In this episode, we explore the evolving role of cybersecurity leadership with Todd Fitzgerald, author of CISO Compass and co-author of The Privacy Leader Compass. Learn how aligning security strategies with business priorities, fostering collaboration, and embracing innovation can elevate cybersecurity programs and drive organizational success.
Guest: Todd Fitzgerald, Founder & Chief Strategy Officer, CISO Spotlight
LinkedIn: https://www.linkedin.com/in/toddfitzgerald/
Host: Dr. Rebecca Wynn
On ITSPmagazine 👉 https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/rebecca-wynn
Episode Description
In this episode of Soulful CXO, host Dr. Rebecca Wynn speaks with Todd Fitzgerald about mastering the art of cybersecurity leadership. Todd highlights the importance of aligning cybersecurity initiatives with business goals, ensuring the right balance between technical and strategic priorities. They discuss leveraging frameworks like NIST and ISO to create a clear roadmap for security programs and using risk-based approaches to build trust with executives and boards. Todd shares insights on fostering innovation by combining existing strategies, empowering teams through collaboration, and staying adaptable in a rapidly changing field. With actionable strategies and leadership insights, this episode equips listeners to elevate their cybersecurity programs and deliver business value.
Resources
Todd Fitzgerald's book, CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers: https://a.co/d/6UFXDh0
Todd Fitzgerald's book, The Privacy Leader Compass: A Comprehensive Business-Oriented Roadmap for Building and Leading Practical Privacy Programs: https://a.co/d/ihMfAds
Cybersecurity Leadership: Balancing Risk, Growth, and Strategy | A Conversation with Todd Fitzgerald | The Soulful CXO Podcast with Dr. Rebecca Wynn
Dr. Rebecca Wynn: [00:00:00] Welcome to the Soulful CXO. I'm your host, Dr. Rebecca Wynn, and we are so pleased to have with us today Todd Fitzgerald. He serves as VP, Cybersecurity Strategy, and Chairman of the Cybersecurity Collaborative Executive Committee.
Prior leadership roles include Senior VP, Chief Administrative Officer, Information Security and Technology Risk, Northern Trust; Global CISO, Grant Thornton International; Global CISO, Manpower Group. He's authored books.
Number one best-selling, and 2020 Canon Cybersecurity Hall of Fame winner, CISO Compass: Navigating Cybersecurity Leadership Challenges. Congratulations. Top-rated RSA speaker,
he's won numerous awards and recognitions, including being named 2016 and 2017 Chicago CISO of the Year, and ranked top 50 security executives. Todd, it's great to see you again, my friend. Welcome to the show.
Todd Fitzgerald: Great to see you again, Rebecca always a pleasure.
Dr. Rebecca Wynn: Todd, I have to ask you, because you started out in business administration, but then you found yourself leading technology groups and having [00:01:00] these great CISO roles.
How did that transition from business administration to technology come about?
Todd Fitzgerald: Well, in college, I started as a mathematics major, and then I got to calculus and realized maybe this isn't my thing. And then I went into accounting and I was an accounting major. And then I thought, well, do I really want to do this all day?
And so I went into business administration, got out of college, and got a job as a computer programmer. So I've often thought of that as, you know, what is the thread between that and what I've come to realize? Because I also spent a lot of time, it's kind of a side hobby of mine, looking at psychology and the Myers-Briggs stuff and all the personality profiles. I find that fascinating, and
what I've come to learn is there's an analytical bent to that. It's very logical. Math is logical. Computer science [00:02:00] is logical. And so all of those things connected to each other, and I think I got into management because I always realized there was this, you come to this career point where you say, I was leading DBAs at the time, and I said, you know, there are some really good DBAs and I don't think I could ever be as good as the best DBA I was working with.
So I thought, maybe my skills lend more towards managing people. I've been doing that most of my career.
Dr. Rebecca Wynn: No, that's, it's always fascinating. My background's similar to yours. I was a chem major, and I was always a math athlete and stuff along those lines, and then switched into business administration, and then after a different career actually got into technology.
But I agree with you, the analytical skills, the ability to know what you don't know and be able to go ahead and see who has those unique skill sets that are more gifted in those areas than you, is [00:03:00] a great leadership principle: that you don't have to know everything, but you need
to see that in your team and help pull that out.
