Security Leadership: Tension Is The Job
2–19–2025 (Wednesday)
Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Wednesday, February 19, 2025, and we’re coming back into another short week / long weekend with President’s Day here in the US on Monday.
We’re going to continue on the theme of humans in the security loop, but this week look at the role of security leadership. Let’s dive in.
Security Leadership: Tension Is The Job
We saw news last week that President Trump has nominated Sean Cairncross to be the US National Cyber Director, a relatively new office established by Congress in 2021 and existing as part of the Executive Office of the President, advising on cybersecurity policy and strategy.
Because this is a relatively new role in the US Government, Cairncross would be only the third full-time director to hold the role (interim directors are common during times of transition), but one thing that stands out to me isn’t what Cairncross has done in his background, but what he hasn’t done - which, apparently, is cyber.
He’s held leadership roles in other organizations, and worked as an advisor to a fair number of organizations that are nominally technological, but it doesn’t appear that he’s ever held a hands-on cyber role or worked in a role where he owned or was responsible for cyber at an organizational level.
The previous director, Harry Coker, a Naval Academy graduate, spent his time in the Navy as a Surface Warfare Officer and then Engineering Duty Officer, overseeing the communications technology. From there, he worked in the CIA’s Directorate of Science and Technology for 17 years, before leaving to be the Executive Director of the National Security Agency from 2017-2019.
The reason I’m bringing this up is because the role of a security leader is often a particular one. We’re transitioning out of the time when the only senior folks with cyber experience cut their teeth in the military or law enforcement (as the two places where hands-on cyber work was more common), and bringing some new backgrounds to the senior roles.
That said, the most important part of this role is to sit at the decision-making table, but not sit alongside IT or Operations or Finance or other business considerations, but rather to sit across from them and provide a necessary tension in the decision-making process.
The role of a security leader at this level is to help make risk-informed decisions, to bring this element to clarity. Often simply dismissed as “The Department of No,” we’ve seen a re-framing of the CISO role to look more like a typical C-Suite executive role, but that, I think, misses the point.
This role is actually more similar to the ways in which a CFO might function, providing both some data and some guidance about the implications of a decision being made (whether it’s an acquisition, expansion, contraction, or other business imperative).
The role of the security leader isn’t to align with the business in these discussions, it’s to provide the necessary tension that can drive growth. Understanding this, as it can be counter-intuitive, is critical - as the least effective security leader is a prototypical “yes man” who simply goes along with the rest of the group.
It takes a particular type of person to succeed in this role, as you don’t make many friends, but you can make material impacts on the business where you’re leading the security function. If that tension isn’t there, not only does the leader fail to reach their potential for impact, so, too, does the organization.
Fundraising
From a fundraising perspective, we eclipsed last week’s $20B marker by putting up $23.1B in newly committed capital.
This was led by a huge raise from Oaktree Capital Management, around $16B for its 12th flagship fund, and PSG, who raised $6B for its sixth flagship fund, plus $2B for a new continuation fund that will cover six portfolio companies.
We also saw some quiet news that Insight Partners, who has about $90B in Assets Under Management, suffered a cyber attack this week. Details forthcoming, and we may talk more about it next week, but their portfolio companies include some of the leading private cyber companies, including Wiz, Island, SentinelOne, Veeam, Abnormal, Corelight, Delinea, noname, and Prevalent.
A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://cyberscoop.com/sean-cairncross-national-cyber-director-nomination-donald-trump/