Facebook (with around 3 billion members) is the core product of its parent company, Meta Platforms Inc. Other platforms within Meta include WhatsApp (2 billion monthly users) and Instagram (2 billion monthly users). Meta oversees the operations of all three platforms. Guy Rosen is Meta’s CISO.

LinkedIn (with around 1 billion members) is owned by Microsoft but operates as a semi-autonomous subsidiary. Geoff Belknap is LinkedIn’s CISO.

Although there is considerable overlap in members and usage between the two, Facebook is still primarily viewed as personal social networking, while LinkedIn is primarily professional social networking. Together, however, they represent the most important social networks in the free world.

The route to being CISO

When today’s leading CISOs started their careers, there was either no or only an embryonic concept of cybersecurity. Belknap, for example, was a communications engineer helping to build the high speed networks that are the backbone of the internet, which in turn, birthed cybersecurity. 

As a child, he had the traditional ambition of becoming a firefighter or policeman — that is, he had an innate desire to help people. He was aware of the need for security in the networks he helped to build. It was perhaps this that made him migrate from pure telecoms to accept a position within a startup network security firm. 

“At that point, I didn’t know anything about security, but it was a lovely way to learn,” he said; “the people were very welcoming and shared their knowledge. It was a cool thing to do because as part of a startup you’re going a million miles an hour, trying to learn how to run a business and learn a space that you didn’t know before.”

It was after that, on joining another startup, that he moved into cybersecurity leadership. That startup was Palantir. He was asked to build a cybersecurity team. “It was a challenge, but a very rewarding challenge — building a security team and a security program from scratch.” Things just progressed. He became Palantir’s CISO, later became Slack’s Chief Security Officer, and then LinkedIn’s CISO. 

“When I started, there was no real security career path,” he added. This is the traditional route taken by many of today’s top CISOs: from a technology background, a growing interest in security, and taking the opportunities that life provides.

Guy Rosen’s route was somewhat different. He had an interest in security before the cybersecurity concept emerged. He learned coding at school in the UK, using BBC BASIC on the BBC Micro. Then, in his teens, he came across Schneier’s Applied Cryptography. “I got very interested in the space and that really led me down a path that would ultimately lead me to where I am today,” he said. So, he started his career in security; left it to work in consumer and mobile analytics; and eventually had his own company. He was co-founder and CEO at Onavo, which was acquired by Facebook in 2013.

“That’s how I joined Facebook,” he explained, although his work wasn’t primarily security focused. “For the first few years at Facebook I worked on connectivity initiatives, building products for people to use the internet around the world. It was eye opening. I learned so much about how to build products for billions of diverse users from everywhere around the globe.”

It wasn’t until 2017 that he came back to his security roots. “I became head of what we call integrity, trust and safety, marrying my new scaled product experience with my background in security.” In 2022 he became Meta’s CISO.

While Belknap and Rosen had different routes to CISO, there are nevertheless common factors: technology skill, cybersecurity interest, and opportunity. All this occurred before or while cybersecurity was developing into the recognized career it is today; and it is the same basic common factors in the career path of many of today’s leading CISOs.

It poses an interesting question for today’s emerging security leaders: can a technology background, a security interest, and unplanned opportunity still lead to a CISO position — or is a route through college, a cybersecurity-relevant university degree and a planned path the only route to the CISO position?

Belknap gave a common response voiced by many current CISOs. “I think there are still plenty of opportunities to accidentally fall into security and security leadership. What has changed is that this is no longer the only route possible — there are definitely paved paths available into the security career track and on to security leadership. That’s what’s great about security because we’re still so early in it being a real career for people.”

The place of the CISO

One of the effects of security being a new career is it is still searching for its organizational position and place within business. This is evident in its changing name — before it became known as cybersecurity, it was known as IT security. The implication is that security’s first role was to protect the company’s IT infrastructure. This in turn explains why almost all CISOs used to report to the CIO (and it remains the most common reporting structure today).

As cybersecurity expanded to cover all aspects of the business, the CISO role also expanded. In some companies the CISO/CIO role has reversed, with organizations either reversing the reporting order, or combining both roles under one person. The driving force is the CISO role’s expansion into all facets of the business.

The current CISO has emerged from under the shadow of the CIO to be a security technical businessperson integrated into the whole business. This raises two questions for the modern role of the CISO: should the CISO still report to the CIO; and could the CISO be a businessperson rather than a technical engineer? The CISO’s organizational position will vary from company to company, depending on size and vertical; but the need for business acumen is now pervasive.