Todd Fitzgerald: When you move into the management space, the one thing I tell people is that you're going to step away from the technical side of things, and you're never going to be as good as the most technical person on your team, but you still have a responsibility to stay technical so that you can talk
to the team and you keep that respect with the team. So I've always stayed technical, but I've always realized that was not my job, and that there were people that needed to be that way. And so you move into this space where you're uncomfortable because you don't have all the answers, but you have to depend on other people that do have answers. I feel when you're uncomfortable, you're growing. Every time I've been uncomfortable, it meant I was learning something new. You just gotta work through that till you [00:04:00] cross the stream and get to the other side. You look back and say, wow, now I know this, and I didn't know that before.
At the beginning you always have that uncomfortable feeling.
Dr. Rebecca Wynn: Do you have a specific time where an epic failure brought you out on the other side as a better person? I've had that many times. My most epic failures or learning lessons make me a better leader, a better person. You have to have those in your career or you'll never grow.
Todd Fitzgerald: I have been outsourced in my career. As I look back on it, in the IT industry it's very common, you know, changes in management, you outsource things. Seven times I've been outsourced.
What's really great is I have been out of work about 15 weeks since I was 15. My job has changed over time because management was moving things offshore. I realized those are opportunities to look at a different type of job and grow.
There was [00:05:00] one time I didn't get a promotion that I thought I was going to get. I ended up leading external audits for three years in that organization. I got to see all the different audit firms. You know, all the big four audit firms, the smaller audit firms came in, and I got to see how they did that work well.
Later I had the job as the global CISO for Grant Thornton, the number five audit firm in the world. I realized it was the experience I had gained from knowing how all the other audit firms were auditing security. That was like gold, because I understood what our business was.
And that really helped me. At the time I didn't get that promotion that I thought I should have had. There was a reason: it was building experience I didn't know I needed down the road.
Dr. Rebecca Wynn: [00:06:00] I couldn't agree with you more.
You've changed companies quite a few times for, like you said, a variety of different reasons. And it's interesting when I speak to some companies, they seem to be going, you know, you weren't at one company for 10, 15 years. I would tell you, for me, that scares me when someone's only had one point of view of seeing things for that long a period of time.
Do you think having four or five different places as CISO gives you a better perspective than if you'd only had that one perspective maybe for your whole career?
Todd Fitzgerald: Yeah, I've built a lot of experience because I have worked in different organizations and I've seen different ways of doing things.
I would also say, though, that even somebody that's worked in one organization for a long time, you can learn where you are, and you can learn different things in that environment if you take the time to do that. So you can always develop skills over time. When I look back, I've had different jobs, but also two employers for 10 years and nine months each.
That must be my [00:07:00] expiration date.
But I do think that you do grow, but I don't think it's good for people, every couple of years, to go looking for another job.
I think it's important to find that job that is your sweet spot. Maybe it's incident response. Maybe you love being in a crisis and you want to be in that mode. Well, find that job that does that. Maybe you don't like that, and want to, you know, do something that's along the governance side of life.
You know, you like organizing things and seeing gaps, do that kind of job. Don't feel like you have to be the top CISO in the country, because that's not what's gonna buy happiness in the long term.
Dr. Rebecca Wynn: I agree with you. You know, you mentioned on a tweet, we finally get this right, when we talk about vulnerability management. Why do you think we keep repeating bad [00:08:00] behaviors consistently in the vulnerability incident response field?
Todd Fitzgerald: I think it has more to do with funding than anything else. CISOs know what needs to be done, but it's how we get the right amount of funding to make that happen. That's a skill CISOs have to develop.
It's not just those technical problems. We need to be able to build, be able to address having the right frameworks, putting those in place, and being able to show metrics as to how well we are really doing in the organization. And having that, you know, I hate to use the theoretical, where we need to act like a business kind of thing.
Well, what does that mean? It means we have to get down to, hey, we have a serious issue here. Here are the numbers that show this, and this is an area we need to improve upon. And I think [00:09:00] that's what we need to do. I spoke at a conference that had a lot of small business companies in there, and one of the poll questions I asked is, where does your CISO report, and do you have a CISO?
It was interesting that almost 50% of the companies did not have somebody identified in that role. They were small companies, but this is really scary, and this is where the bigger companies really need to help the smaller companies, our supply chain, and help them to become better.
Dr. Rebecca Wynn: Yeah, I agree. I see that time and time again. I help firms out of ransomware attacks after they were bricked. But do you even have a security engineer on staff? Do you have somebody to reach out to? No, you as a CEO can't be that person.
And your system admins generally are not gonna be that person. You need at least to have a fractional, do you have a vCISO? So do you have a collaborator that you can reach out to, so you can prevent these things [00:10:00] from happening, instead of being always reactionary? And for some reason, security, we're always like the last ones to the party.
