forward in the level of defense. This sets a strong standard of behavior across the organization to avoid working only on assumptions. Use of the 5 Whys is routine.


  10. Iconic Moment. There was a defining, perhaps iconic, moment - a breach, a significant near-miss or other event that permanently seared the importance of security into the corporate memory. More so, the CISO organization builds on this by having that iconic moment educate new leaders in the wider organization. These “never again” moments become a corporate touchstone.


  11. Industry Leadership. They hold leadership positions in important industry initiatives and have the willingness and ability to solve problems on an industry-wide scale, for example through ISACs and other consortiums, not just for security but also for driving security into wider business initiatives in those sectors. This provides a further platform for the leaders in that organization to develop skills and deliver ambitious goals, which further develops their capability.


  12. Don’t Rely on Regulation. It’s tempting to think that highly regulated organizations create such security leaders. I think where that is the case it is more correlation than causation. A highly regulated bank, say, might also instinctively prize protecting its customers and itself as an essential part of what it does. Another, similarly regulated bank might simply go about checking the box of compliance if it hasn’t internalized the need for security. That latter type of organization doesn’t tend to create relatively significant numbers of security leaders. The fact that there are many organizations which have historically been less regulated, but nevertheless have been powerfully motivated, that are themselves “CISO factories” would also reinforce this. Organizations that take pride in their risk, safety, or other security-related culture and processes overall also tend to prioritize security.


It’s worth considering whether the organizations that are “CISO factories” produce leaders only for their own sector/industry type or whether the leaders they create are truly portable. It’s certainly the case that more of such leaders from tech are successful in tech, from banks in banks, and so on. But there are cases of crossover. When such crossovers are successful it’s usually either because the individuals themselves had some prior multi-sector experience or because their prior organization in one sector was unusual, for example a bank that was more like a tech company or a defense organization that was particularly well risk governed and applied R&D effectively.


Bottom line: there are a few organizations by luck or by planning that have lined up a sufficient number of these talent development practices to not only improve their own security but to create a supply of security leaders who are in CISO positions across many industries. A big part of our future talent development is not just developing individuals but to also create the conditions in organizations by which such talent can emerge. This list is at least a start on doing that. Assess your own organization against this and see what you need to do more of. 


Thank you to a number of people from some of the organizations I’ve named for providing their input to this post. In particular Heather Adkins, Jim Alkove, Royal Hansen, Rohan Amin, and Pat Opet. Their input on some of these points doesn’t imply endorsement of all and, of course, errors/omissions/craziness are all on me. But, above all, thank you to all the leadership they and many others have shown in not just driving forward security in their organizations but also setting an example for the industry and for helping create so many leaders who continue that work across many more organizations. 

© 2020 Philip Venables. 
