What a Field CISO Actually Is

Reading time: 9 minutes

I am writing this on a flight home from the Atlanta CISO Executive Summit, a Gartner C-level communities event where I spent the day yesterday leading a boardroom session on cyber recovery with a room full of sitting CISOs. In case you were wondering if I had nothing better to do! Field CISO roles have multiplied across the industry in recent years. Almost every security vendor of any size now has at least one, and plenty of technology companies have built entire teams of them. I have been a Field CISO for four and a half years now, and for a role that travels as relentlessly as this one does, that counts as a long haul if I say so myself! The growth of the role is exactly why it needs defining, because the understanding of what it involves has lagged well behind the hiring.

What prompted this article was a LinkedIn post by a CISO, who wrote that he is tired of Field CISOs who are really glorified pre-sales people, the kind who arrive armed with polished slide decks and product evangelism. I agree with him! The people he describes exist, and his frustration is earned. I do not know him personally, although in a small twist of irony, his company was one of those whose security architecture I reviewed for a large deployment back in 2017, during my time at VMware. His post also confirmed something I have seen for years: this is one of the most misunderstood roles in security.

What is a Field CISO?

A Field CISO works for a vendor and advises customer security leaders as a peer. The job is to understand the customer’s business, their constraints, their regulatory environment, and their actual problems, and to bring strategic perspective to those problems. Some of that perspective comes from the Field CISO’s own operating background, and much of it comes from the position itself: a Field CISO talks with security leaders across different industries every single week, and a good one carries insight between those conversations in a way no sitting CISO can.

When someone holding the title arrives with a slide deck and a product roadmap, you are looking at a sales engineer with a cool job title, and this is entirely the fault of the vendor, not the person trying to do the job. Sales engineering is a real and honorable discipline, but it is also a different beast.

A Role I Have to Keep Explaining

Field CISOs are, for the most part, solo practitioners. We build our reputations individually, customer by customer, conversation by conversation, with no institutional shield behind us. We have no budgets to wield and no security teams to lead.

The educating runs in both directions. Externally, customers need to understand what we are there to do. Internally, the challenge can be just as constant: technology companies see people come and go, strategies shift, and leadership changes, so the value of the role has to be explained again to each new wave of colleagues and executives. A Field CISO who cannot articulate their own value internally will not last long enough to demonstrate it externally.

What the Background Actually Requires

Phil Venables, who built Google Cloud’s Office of the CISO, wrote that the guiding principle for that team was prior senior leadership experience in real enterprise roles. He is pointing in the right direction, but it brings to mind the Zen parable of the finger pointing at the moon: do not mistake the finger for the moon itself. I’d put it this way: the role demands breadth and tenure, somewhere around twenty years across the domains, far more than it demands any specific previous title. In my opinion, a Field CISO does not have to have served as a sitting CISO.

I will admit there is something self-serving in that claim, because I have never held the sitting CISO title myself, and in writing this I am to some degree justifying my own position. I will leave that judgment to the two large enterprises that have trusted me with the Field CISO title: VMware and Veeam.

I have been a security practitioner since the 1990s. I started at an internet service provider, where I ran penetration tests, set up honeypots, and led the company through its ISO 27001 audit, which was no small undertaking at the time. I have led an infrastructure security team, worked for UK government regulators, and worked inside enterprises in both the UK and the United States. I spent years building secure cloud architecture in Riyadh, New Zealand, Australia, and across Europe before settling in the United States. Every one of those chapters gets drawn on weekly.

Now consider the reverse: someone who spent twenty years rising through a single company to the CISO chair, but who has never worked for a software vendor or built cloud architecture at scale, deciding to try their hand at the Field CISO role. I think they would be in for a rough time of it. I say that to set realistic expectations of what the role entails rather than to gatekeep. One minute the conversation is API security for a SaaS platform; the next it is a boardroom-level discussion of CMMC 2.0. The role punishes narrowness, however senior that narrowness was.

