A conversation with Todd Fitzgerald, chairman of the executive committee of Cybersecurity Collaborative. One of a series of security leadership profiles prepared by Cybersecurity Collaborative in conjunction with SC Media. Cybersecurity Collaborative is a membership community for cybersecurity leaders to work together in a trusted environment. Find out more here.
About Todd Fitzgerald: Fitzgerald is vice president of cybersecurity strategy and chairman of the Cybersecurity Collaborative Executive Committee. He built and led information Fortune 500/large company security programs for 20 years. Fitzgerald was named 2016–17 Chicago CISO of the Year, ranked as a Top 50 Information Security Executive, and authored four books, including #1 best selling and 2020 CANON Hall of Fame winner “CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers.” He has held senior leadership positions at Northern Trust, Grant Thornton International, Ltd, ManpowerGroup, WellPoint (Anthem) Blue Cross Blue Shield/ National Government Services, Zeneca/Syngenta, IMS Health and American Airlines.
What makes a successful security leader?
Fitzgerald: A successful CISO recognizes the historical perspective of cybersecurity and why we perform the activities we do to protect the information assets. I believe this is so important that I devoted a chapter of "CISO COMPASS" to the subject, highlighting five phases of CISO evolution and their implications over the past 25 years. The CISO in demand today is the person that one, understands data privacy and security regulations thoroughly; two, is aware of current major company initiatives; three, knows where their critical data is; four, knows how it is being protected; and five, regularly reviews numbers one through four and applies current thinking and emerging technologies to continuously enhance this protection. In other words, the CISO must be part strategist, technologist, auditor, and business partner rolled into one — and involved.
What internal and external priorities should today’s security leaders focus on?
Internally, the CISO should constantly be asking which processes are being done manually and automate those. Cybersecurity resources are too expensive and scarce to dedicate them to mundane, repetitive tasks. Externally, the CISO should be learning by reading the details of at least one other major incident some other company has experienced and ask themselves if it could happen within their own company, and then put forth an investment plan to mitigate the risk.
How can cyber leaders work with corporate peers to win buy-in from c-suites and boards of directors?
Individuals usually have a bias of self-preservation — “What is in it for me?” To bring others along, examine security from the perspective of the stakeholder, not from a security vantage point. How can you improve the stakeholder’s processes? Can you enable a new business process that impacts their operating needs? Working remotely during the pandemic was a great example: Show incremental value and build trust for larger initiatives. Do not expect this trust right out of the gate. It must be earned through on-time, effective delivery that helps the business, repeated over and over.
What kinds of non-technology training do security leaders need to be successful in large and/or global enterprises?
As a side hobby I immerse myself in leadership books — Myers-Briggs, DISC Profiles, Enneagrams, etc. — anything that helps me understand people better. The soft skills represented in these books are essential. I learn from other leaders and attend their presentations. Soft skills will have a greater impact on the CISO’s long-term career than technical skills. Learn from other CISOs. I am still a work in progress.
What do you value about Cybersecurity Collaborative’s Executive Committee?
As the chairman of the executive committee, I’m privileged to work with a diverse group of 15 very talented, successful CISOs with varying backgrounds and industry experiences. I find that CISOs and their delegates in the Collaborative are eager to share their knowledge to help other CISOs and appreciate the support they receive in turn. We are in this together to help protect our companies and our nation through collaboration, task forces, sharing content and connecting with other CISOs. The process of collaboration and helping others succeed is very rewarding.
How does the Collaborative compliment ISACs and other government cybersecurity programs?
Government programs tend to be more focused on detailed threat intelligence and managing cybersecurity at a technical level — a very important need. The Collaborative, in contrast, also discusses relevant technical issues. It excels in sharing a wide variety of strategic and tactical information with CISOs to protect their companies and develop their own careers. I believe both aspects are critical to leading a successful security program.