The Role of Today’s CISO: Opportunities, Challenges, and Personal Liabilities

In episode 87 of The New CISO, host Steve Moore welcomes Jeff Farinich, SVP of Technology Services and CISO at New American Funding. Their discussion covers security vendor selection, managing personal liability, and making smart decisions for career growth. This blog post highlights key insights from their conversation, which are important for CISOs and aspiring CISOs alike.

In this article:

• A career rooted in adaptability and curiosity
• Vendor selection in a crowded market
• Fostering relationships for personal and organizational growth
• Career growth and knowing when to move on
• Addressing personal liability as a CISO
• The need for education and communication
• Conclusion

A career rooted in adaptability and curiosity

Initially a business major with a background in accounting and finance, Jeff’s IT career was sparked by a Novell CNA university course. The 1990s banking crisis led to bank mergers and a decrease in finance jobs. At this time, Novell was gaining traction in the days of mainframes and computer rooms. Jeff took the initiative to enroll in the course, which quickly resulted in an IT job offer. His Novell certification provided a new career path, including roles in the housing and movie industries in southern California.

A self-proclaimed “MacGyver,” Jeff has a knack for fixing things. He can “build almost anything out of a box of junk,” a skill he attributes to being “born with a screwdriver and a hammer in my hand.” 

Vendor selection in a crowded market

CISOs face the daunting task of selecting from thousands of security vendors. Jeff often chooses top vendors, but is also an early adopter of startup technologies. “It usually depends on the capabilities and the need to fill the gap,” he says. With recent shifts in the mortgage market impacting lender revenues, Jeff emphasizes the importance of creativity in meeting compliance requirements.

To navigate the crowded market, Jeff offers the following tips:

• Consult major market research reports for an initial overview of the landscape.
• Talk to peers about their experiences with various vendors.
• Meet with potential vendors’ founders, current leadership, or CEOs.
• Opt for shorter contracts (for example, one year) to allow for reevaluation and adjustments.

Jeff further elaborates on the importance of personal connections with vendor leadership to help ensure successful partnerships:

Fostering relationships for personal and organizational growth

Jeff underscores the value of networking and relationship-building in the cybersecurity industry for personal growth and organizational benefit. By engaging with industry peers, attending conferences, and participating on advisory boards, CISOs can gain valuable insights, negotiate better pricing and services, and drive improvements in the cybersecurity space.

“I think any IT leader or CISO that is not getting involved to even a lower degree is probably doing a disservice to themselves and the organization,” Jeff says.

Career growth and knowing when to move on

While Jeff is loyal to his employers — his longest tenure was 15 years, and it ended due to an acquisition — he doesn’t advocate for loyalty for loyalty’s sake. He believes in recognizing when it’s time to move on to something new. He advises being proactive about career moves and considering the average CISO tenure (about one to one-and-a-half years) when evaluating career growth options.

Jeff says, “I think my new perspective is, I’m going to leave at the top of my game, not on the downward trend of my game. So I think being in security, there’s all kinds of opportunities.”

Addressing personal liability as a CISO

High-profile breaches at companies like Uber and Yahoo! highlight the personal risks CISOs face. Jeff cautions CISOs to remain cognizant of the limitations of Directors and Officers (D&O) insurance and the potential for personal liability. “D&O insurance only covers so much. The Yahoo! CISO and Uber CISO were sued and had to cover all their legal expenses on their own — millions of dollars. Whether or not they were at fault, there are a lot of costs you may cover, which could potentially bankrupt people,” Jeff explains.

To protect against personal liability, Jeff advocates for board indemnification and stresses the importance of staying informed about new regulations and rulings that could impact CISO liability. One such example is the recent McDonald’s case, where a Delaware Chancery Court judge ruled that corporate officers owe a fiduciary duty of oversight to their company. Corporate officers who fail to fulfill their oversight duties can be sued derivatively by shareholders acting on behalf of the corporation.

Jeff stresses the need for CISOs and their peers to understand the escalating risks they face: “Our risk increases by the day, as do threats, and we need to ensure that we can carry out our jobs without being consumed by worries about personal liability.”

The need for education and communication

Given the current risk landscape, CISOs are increasingly elevated to executive and board levels. Jeff notes, “Cybercrime is now the third largest economy in the world and, if the report I saw is correct, it may surpass China in the coming years.” To protect organizations, CISOs must prioritize education and communication with business leaders and other stakeholders.

Conclusion

In cybersecurity, new challenges and opportunities emerge every day, making it essential for CISOs to stay informed, build strong relationships, and advocate for themselves and their organizations. By taking a proactive approach to vendor selection, career growth, and personal liability, CISOs can better navigate the complexities of their roles and drive positive change within their organizations.

Listen to the Podcast

For more insights from Jeff’s insightful conversation with Steve, listen to the episode or read the transcript.