It Stretches Far and Wide

A sitting CISO builds one mental model of one business. It takes years, and once built, every decision draws on it. That investment gets amortized across an entire tenure. It is genuinely hard work, and nothing here diminishes it.

A Field CISO never gets to amortize anything. Every customer is a new business, a new threat model, a new maturity level, a new set of internal politics, and frequently a new regulatory regime. I might be deep in CMMC with a defense contractor one week and GDPR, CCPA, or NIST with an enterprise the next. Each customer expects fluency from the start, and no onboarding or grace period.

But wait…

The strongest objection to the role goes like this:

“You have never stood in front of my board, you have never fought a CFO for budget, you do not carry the risk.”

The first part is often wrong, since many of us did exactly that in previous roles. But I take the objection seriously, because the underlying point is fair. A Field CISO today does not own an internal security program and does not answer to that customer’s board. (CISOs, have I tempted you over to the dark side yet?)

What we carry instead is a different kind of exposure. A sitting CISO answers to one board, and that accountability is very real; the term “CISO scapegoat” did not emerge out of nowhere. A Field CISO who gives bad advice burns their name across an entire market. CISOs talk to each other constantly, and reputation is the only asset the role has.

Add to that the absence of positional authority. A sitting CISO can mandate. A Field CISO can never mandate anything, anywhere. Everything is achieved through credibility and influence, in rooms full of people who are professionally trained to be skeptical of anyone employed by a vendor.

It is also why this role cannot afford a big ego. If you walk into a customer’s room needing to be the smartest person in it, you are not listening, and listening is most of the job. The people who last in this role keep the customer’s problem at the center of every conversation, even when we know the answer before the question is finished.

My Advice to Other Field CISOs

A good Field CISO arrives already knowing the customer’s business, sector, and regulatory obligations. They ask about constraints before they say anything about capabilities. They bring pattern recognition from dozens of other security programs, anonymized and useful. They advocate the customer’s needs back into their own organization’s products, including when that advocacy costs revenue. And they will talk openly about competitors, because they are not incentivized to sell products, and that freedom is what makes a trusted advisor possible. Just yesterday, in that Gartner boardroom full of CISOs, the conversation turned to a competitor’s product, and I fostered the discussion rather than steering it away. I leave the feature checklists to our Sales Engineers. That point matters internally as much as externally, because if the leadership at a vendor does not understand it, the Field CISO role suffers for it, which is one more reason for the internal advocacy I mentioned.

There is a personal attribute underneath all of this too. The people who do this role well are ridiculously obsessed with the security and privacy industry as a whole, and they contribute original work to the field. In my case that includes the OSINT Defense & Security Framework (ODSF). I built it because adversaries increasingly weaponize public information against an organization’s people, reconnaissance opens the kill chain, and there was no open, controls-based framework for managing that exposure. It has taken me the best part of 12 months to get it to where it is today. Whether anything comes of it, I do not know. It feels bigger than me, but it felt deeply needed. My instinct to put a year into something the industry needs with no financial incentive, burning the midnight oil and plenty of weekends, sits close to the heart of the role when done properly. I also run a privacy and security podcast, I have been part of the SANS CISO and OSINT communities for years, and I once ran a capture the flag challenge for my podcast listeners with some TryHackMe vouchers as prizes. What goes for a Field CISO goes for anyone in cybersecurity: the field thrives on giving back.

Wrap Up

The CISO whose post prompted this article closed it by saying he would not have his role any other way. Funnily enough, neither would I. The travel is relentless, the context switching never stops, and I will be explaining what I do for as long as I hold the title, yet every week I get to sit with security leaders across industries I would otherwise never see outside of a conference, and I learn something in every single one of those meetings.

So for the security leaders who share his frustration, the test is simple. If the person across the table opens with questions about your business and has clearly done the work before walking in, you are talking with a peer. If the meeting opens with a slide deck, a roadmap, or a feature comparison, you are in a sales meeting, regardless of what the subject line on the invite says, and you have my permission to leave the room!