“I self-identify as an engineer,” said Belknap, “but I certainly don’t have academic training in engineering. I have a business degree. I think that’s a good combination for a CISO: practical experience in engineering with a business education.” He likens the tech/business combination to the role of the CFO who uses spreadsheets to convey business information. Technically perfect spreadsheets are of little value if they don’t convey the right information. 

“The CFO needs to understand that his role is not to build the best spreadsheet or financial model in the world, but to build a successful business that will grow — albeit with the help of excellent spreadsheets. The CISO role is similar. You use technology to build strong business applications, so you need technical skills; but let’s be honest, the CISO’s role is a business leadership role.”

Rosen added, “There’s probably no one right answer. It really depends on the specific company, how the organization is structured, and the different kinds of roles within it.” For him, the important part is not how the hierarchy is structured, but how the different teams within the organization work together. “We have thousands of engineers in the company. As the central team responsible for security, we partner with those engineers, and we ensure they learn how to use best practices as they build applications. We also have satellite teams that are embedded in different parts of the company — they’re also responsible for issues of security or integrity, but are closer to where the products are being developed and can be a part of that product development process.”

The SEC effect

The role and responsibilities of the CISO continue to evolve — and we may be at the beginning of a new major adjustment. Cybersecurity regulations are growing dramatically, but one stands out. On December 18, 2023, the SEC delivered its clarification on disclosure rules for ‘material’ security events (generally taken to mean events that would affect investors). This has been backed by a willingness to bring charges against individual CISOs thought to have breached those (and other) rules, such as Joe Sullivan, at the time CISO at Uber; and Tim Brown, CISO at SolarWinds.

The combination of increased regulatory scrutiny and personal liability imposes a new level of conditions (and stress) on the CISO position — and we have yet to see how this will pan out over this and next year.

Neither Belknap nor Rosen are complaining, and neither have a negative view. “Security is important,” said Rosen. “It used to be on the side, but now it’s so central, and so embedded into how companies operate, that oversight is necessary. It’s part of the job. Regulatory scrutiny is here to make sure that we as individuals and companies honor the obligations we have.”

Belknap takes a similar view, and parallels what is now happening in security with what happened in financial regulation following the Enron and WorldCom events of 2001 and 2002. Enron hid its debts while both companies inflated their revenue through, effectively, accounting fraud. These incidents led to a loss of trust in financial reporting, regulatory reforms, and increased scrutiny — leading to the Sarbanes-Oxley Act (SOX) imposing stricter rules on corporate governance and financial reporting.

SEC’s new rules can be seen as an inevitable regulatory response to the increasing losses through cybersecurity breaches, leading to a similar loss of trust in security reporting and instigating regulatory reforms and increased scrutiny. Both responses, SOX and SEC, are primarily aimed at poor or misleading reporting.

“I think we’re learning that accurate and effective security programs are important to the health of our economy, and we need to make sure that we have them; and that the people that are responsible for those programs have proper oversight and have proper skills and make proper disclosures,” said Belknap. He believes that this will create a more mature role for the CISO. “In the same way,” he continued, “that we saw CFOs and general counsels become broad business roles rather than simple specialist roles.”

But it won’t happen overnight. “Regulation is necessary,” he added. “I’m not sure that singling out individual CISOs is the best route, so it will influence CISOs and how they operate. It’s probably going to get worse before it gets better — but I think ultimately, this will be for the best in the long run.”

The security team

Building a strong security team is fundamental to a CISO’s success. “A security program succeeds or fails based on the people that are in the program,” said Belknap. “The CISO, as the leader of that program, has a big part to play — but really, the culture you build and the team that you build will govern how well that program works.”

Rosen describes it as a team of high functioning synergy. “People who can operate together, not just as individuals, but who can bring together different perspectives and experiences, and can grow over the course of their work by working together.”

For both, the key word is ‘team’ — integrated diversity in thought and action working together. Creating and molding that team is a skill in itself.

Burnout

There is one major and growing threat to the team: burnout. It affects both the CISO and each team member; but the CISO has the added responsibility of monitoring burnout for both himself or herself and everyone else.

“Security is a complex area,” said Rosen. “What matters is consistent good work over long periods of time. You don’t get those big launch breaks, where a new product launch is followed by a big party. Security is day after day, week after week, month after month, year after year, and it’s never done. I talk to my team about the importance of taking care of themselves, because this is about sustaining for that long haul. This is a marathon and not a sprint.”

He uses the P (priority) taxonomy, where work priorities are graded as P1. P2 or P3. “I tell the team; the only P Zeros are yourselves. P Zero is taking care of yourself, ensuring that you can rest as and when needed, because you are your own P Zero.”