Todd Fitzgerald: I think it's always been seen as a cost item. Things flipped a few years ago. Five years ago it used to be, why would they want my information?
And now it's the fact that you want your information and you need it to run your business. I can encrypt it or disclose it, do a double extortion, and get money from you. Every business now has to be
on alert; this could shut down their business. Education has been happening. There's a tendency to, you know, say, well, we've outsourced this to our MSSP, they'll take care of it. But then they don't have anybody in house that's watching the MSSP and making sure that, you know, the right things are done.
We need that balance on both sides.
Dr. Rebecca Wynn: I've seen more recently, when you [00:11:00] mentioned MSSP or some other tool, they assume the tool innately of itself will protect them, or that MSSP innately of themselves, and they forget what is the purpose of them.
They're augmentations of current staff and capabilities. That also goes through on not having some sort of framework that you are going by as a guideline. I've spoken on cybersecurity frameworks to small businesses.
You've mentioned in tweets there's like 13 frameworks, there's 900 frameworks out there, but when people are trying to get to a baseline, where do you think they should start? I think that's the key problem: they don't have a baseline to aim for.
Todd Fitzgerald: One of the things that brought me to putting the CISO Compass book together was that there was no roadmap out there; there wasn't a book you could go to. There were CISO-type books that talked about somebody's career and journey, but it wasn't like, okay, what is it?
I'm a new CISO or I'm an experienced CISO. What is it I need to be [00:12:00] doing? And so what are all those components? And so when I was looking at that, I didn't want to create Todd's framework. You know, how do we know we're doing an effective job as a CISO? Innovation is really taking existing things and sticking them together.
I found that, you know, the McKinsey 7S framework that I was familiar with, where you've got system, structure, style, staff, shared values, I applied that to cybersecurity and then looked at all those activities that we do, and how is it that we can measure that to say, hey, these are the things that we need to be doing as a CISO.
And then that becomes your roadmap. The frameworks tend to look at controls and what controls you have in place, but not all those other things about, you know, do you have the right staff and skills to run your program? Do you have the right processes in place?
And so that's what I put together. But
we have so many frameworks. I wrote about 13 [00:13:00] frameworks. I actually got bored of writing about frameworks.
And so I had to stop the chapter somewhere. And the thing is, there are some really good ones. I like NIST. A lot of people have been adopting NIST. Why? Because it's a great communication tool for our executives. So I think that's a really good high-level tool to use, and that is mapped
to these other frameworks too. I like ISO because I look at that as at the process compliance level that tells you what you should be doing, but it doesn't get down into the detail of things. And then I would bring in the NIST 800-53 controls or the CIS Critical Controls.
Bring those in when you need the detailed controls to supplement ISO 27000. Those three levels of controls will get you there, and it provides the communication tool with management, and you can see where your gaps are. You put together a three-year [00:14:00] plan.
Always have that three-year plan available, because there may be money at the end of the year that becomes available. Well, now you know where to spend it and what to ask for.
Dr. Rebecca Wynn: That's why I've always liked HITRUST, cuz it tries to combine several things at once.
And I liked it when it brought in the COSO framework, so the enterprise risk management that you also brought in. People in our field have a tendency to forget that it is a risk versus reward, you know, proposition. It's not our job to make the company a hundred percent risk-free, cuz no company can work risk-free.
How do you advise people to balance that aspect out when they present to the board? It is a risk-reward proposition, and we need to do it from that perspective when we present.
Todd Fitzgerald: I think CISOs are getting better at that, because I think if we look at the tenure of CISOs, it is longer in organizations now, and I think it's because, when there is the breach that happens, the CISO isn't seen as the person who fell [00:15:00] down on their job if they've done their job right.
They've made the problem of security the problem of executive management across the board. That's the ownership of security, and the security officer becomes the facilitator of that. And if they've communicated the message that we can't eliminate that risk completely, we never will be able to,
but that we get to an acceptable risk level. One thing I like to do with acceptable risk is, when you have an executive that says, well, I'll accept that risk, put it in writing and have a paper form and have a wet signature on that form, not just an email thing. You know, when you have to go through that act of signing your name that you're going to accept the risk, usually you see a pullback: well, okay, what do we need to do to mitigate the risk?
The conversation becomes a different [00:16:00] conversation, because they really don't want to accept that risk. And so you get into that discussion, and it may be that you have to have the business leader and the IT leader jointly accepting that risk. That can be a very effective way to work through that.
Dr. Rebecca Wynn: Todd, thank you so much for being on the show.
Todd Fitzgerald: Thank you very much. It's been my pleasure.