CMMI Institute

CISOs: Gain a Keen Edge by Adopting a VC Mindset

By E. Doug Grindstaff II, CMMI Institute Sr. VP of Cybersecurity Solutions
The world of cybersecurity is fast-paced and dynamic. The risks are high, and so is the likelihood of failure – which could bring about the downfall of your organization. To meet the rising challenges, you need to adjust your mindset.
The venture capitalist (VC) world offers an instructive metaphor: it’s similarly fast-paced, with a high risk that early-stage investments will fail. CISOs can benefit from thinking like successful venture capitalists. VCs are not looking at what has already happened in the market; they are trying to look ahead and anticipate what will come next. VCs are also not looking to achieve small, incremental gains; they're aiming for major wins. In the same way, CISOs won’t succeed by looking at incremental improvements, like complying with a standard framework or by responding to what has already happened to other companies. They must look forward to boldly meet what's coming next – which just may force them to go where no CISO has gone before.
Think Like a VC
Venture capitalists often deal with highly unstable environments that include competitive investments and markets that are just starting to form. The chance that a VC will be successful (i.e., achieve at least a 3x return) on an early-stage investment is in the 10-15 percent range. The potential for failure is large. To succeed as a VC, you must help the management teams of your investments de-fang the risks and threats their companies face. You must also be sure they take advantage of synergistic inflection points in your market that can dramatically advance the probability of success.
Amazon CEO Jeff Bezos has a related philosophy. Bezos' "Day 1" concept includes the tenets that you never stop acting like a startup, you're never too big to fail, and it is always Day 1. Day 2 is the long exit ramp into corporate oblivion. When asked about Amazon's future at a company all-hands meeting last fall, Bezos replied, "I predict one day Amazon will fail. Amazon will go bankrupt," according to a CNBC story. Distilled, Bezos is saying that the entrepreneurial spirit is driven by the fear of failure — a key ingredient to success. This applies to both startup businesses and enterprise security organizations. You don't want that fear to transition to complacency.
Like VCs, CISOs also need to make big strides. No VC would ever take an incremental approach. They're not looking for 10 percent improvement; they're looking for a 10 times return on their investment. Similarly, as a CISO you should be driving significant change and looking for big opportunities to improve your cybersecurity program that get the equivalent of the VC's 10x return. You need your entire organization thinking proactively about the current threat landscape. You want staffers to be highly attuned to the things that are most important to the organization.
To jumpstart this, you adopt the VC mindset: Regardless of how large it may actually be, your company is small and could be disrupted or destroyed tomorrow. You stay hungry. You continually challenge assumptions. You're laser-focused on the business outcome. You're constantly aware that your business could be seriously damaged at any time. You are always at least a little bit uncomfortable. That's the way they think in the VC world – everything's at risk.
Cybersecurity: Evolve or Fail
Does the sun revolve around the earth? Copernicus transformed earth science by asserting the opposite was true. CISOs, you need a similar Copernican shift in thinking that leads you away from compliance to become like a VC, highly proactive and forward-looking. You should devote cycles to continually evaluating the top risks to your organization, prioritizing those that can have the worst consequences. Once you've identified the vulnerabilities with serious repercussions, focus on how to mitigate those weaknesses and the fallout from them. That means creating an environment that builds cyber resilience. It means taking a longer view toward building or buying major improvements in the areas that matter most. Embrace the reality that your business could encounter a serious setback or even fail because of your actions or inaction.

CISOs should be actively seeking to institutionalize the VC mindset. You should be driving cultural change, communicating the best thinking, and getting visibility into how the organization is doing. How do you foster situational awareness? What's the best way to measure success in cybersecurity? How do you ultimately build a smart cybersecurity culture that actively focuses on resiliency? It's about driving significant change, taking giant steps, and being aggressive. Cybersecurity execs need the sense of urgency that you see in the venture community.
Many CEOs are looking for a way to gain an understanding of how well their enterprises are performing. How many companies have an effective way of measuring organizational performance? The CMMI Cybermaturity Platform gives enterprises the ability to establish a shared, common understanding of the cybersecurity capabilities in place and provides a way to evaluate the state of your capabilities to show what you still need. Having data analytics like that could take some of the pain out of being uncomfortable. And it could help CISOs target the right "10x" improvements.
For more information on this topic, check out Doug Grindstaff’s appearance on “The CyberWire Podcast.”