
Hitch Partners' Michael Piacente on the Blueprint for Success in Cloud-Based Security Management

In this week's edition of Cloud Control, we're navigating the maze that is cybersecurity with none other than Michael Piacente, the mastermind behind Hitch Partners. From his early days riding the wave of enterprise data storage to architecting a top-tier executive search empire, Piacente's career is nothing short of remarkable.

Buckle up as we learn how the pros are adapting to a world where, indeed, software is devouring the planet 👇

Question 1 💭

You’ve had a long and impactful career, and are now Managing Partner and the Co-Founder of Hitch Partners - an executive search firm. Start by giving us a bit of your background. What’s currently on your plate at Hitch Partners? What’re your focus areas?

Answer 1 🎯

In summary, I have nearly 20 years of experience in executive search: 10 years focused on CIO/IT leadership and the past 10 years focused on CISO/security leadership roles. Prior to my executive search career, I spent 10 years in IT services, primarily in the enterprise storage and managed data center infrastructure operations space.

We founded Hitch in an underserved niche where we had established relationships with a specialized security leader community. We discovered how little data there was around the space and began introducing security-leadership-specific compensation and trend data to the community. After some time we started seeing a healthy flow of cloud-focused CISO and security leadership searches. Initially we were able to grow unencumbered as there was little to no competition concentrating on the space. It has been an 8-year journey with ups and downs, but we are so fortunate to have a truly amazing, senior, and patient team.

We have remained primarily focused on the most challenging and comprehensive CISO and security leader roles while expanding to Deputy CISO, BISO, CISO in Residence, Product leaders, CISO-flavored Board Advisors, and more recently helping to match vCISOs with fractional opportunities. We continue to focus on advocating and innovating the approach to CISO searches which we believe are among the most complex and nuanced executive technical leaders in business today. 

We have several exciting initiatives in process including the launch of our Ignite service which allows a company to utilize our deeper security community connections and search experience as a value-add kick starter service for an insanely low one-time consulting fee. This has become a great way for companies to start their search using our guidance and data while still being able to complete the search on their own. We are also close to introducing a new service focused on enabling companies to manage their own CISO search using our technology platform; more to come on that shortly. 

From a development perspective it is an exciting time for us but it is also tough to ignore that the CISO talent market has been under severe stress. The CISO community has experienced a significant downshift in the past few years with more CISOs actively seeking new roles than ever before in the history of the space.

Question 2 💭

You’ve helped land hundreds of security c-suite positions. How have you seen the demand for security leadership change over the years? Are there trends or shifts that stand out to you?

Answer 2 🎯

Over the past 10 years we have seen a remarkable shift in the scope, scale, and complexity of the security leader role. I would argue that there is no other executive-level position that has seen as rapid a transformation in such a short period of time as the CISO. Just about every component of the CISO scope, reporting structure trends, team structure, value proposition, and compensation structure has transformed since we began our business. As a result it has become one of the most nuanced and complex searches to recruit for. The majority of companies who attempt a CISO search fail and/or spend a considerable amount of time, money and energy on the search. Yet security leadership, and in particular the CISO role, is still a rather new function for many organizations.

While CISOs have grown to become a critical component to many businesses with a shared passion for solving big problems, market realities and economic pressure have dealt a severe blow to the demand and need for CISOs today. 

So why is this and what is happening? First, this economic atmosphere has rendered the CISO vulnerable to global contraction of budgets and resources, whereas in past economic contractions the CISO organization and security leaders have been all but spared and have even flourished at times, enabling security organizations to grow unencumbered. However, that period of ‘plenty’ is no longer, and many CISOs have been forced to make impactful cuts; many CISOs themselves have been personally affected. In fact we calculate that nearly 35% of our CISO network (~5,200) has either reactively or proactively considered a job change in the past year. Second, there is a not-so-subtle growing numbness in the market as it relates to how companies view the investment in security programs. The increase of breaches and the public awareness of these breaches has had an almost adverse effect on how many companies approach the investment in their security program. Not that all companies are lacking effort, but it is difficult to ignore that many companies today seem less likely to spend their limited funds investing in the right talent to build proper programs that will protect their critical applications and sensitive customer data.

We expect that the SEC Final Rule will (over time but not immediately) change the approach many public and private companies take to building their security programs. We are seeing stronger efforts to quantify how the decision not to build an appropriately scaled security program can affect the bottom line; it is becoming more and more difficult for the Board and investors to ignore a poor security posture and hygiene. In addition, as software continues to eat the world (thank you, Mr. Andreessen), many companies have graduated from having a primarily Corp IT and Compliance based approach to one with a heavy emphasis on Application and Product level security. This not only changes the complexity of the attack surface but also affects the ability to develop, attract and retain talent to manage the growing complexity. Companies are seeking a leader who is both a truly gifted technical talent and a truly effective senior leader, business advisor, and sales enabler. As a result we are seeing new flavors of the CISO: new versions of the BISO; some focused on strategic product collaboration such as the Chief Product Security Officer; or the new version of a security sales enabler such as the Field CISO or CISO in Residence.

One important shift that we would like to see improve throughout ’24 is a stronger emphasis on creating more opportunities for the diversity community. We are still at an appalling state of diversity representation: a total of about 16%. Female leaders make up only 7% of the CISO population. We and others are trying to do our part to increase exposure to this problem; however, a global effort needs to happen from the community as a whole.

For a full view of the trends within the security leadership and CISO space please check out our Hitch Partners CISO Compensation and Trends report here. Our 2024 version of the report will be released in late February.

Question 3 💭

Given the uptick in demand for security executives, organizations are facing intense competition for top talent. Can you share some strategies and best practices for both companies and candidates to navigate this competitive landscape successfully? What sets apart a candidate as the ideal fit for a CISO role in today's environment?