Mentoring

Being a mentor is part of being a CISO. Few of today’s leaders would claim to have succeeded without the beneficial advice of one or more mentors earlier in their careers — and it is important that the tradition continues from current CISO to team member (and potential future CISO). We can peek at this process by looking at the advice received by today’s CISOs, and the advice they would give to their own mentees.

Belknap said the best advice he ever received is that executives are just people too. “They may be people with a higher status or better brand than you, but they’re just normal people. It’s when you learn to engage with them as normal people that you can have those difficult conversations and build better relationships. It’s much easier to build empathy, bi-directionally, when you realize that everyone’s just trying to do their best. You just have different jobs.”

Rosen claimed the best advice he ever received was to hire people better than himself. “Of course, we all feel that we are unique and irreplaceable — but, the truth is, there are other amazing people who can do some or all of our jobs. And, naturally, in order to grow in our role as a security leader — we need to take on more areas/problems, which means we need a team of people who will help us ‘scale’ so we can have the bandwidth to take on new security projects.” It becomes a bi-directional learning process, also leading to a stronger and mutually more empathetic and supportive team.

The advice Belknap gives to his mentees is to understand that you cannot do things on your own — security is a partnership with the business. “There is very little in this information security space that you can do on your own. Even if you’re the CISO, you cannot steer the entire security outcome of the company by yourself. So, it is a business of relationships. And if you’re going to be a leader in security, you must be able to build relationships with your partners, whether they are executives or whether they are leaders in other parts of the business.”

It’s really an extension of the advice he received — success comes from successful relationships. “Building that relationship,” he continued, “requires you to build trust with people who don’t do your job and don’t inherently value it at the same level that you value it. Getting them to value it does not involve you yelling at them or sending them links about how scary something is — it involves you building common ground and recognizing the importance of each other’s work and why elevating the security of that enables them to do their work better. I think part of that is recognizing that they’re just people trying to do their job, just like you are, and that you don’t necessarily value their work at the same level that they do. Understanding how to build a relationship and how to build common ground is one of the most important things anybody in security can learn outside of, well, some technical skill.”

Rosen’s advice similarly results in understanding the business problems, but is tackled from a different direction. “Gaining experience in using and building the products that your company creates is essential,” he said. From the users’ point of view, “It gives you a kind of humility on how to design things for a range of users when you realize the range of their mental models, their capabilities, and their comfort with technology.”

Of course, this differs from company to company and from product to product, but the principle is clear: when you understand how the product is used in the real world, and by whom, you can better understand what security guardrails need to be built in. It is at this point you can mobilize the internal relationships you have fostered through Belknap’s advice to ensure the company builds the most business proficient and secure product possible.

Future threats

Given the nature of major social media organizations and the scalability of artificial intelligence, it is no surprise that both Rosen and Belknap are keeping a watchful eye on gen-AI. Rosen notes the potential benefits from it being used to scale and strengthen defenses, but adds that it simultaneously increases risks with malicious groups leveraging the same technology.

“Interestingly,” he commented, “the majority of current concerns about gen-AI relate to problematic online behaviors and content that are already understood by our industry and society at large — but as security professionals we are certainly looking for the unique ways in which these technological advances can be used by both attackers and defenders.”

Belknap also notes the benefit of gen-AI in reducing toil and aiding better defensive decisions. “But I think if you turn that coin to the other edge, you see that it also makes the attackers’ jobs easier. They can attack more people and in more ways than they could before. Personally, I’m not worried about some sentient AI discovering vulnerabilities and exploiting them in ways that I never thought about… I’m worried about companies with programs that aren’t as mature as ours, or that maybe don’t have access to the people and the resources that I have access to. Some of these companies may tend to think, ‘I know this problem exists. I’ll address in the next five years because it’s going to be a while before anybody gets around to exploiting that.’”

For Belknap, the response to the AI threat should start now. “I think introducing AI to the attackers accelerates the need for people to master the fundamentals of security. I think there is a lot of good that can come from AI, but I think it changes the calculus of decisions that everyone has already made. It is going to force everybody to go back to the table and maybe make some different prioritization decisions.”

Learn More at SecurityWeek’s CISO Forum

Related: CISO Conversations: Jason Rebholz and Jason Ozin From the Insurance Sector

Related: CISO Conversations: Three Leading CISOs in the Modern Healthcare Sector

Related: CISO Conversations: CISOs of Identity Giants IDEMIA and Ping

Related: CISO Conversations: Three Leading CISOs From the Payment Industry