The Changing Role of the CISO: Featuring Cassio Goldschmidt, CISO at ServiceTitan
In order to learn more about the ever-evolving role of the CISO, we interviewed Cassio Goldschmidt, CISO at ServiceTitan and Security Advisor at Glilot Capital. Cassio is an award-winning technology executive, advisor, mentor, speaker, and long-time contributor to the security community. He leads the LA OWASP chapter and was nominated for the Web Application Security Person of the Year by OWASP. Among many other accolades, he was named one of the top 100 CISOs in the United States by his peers.
ServiceTitan is a leading software provider for the trades, offering customers a business platform which includes CRM, intelligent dispatch, custom reporting, marketing automation, a mobile solution for field techs, and accounting, payments, and financing integrations. The company was recently named to Forbes’ Cloud 100 List.
We asked Cassio:
- How has the role of the CISO changed over time?
- How can the CISO be seen as an enabler (and not a blocker)?
- What are your tips for communicating with the board?
- What is your approach to implementing strong security throughout ServiceTitan?
- How can startups increase their stickiness so that they are not easily replaced?
- What tips do you have for fellow CISOs?
1) Glilot: The CISO’s role has changed significantly over time: from a technical IT role, to a threat & vulnerability detection role, to a transformation enabler role where the CISO leads the organization through digital and cloud transformations, to today, where the CISO takes on a significant strategic leadership role. How has the role changed over time from your experience?
Cassio: As the industry transformed over time, the CISO had to transform as well. In the beginning, CISOs were strictly technical and responsible for things such as firewalls and networks. Their responsibilities were mainly part of IT. With time, almost every company has become a software company. Like Andreessen Horowitz said, “Software is eating the world.”
As a result, CISOs had to understand application security at a much deeper level than before. They were presented with a whole new set of challenges in which they needed to not only protect the network, but also the applications where the data lives. During this time, many companies also moved to the cloud and SaaS started becoming the norm.
All of the control over the infrastructure that the CISO had was suddenly gone and the CISO needed to reinvent themselves again. Now, instead of analyzing the technical aspects of solutions, CISOs are shifting their focus to compliance in order to deal with legal contracts and third parties by using questionnaires and SOC reports without actually seeing what third parties are doing. Concurrently, as data entered the picture, the CISO needed to understand privacy laws that are still in a period of flux and adaptation. GDPR is constantly changing, CCPA just came out and now CPRA is coming.
The changing focus on compliance, privacy, and trust has put security and the CISO in a key position within the organization. Due to the key role of security in business today, strong security is increasing shareholder value.
2) Glilot: How can the CISO be seen as an enabler (and not a blocker)?
Cassio: Working at a maniacally customer-focused organization like ServiceTitan, my team must do everything we can to help make our customers more successful. For example, there have been numerous times where our customers have had issues with phishing. We’ve taken these issues on as our own by helping them shut down the malicious websites. This creates a lot of trust with our employees in customer success, who understand that we have their back.
If one of our partners does not have the security that we need, we help that partner choose the best security resources in order to minimize the risk for our product teams. Building that connection and trust with teams across our organization has branded the security function as an enabler.
Security is a very serious topic. Many companies have internal security practices that are quite dry. We find that our employees take security more seriously when the content we are providing them is more engaging. For example, we have a “Phish a Phriend” program where we invite employees to write emails to try and phish one another. The engagement is unprecedented. The most successful emails seem to be the optimistic ones such as “we are giving away free company swag”. Looking back at successful phishing attempts and analyzing them goes a long way in improving the security awareness of our organization.
3) Glilot: What are your tips for communicating with the board?
Cassio: The board likes communication “Amazon” style. They want a summary ahead of time and it is important to keep things short. The focus of the discussion includes threats to the future of revenue and overall value to the business and company goals. ServiceTitan uses quantifiable benchmarks for the board to help them understand where we are. When I say “quantifiable benchmarks,” I don’t mean things like “there is a 48% chance that a certain breach will cost us X amount of dollars.” These are things our team needs to mitigate with cyber insurance and so on. When I speak to our board, I’ll compare ServiceTitan with the rest of the industry. By offering a security scorecard, we can show where our security posture is compared to similar organizations. It is much more effective to give the board a relative measure of our security, as opposed to communicating meaningless numbers such as how many incidents we were able to mitigate.
4) Glilot: What is your approach to implementing strong security throughout ServiceTitan?
Cassio: Many companies want to consolidate vendors and go with the big names when it comes to security solutions. My team tries to do the opposite and get the best of breed per solution. This is why I love to network with innovative venture capital firms like Glilot. We want the latest, greatest solution that will innovate OUT of the problem.
We take this same approach with the contractors we use to test our security. We consistently work with different contractors that take different pen-testing approaches so that we test ourselves from varying perspectives.
We are also trying to move away from monitoring and assessing to automating policies by leveraging infrastructure-as-code and compliance-as-code in order to enforce good behavior as opposed to waiting for incidents to happen.
5) Glilot: How can startups increase their stickiness so that they are not easily replaced?
Cassio: Stickiness is something I consider when looking at solutions. The difference between sticky solutions and ones that are not is the actionability and remediation piece. If a solution points out to me where I need to take action, and even more so when it gives me tools to take action, it will stay around for much longer.
6) Glilot: What tips do you have for fellow CISOs?
Cassio: Constantly learn and learn by doing. Get your hands dirty in different things like shutting down a spoofing website, reviewing code, and participating in capture the flag exercises.
It is also important to interact with other business units and learn from them about the struggles of tenants. Sometimes the CISO needs to become part of the sales team when a certain vendor is debating whether to go with your organization from a security perspective.
Keeping yourself abreast is not always about reading, but many times about doing.
A huge “Thank You” to Cassio, a true forward-thinking cybersecurity expert and thought-leader.
To learn more about the Glilot community, please contact us:
Dorin Baniel, Head of Value Creation
Chen Yakar, Value Creation Analyst