Answer 3 🎯

A majority of companies (nearly 80% of those we interact with) are not calibrated and do not have an agreed-upon definition of success for their incoming leader or security program as a whole. Once they can agree internally on the blend of priorities, they would then need to follow a plan in order to establish a continued level of sponsorship for the leader and the overall function. Unfortunately this occurs less than 30% of the time. This lack of calibration and sponsorship is the undisputed reason why security leaders leave their roles, resulting in a continued trend of short tenures.

We recognized this problem early on, and to help curb the trend we developed a process called Interviewing the Interviewers (or ITI), where we actively interview all of the interviewers and the executive team to understand their level of knowledge around building/maintaining a security program. We also learn more about their goals and metrics of success for the role/function. Finally, we capture the company’s narrative as it relates to security relevancy in order to guide the company on what we anticipate the reaction to be from the candidate pool. This process happens quickly and occurs prior to the company meeting the humans. We find that investing considerable time upfront does help with calibration quality and leads to greater success and efficiency in the search. It is by no means a perfect process, but it has helped curb a massive challenge and disparity between what companies want, need, and expect to attract.

As we enter 2024, this lack of calibration and ability to narrate priorities will become an even bigger concern for two reasons. First, more companies will consider the hire of CISO-like positions within their company than ever before. The more companies that begin to explore without an effective roadmap, the greater the strain on the already diluted market supply of security leaders as well as on their internal interview teams. Second, many companies have significantly slowed their recruiting engines (many are completely dormant), resulting in a lack of preparedness and rampant complacency when it comes to recruiting in general. Enter the most nuanced techno-business leader in history onto your search list (i.e., the CISO) and the rate of success will continue to plummet. Companies who haven’t been through this, and even those that have, should consider bringing in a security leader consultant/advisor or perhaps a vCISO to help them navigate what success will look like. They can even try our Ignite service as a valid kick starter program to help get them in the right direction… ok, that will be my one and only shameless plug, but hey, the process works 😊

On the candidate's side, anyone looking for a security leader role in ’24 (and likely beyond) should understand that they will be operating in a highly competitive market. I find that this is a surprise for far too many security leaders who have not tested the market for a new role in the past; I do not expect the leaders to understand the market nuances, but they should be aware that this is going to be a tough road ahead. In addition, active job seekers often confuse ‘activity’ (i.e., the number of inquiries and calls they receive about new opportunities) with ‘quality opportunity’ and the reality of those positions coming to fruition. There are dozens of variables to consider. It is not unusual for candidates to explain that they have 6-8 live opportunities in process one week and then none a few weeks later. It can be frustrating and time consuming for these leaders. Also, this is not necessarily a function of who they are and how they may have interviewed. Keep in mind that most companies are not internally calibrated; a company’s priorities shift as they meet more humans in the process. This is also not unusual in search; however, with the CISO or security leadership space, the gap between the start and the finish of a search is often wider than in most other functions.

Another factor in the market today is how to get noticed. One of the better ways we’ve seen for security leaders to differentiate themselves is to focus on defining and promoting their personal brand; i.e., what type of security leader are you, and what are you doing to show focus in that area? The keys to success we see are to be extremely specific and hone in on your superpower(s). All too often security leaders try to be the generalist, claiming expertise in all of the areas within security in hopes that companies will recognize their breadth and depth; however, this rarely works. This is a nuanced process, and I will certainly offer to help your readers with what works best for their specific situation.

It is also important to recognize that the security leadership community is possibly THE MOST collaborative community in business today. Security leaders do nothing but help one another solve problems, including helping promote their colleagues for new job opportunities. I am fortunate to be invited to a handful of security leadership practitioner Slack channels, and I can see the conversations back and forth about positions and the general lending-a-hand approach. Within the security leadership community the support ecosystem is alive and well. This also serves as a bit of a warning to employers who haphazardly post their positions for a security leader/CISO. Security leaders are discussing the quality of your roles; they are discussing their candidate interview experience with your company; and they are evaluating whether your organization has a strong story and is running a strong process.

Read the Full Q&A on Gomboc.ai

What’s New at Gomboc

In the magical land of Silicon Valley, where dreams and code converge, a tale is about to unfold…Imagine a sunny day in the Valley, with Kubernetes on the horizon, ready to set sail into production waters. But, as fate would have it, chaos ensues, and our beloved character, Streamline Willie, finds himself in the midst of a cloud conundrum 🚢💻

Watch Mickey as he goes on a rollercoaster of tech shenanigans, only to be saved by Gomboc 💪

Latest AWS and Azure Updates You Don’t Want to Miss

Top Articles and Resources of the Week

Articles

Resources

  1. Major Cloud Security Events and Conferences
     Opt-in to this resource to receive updates on events and conferences in cloud security. Meet like-minded cloud-security professionals from around the globe to learn, exchange ideas, network, and more.

  2. Top 50 InfoSec Networking Groups to Join
     Join these top 50 associations, LinkedIn groups, and meetups to stay ahead of the curve on all things InfoSec.

  3. CIS Benchmarks
     The Center for Internet Security (CIS) is a fantastic resource for initiating, implementing, and upholding a robust cloud security strategy. Access their detailed benchmarks tailored for AWS, GCP, Azure, and more. For a deeper understanding, explore the CIS Controls Cloud Companion Guide.

  4. SANS Practical Guide to Security in the AWS Cloud
     In collaboration with AWS Marketplace, SANS introduces an in-depth guide tailored for AWS enthusiasts. Whether you're a novice or an expert, this extensive resource delves into the intricacies of AWS security.

  5. Security Best Practices for Azure Solutions
     Learn key security practices tailored for Azure solutions and understand their significance. This comprehensive guide offers insights into developing and deploying a secure Azure environment.