Some security principles apply everywhere, but the details of each industry matter. A lot. Two veteran executives share how to navigate a new sector.
When Timothy Youngblood joined T-Mobile as CSO and Product Security Officer in 2021, he'd already been a security leader at multiple companies, including Dell, Kimberly-Clark, and McDonald's. He also had experience consulting with telecommunications companies. Nonetheless, the new full-time position in this industry "on the operational side, especially at the scale of T-Mobile, was quite eye-opening," says Youngblood, who is now an investor, mentor, and CISO in Residence.
For instance: SIM swapping – a fraudulent attempt to get someone's communications switched to a new SIM card controlled by the attacker – may be obscure to some outside the industry, but at the major carriers it's attempted many thousands of times per day. And FCC regulations that protect consumers' ability to switch carriers also make it harder to implement controls to stop SIM swapping, Youngblood says.
That's a small taste of the challenges that can greet a CISO moving from one industry to another. In addition to understanding a new employer's business model, priorities, and regulatory constraints, it pays to have eyes wide open about the varied security and risk management issues that are unique to the new sector. These points echo the experience of Renee Guttmann, herself a veteran of a wide span of industries.
Today, jumping into a new sector is, in fact, "easier than it used to be," says Guttmann, a venture capital advisor and consultant who has led security programs in pharmaceuticals, media, food manufacturing, finance, and cruise lines. She says there is some common ground, and security basics apply everywhere, starting with well-known security standards: "Every company that I worked for adopted a framework, starting with ISO 27001 and then NIST, as the foundation that we used to define the cybersecurity strategy and how we measured basic success," she says. Guttmann also notes that the body of industry-specific cybersecurity knowledge is better developed and disseminated than it was even a decade ago.
However, it's still vital to be a quick study in order to understand industry-specific risks, know what controls to prioritize, and find the right resources to help.
Here are seven takeaways on changing industries from CISOs who've done so multiple times.
1. Walk in knowing how the business makes money.
"Where does the company drive its revenue? That's where I start," says Youngblood. For publicly owned companies, the annual 10-K filing is required reading, even before interviewing for the job. That's closely followed by numerous conversations with C-suite leaders and their lieutenants.
Threats to the primary revenue sources are "potentially extinction events," Youngblood says, "and I want to make sure the previous security administration had appropriate funding to address those threats."
Guttmann underscores how priorities can differ, even as a foundational framework is being implemented:
- At Glaxo Wellcome (now GlaxoSmithKline), Capital One and TimeWarner, confidentiality, regulatory requirements and privacy were vital.
- At Coca-Cola, operations and marketing content security (like the company's website) were top of mind.
- At Royal Caribbean International, concerns included safety, operational technology (OT) risk, and handling of government IDs.
- Campbell Soup Company focused on OT and operations risk.
“I’m glad I got the opportunity to work across industries,” she says.
2. Resuscitate the tired aphorism "learn the language of the business."
In the cruise line industry, Guttmann says, "Ships and boats are not the same. We have guests, not customers." Making basic mistakes with industry terminology clearly undermines the CISO's credibility.
In addition to interviewing other company leaders, ways to learn industry specifics include:
- Participate in Information Sharing and Analysis Centers (ISACs), which help industry competitors and partners alike connect with peers to protect infrastructure.
- Ask for an executive-level business mentor within the company.
- And "it's incumbent to do a lot of reading," as Guttmann says. Corporate documents, industry history, information on regulating bodies, case studies and more can all help with ramping up.
3. Think in terms of two-way translation skills.
A good CISO "has to be very skilled at not only translating technology into business terms, but also business priorities into tech requirements," says Youngblood. "It goes both ways."
Peers in HR, Finance, Legal and other departments can help in this regard. Guttmann notes that for these nontechnical leaders, security concerns are less of a foreign language than in years past. Today, "you can't go to an HR or finance conference without seeing at least one track on cybersecurity," she says.
Another helpful tool she strongly recommends is the Cyber Risk Oversight Handbook, jointly produced by the National Association of Corporate Directors (NACD) and the Internet Security Alliance (ISA). It provides a basis for getting everyone on the same page with the CEO and Board members.
4. Expect industry-specific relationships and service providers.
A CISO's security efforts can be tied to many different kinds of partners. For example, Youngblood describes a telecommunications tower as "a conglomerate of many players. An infrastructure management company might operate a given communications tower, with multiple competing carriers leasing space on that tower." The manager may have prime responsibility for securing that tower, but the relationships are complicated, he says, and CISOs must take time to understand how the pieces work together.
From her time at Royal Caribbean, a point of pride for Guttmann is having worked with the US Coast Guard to develop maritime cybersecurity guidance. But she says that an essential early step was searching out a small security consulting company that specialized in exactly that topic.
"In any area, there are boutique firms that know the space inside and out," she says. That knowledge can prove invaluable to a new CISO in saving time and avoiding missteps.
5. Don't underestimate the Operational Technology (OT) challenge.
Multiple CISOs note that OT has as big a learning curve as any other security domain, and that expertise is more crucial than ever for CISOs in many sectors.
Highly publicized ransomware incidents may have increased executive sensitivity to OT concerns, but a ransom payment is not the top concern for most leaders, Guttmann says. It's the possibility of interrupting operations, and thus incurring penalties for late product deliveries or losing customer relationships altogether.
A CISO taking on OT responsibilities for the first time is well-served to invest significant time learning the ins and outs. “I believe that now, everyone must address resiliency and consider OT/ICS as a priority,” Guttmann says.
6. Know your limits (and those of your service providers).
"Whatever you get funded for, make sure you can deliver," says Guttmann. "It's important to assess the resource capacity of teams to deliver funded initiatives, and important that critical projects have strong program and project managers."
And that capacity can be limited by partners, inside and outside the company. "You have to learn about your own delivery ecosystem as much as learn about the business. Be really careful about the technologies you choose," she says. One mistake to avoid, for example, is buying a product only to discover that internal stakeholders resist it, or that your managed service partners won't support it. “It's terrible to request funding, only to give it back to the organization,” Guttmann notes.
7. Emphasize that leading change is a transferable skill.
While Youngblood was at Dell, the company flipped its business strategy, from organic growth to acquiring dozens of companies. During his Kimberly-Clark tenure, the traditional consumer packaged goods (CPG) manufacturer was working to build more digital channels for direct sales. In each case, new risks emerged. Youngblood says the change management experience he gained, in terms of both people and technology, proved valuable in his later CISO posts in other sectors.
This applies to other leadership skills as well, and in some cases the fresh eyes of an outsider will help identify new ways to solve security problems. When you've been immersed in several different sectors, "it's easier to take a step back and bring a unique perspective. A control used by McDonald's might help address a risk in healthcare," Youngblood says.
"You can definitely 'borrow brilliance' from other industries."