CDAOs: the new cool kids in the enterprise C-suite - Part One
Two decades ago, IT security professionals were overlooked and underappreciated. Today, they’re indispensable leaders in the C-suite. Could Chief Data Officers be next?
“Cybersecurity is a niche, there’s no market.”
That’s what a renowned VC investor told me in 2009.
He wasn’t too wrong. Back then, Check Point, Symantec and McAfee were the leading cybersecurity companies. Check Point had just crossed $1B/yr in revenues, Symantec was at $6B/yr with slow growth, and McAfee was at $2B/yr. Those were the 400-pound gorillas.
Fast forward to 2024: Palo Alto Networks alone has revenues of $8B/yr (nearly the same as all three had back then), and is one of dozens of publicly listed cybersecurity companies with over $1B/yr in revenue.
The growth and success of these companies comes from the continuous growth in spend on information security, expected to cross $200B/yr soon. Back in 2009, it was around $10B. 20x in 15 years is better than the 5x the S&P 500 did in that timeframe.
Such massive growth can only come when the number of customers you have grows, and their ability to buy (speed, amount, etc.) increases as well. Seven-figure, even eight-figure, cybersecurity deals are becoming more and more common.
And who is signing these checks? The Chief Information Security Officers, or CISOs. This fantastic group of 32,000 people globally is responsible for the cybersecurity of their organizations. These CISOs, many of whom were the exact opposite of “the cool kids” just 15 years ago, are now getting all the attention (even some attention they don’t appreciate).
Remember the days when no salesperson would dare talk to the “IT security” people? Now, salespeople are actually calling them, emailing them, sending them cookies and trying to win their favor.
This all means that the aforementioned VC was right when describing the then-current situation, but VCs always like to say “skate where the puck is going”, and it looks like he didn’t do it that well. (Other VCs, who caught onto the cyber trend early, did see where the puck was going.)
So how did this happen, and what can Chief Data Officers (CDOs) and Chief Data and Analytics Officers (CDAOs) learn from this?
From propeller head to executive
As we try to distill the journey CISOs have taken, this is the flow we see:
Severe hacks spur a massive macro push, which results in top-down prioritization of cybersecurity in each business. Government regulation also helps drive this.
As cybersecurity became important, the security people became the center of attention. However, these security people weren’t used to this attention. They were usually leading a small team or department within IT, focusing on cool product features and technical nuances: the newest feature in Check Point’s firewall product, or reminiscing about how they installed their first firewall from a floppy disk.
A language barrier becomes a severe impediment: security people don’t speak “business”, and business people don’t speak security. Frustration on both sides ensues.
Some security people “see the light”, and begin understanding that by learning to speak “business”, they can become more successful in their role, and positively impact the organization. Initially, it’s only a few, but over time, and through a lot of content at the RSA Conference, the trend expands.
Security people can now better describe how certain investments can impact the business - its growth, its costs, and, most importantly, the risks it faces. They also understand better how the business measures them, and they work to ensure that their decisions are implemented in a way that aligns with what the business needs.
The security people who perform well are rewarded with titles (C-level), high six-figure (and sometimes seven-figure) compensation, massive budgets (some even past $600M/yr), and teams of hundreds of people reporting to them. They get a seat at the table.
This took a while, unfolding over a few years, but the smart security people were able to make the transition. Unfortunately, average tenure in their role is two years, so there’s still some improvement left to make.
The journey from IT security specialist to CISO offers invaluable lessons for today’s data and analytics leaders. In Part Two, we’ll explore how CDAOs can learn from the CISOs’ journey to redefine their roles and drive strategic business impact in their organizations.