CISO as a CTO: When and Why It Makes Sense

As the CISO role matures in enterprise settings and security executives level up their positions from technology managers into more well-rounded risk advisers and business leaders, career progressions are changing. The CISO job is no longer the final executive destination for folks today, as security leaders seek to parlay their growing sets of business skills into a broader class of executive positions in the C-suite.

Some of the obvious pivots by CISOs have been into chief risk officer (CRO) and chief information officer (CIO) roles. Another increasingly common shift has been into the chief technology officer (CTO) position. With the drumbeat growing in both security and board-level business circles for secure by design in software engineering, product development, and technology architecture, filling CTO positions with former CISOs is looking like a great bet in the right circumstances.

While there is no statistical backing to prove the trend yet, anecdotal evidence is mounting, with companies including 20th Century Fox, Bank of America, and Fifth Third Bank elevating their CISOs to CTO roles in the past couple of years. This is also the path taken by credit reporting giant Equifax, which a few months ago named CISO Jamil Farshchi to a joint CTO and CISO position.

For his part, Farshchi says the transition was a "gimme" for both Equifax and himself. A veteran CISO with stints at The Home Depot, Time Warner, Los Alamos National Laboratory, and NASA, among others, Farshchi came to Equifax over six years ago, in the wake of its massive 2017 data breach. He was tasked to lead deep organizational and technology changes to not only bring about a security program transformation, but also to support the business in its digital transformation efforts.

"In my capacity as CISO, my team and I have been deeply engaged in technology from the get-go. And because of the way the reporting line is structured, I've been reporting to the CEO the entire time," he explains. "So fast-forward to a couple months ago when our previous CTO departed — he took another opportunity to become CEO at another company. I was asked to step in and take the reins for technology and expand my role into this space as well."

CISOs Have CTO-Applicable Skills

Even before the Equifax promotion presented itself, Farshchi says he had witnessed similar transitions happening across the security community. Not only has he seen friends move from CISO to CTO or head of product type of positions, he also fielded feeler queries from CEOs and recruiters asking whether a CISO could make sense for the CTO role. In his opinion, that's an unequivocal yes.

"A lot of the behaviors, a lot of the practices, a lot of the skill sets, the strategic thinking, and so forth that one needs to be successful in technology as a CTO are also the exact same qualities that one needs to be successful in security today," he explains.

This is a sentiment shared by many in the security and technology leadership community. According to Bob Zukis, a longtime cybersecurity and executive development expert who runs the Digital Directors Network, enterprise CISOs — the ones who are true business leaders rather than elevated tech practitioners — are a well-rounded bunch, many of whom would be ready to hit the ground running with a transition to CTO.

"A lot of the CISO job naturally translates to a CTO role, from the strategic to the operational. They're used to working cross-functionally. They're used to working across the organization from a risk perspective. They're used to operationalizing technologies. They deploy a lot of innovative technologies from a security function," he says. "It's just the context now changes to starting to select and deploy strategically technologies from a value-creating orientation as opposed to a value-protection orientation."

Cross-functional expertise and experience is one of the biggest benefits CISOs bring to the table as CTO candidates, says Randy Watkins, CTO of MDR provider Critical Start. CTOs usually cross a lot of domains and deal with a lot of complicated relationships among engineering, product teams, business groups, and so on, whether they're bringing tech-enabled products to the market or just supporting many internal customers and business groups with business-facing applications and platforms.

"The CISOs have had to be cross-functional because they didn't have their own budget. They didn't have enough headcount," he says, explaining that the CISO has to work with other IT groups, business groups, and executive stakeholders to get things done and for security initiatives to stick. "So cross-functional is definitely a must-have strength of a CISO, and that's a strength for any senior leader in an organization. It really kind of unlocks a pretty high ceiling."

While he never was a CISO, Watkins came from a security background and was a director of security architecture before moving into his role at Critical Start. The company is a security firm, so his transition a few years ago was very smooth, although he felt he has had to stretch and grow with regard to his skills and knowledge around product management — an area that some CISOs may similarly need to brush up on to successfully navigate a CTO position.

"The biggest learning curve was trying to understand the product management life cycle, understanding agile, understanding waterfall, the benefits and drawbacks to each one of those," he says. "Really building out timelines and deadlines and understanding sprint cycles, release dates, and release kind of cadences, that was a pain. And I feel like that's a lifelong learning process."

Watkins says as CTO of a security firm, he is still pretty well connected to friends in the CISO community. The good thing that this cohort has going for them these days, he says, is that they're becoming a lot more product-savvy, which would help many of those who hope to vie for CTO slots in the future. This savviness has evolved for two reasons, he adds.

"One, because they're usually getting pinged for consulting and getting pulled in by the [venture capital and private equity companies] to talk about their latest and greatest technology," he says. "And, two, because they have to talk to manufacturers like us, and they want to understand where our product cycle is falling in place and how they can interject more value into building our business. That does a lot to shift the flexibility and mobility of that CISO role."

Security-Focused CTOs Support Secure by Design

Perhaps the best benefit CISOs offer as CTO candidates, however, is the risk management mindset that they bring to the innovation cycle.

"It would definitely escalate the security conversation earlier in the innovation life cycle, which I think would be a very, very good thing," Digital Directors' Zukis says.

Watkins agrees wholeheartedly.

"I love any position where a security-oriented person moves into it because they bring an inherent knowledge and thought process around security — even when it isn't a C-suite position but just a security person moving into a nonsecurity role," Watkins says. "It's effective at intertwining the thought process of security in every little facet that they move into."

This could do huge things for secure-by-design initiatives, which are often hung up by culture and incentive issues more than any other. A security veteran CTO is much more likely to be intrinsically motivated to create better incentives for the engineering team to develop and create secure products out of the gate. More critically, a former CISO is more likely to be aware of the potential risks that a new product or platform would introduce at the earliest stages of planning.

"I think secure by design should benefit greatly from any organization that chooses to make a security person become their CTO," Equifax's Farshchi says. "They are going to have a strong eye on security and building it in from the get-go, instead of the rush and bolt later on."