The cybersecurity field today is very different from Walt Powell’s teenage years, when he dropped out of college to tour with his rock band before starting a cybersecurity career without any higher education qualifications.
Now the lead field CISO of US-based IT integrator CDW, Powell has kept his playful character with a horde of robots populating his background during our interview – robots he assures he built himself.
This drive to make everything fun has followed him into the workplace, where Powell has developed a martial arts-style belt system for his team of field CISOs to compare their skills in various areas relevant for their job, from technical cybersecurity know-how to practical leadership expertise.
Speaking to Infosecurity, Powell explains why and how he transitioned from traditional CISO roles to a more external-facing field CISO role, how he keeps up with cyber-related technologies and cyber-threats, and which one skill modern CISOs should prioritize: mastering risk quantification to secure board buy-in and budget.

Infosecurity Magazine: How would you define the role of field CISO?
Walt Powell: When I first started my current role, field CISO wasn't even a term yet; I was one of the first to hold this title. Since then, my team has grown and there are six or seven of us now. I've started to see this role grow at our partners and our competitors, and it's a common title now.
Field CISO means something different depending on which type of organization you're in. CDW is a big solution integrator, so we can help with every solution across the entire IT stack, from value-added resale to managed services.
At CDW, the role of field CISO is built around four pillars:
- CISO peering: we maintain peer-to-peer relationships with client CISOs, mentoring them to manage their strategy, quantify their cybersecurity risk and communicate risk as a business level initiative to a board of directors
- Reporting client feedback to CDW’s Global Security Strategy Office: we’re the voice of the customer back into CDW’s security practice for how we go to market in security by bringing back solution ideas that our customers are looking for
- Levelling-up CDW sellers: we run enablement sessions around sales to help our sellers figure out how to open the door to our customers’ C-suite executives and how to speak the language of the C-suite
- Eminence: we level the credibility of CDW’s security practice in general, through speaking engagements at industry conferences and on webinars, writing blogs, articles and white papers
IM: Do you manage the security strategy of CDW itself?
WP: No, we are all external facing.
There is an internal security team, and our actual CISO is Marcos Christodonte. We do frequently work together.
For instance, I’m currently trying to build a set of service offerings around post-quantum cryptography (PQC) and CDW is patient zero, so I work closely with Marcos and his team.
In the past we built service offerings around zero trust architectures, risk quantification programs and more – things that became part of what we deliver at CDW.
IM: Would you say that to become a field CISO, you need to have been a CISO?
WP: You need to have a good deal of experience in cybersecurity, because you have to know a little bit about almost everything.
The biggest challenge of the internal CISO role is responsibility. When you're the CISO, you're the leader of a team and you are the authority when it comes to security.
In the field CISO role, you move to being an individual contributor again and an advisory role.
Instead of deciding on the strategy, you make suggestions; sometimes people take those suggestions and sometimes they don't. Some people can handle that, others can't. Some CISOs make the transition well, and some don't.
Personally, I love that every day is a different challenge. I love to go out and research new topics and write a paper or create some thought leadership. Just yesterday, I spent my whole day writing an article about how we do security for vibe coding, because that was something that came up with a client the day before.
In contrast, one of the biggest challenges with my current job is keeping up your skill set. It's easy to get stale when you get out of the internal CISO seat and you're not a practitioner.
You have to stay up to date on what is hot and what's going on in the world.
IM: How do you ensure you and your team keep up?
WP: One of the things I did for my team to measure our skills is an application I built, a skills matrix, organized around belt levels. You can have a black belt in one area and a blue belt in another, therefore you'll get a red belt overall.
The skills matrix covers knowledge levels across certain industry verticals and our ability to deliver services to our clients, with the skills broken down between strategy, governance and security operations (SecOps).
Then there are field CISO skills: your ability to do peering, enablement and eminence activities, and the amount of eminence activities that you're doing, all factor into that.
Every so often, we run meetings we call expert-led strategic advisory sessions (ELSAS) to the wider organization: they're 60-to-90-minute free workshops that are meant to be educational.
During those sessions, we talk about new, cutting-edge technologies – the big ones right now are AI security, PQC or SOC modernization. The ability of field CISOs to deliver those educating sessions also goes into the belt system.
When you hit a certain kind of score for a set of skills, then you move up the belt level. I used to be the one making the scoring system, but now AI does it. I turned what used to be a spreadsheet into an application and I vibe coded it with an OpenClaw agent, and now the application runs on OpenClaw. When you go in and answer all the questions, it tells you what your score is and prompts you for the things that you need to do to level up your belt.
The belt system was just a way to make that skills matrix fun. It helps motivate myself and others to keep growing, because there's a lot to know and there's a lot of challenges. It can get discouraging when you look at all the things that you don't necessarily know.
IM: What are your personal strengths and weaknesses, according to your system?
WP: My skills are varied. I am working on this PQC service offering program and I wrote a book on quantum-proof cryptography [called Quantum Ready: The Enterprise Guide to Post-Quantum Cryptographic Readiness], so I'm ahead on that.
Then, I also wrote a book on how to be a CISO [called The CISO 3.0: A Guide to Next-Generation Cybersecurity Leadership], so I'm also ahead on doing risk quantification and using risk metrics to tell a business story.
However, I really have big gaps in governance and compliance. For instance, what is required in the US under the government’s Cybersecurity Maturity Model Certification (CMMC). I know almost nothing about that, but there are several people on my team who are certified for this type of job.
IM: To what extent do you feel that the CISO role has changed since you started in this industry?
WP: It’s changed a lot. After I dropped out of college to go on tour with my rock band, I had to figure out how to get a real-person job. I remembered loving computers and thought I could be an ‘IT guy’ – back then, you could have crazy hair and tattoos out and be an IT guy.
I took many security certifications because I was offered a very cheap bundle and then was able to work my way up with just certifications. I don't know if you could get away with landing in a CISO seat without a degree today, but I still know a couple of people who've pulled it off.
This is actually the premise of my CISO 3.0 book, in which I lay out a historical progression of CISOs.
First, CISO 1.0 is what we had in the early 2000s when it was enough to just be the smartest technical person. If you knew what a firewall was, you were a security expert. A lot of the time, CISO 1.0s just put tools in place and spent a lot of time opening tickets and ‘firefighting.’
When we moved into the 2.0 version of CISOs in the 2010s, we moved toward a compliance-based role. They had to figure out how their security program measured up against security standards, like NIST or ISO. Additionally, that was when CISOs took a lot of external input from cyber insurers, their customers and government bodies to identify the gaps in their organization’s security posture.
Then, CISOs 3.0 took an inside-out look. We started trying to understand how we become a business partner and how we internalize what our risk posture and risk appetite is and use that to drive what we should be doing.
However, even though there's a historical progression there, I still find that it's not uncommon to see people who are in the CISO seat today but are still performing as CISOs 1.0 or 2.0.
Additionally, the level of responsibility of CISOs has dramatically increased, yet not all CISOs are set up for success. The more accountability you have, the more you have to worry about.
Oftentimes, in the US, CISOs are held responsible for what they disclose to the Securities and Exchange Commission (SEC) but don't necessarily have a lot of input into what goes into those disclosures. Look at Tim Brown, the former CISO of SolarWinds: he was personally sued by the SEC.
IM: What advice would you give to someone who wants to be a CISO 3.0?
WP: Today, CISOs end up in the seat through two different paths.
Sometimes, you’re the most technical person and you'll end up with a technical architect role and later get elevated into that top CISO seat.
In other cases, the organization will take somebody who has an MBA but no security background and put them in that seat because they have business skills.
Either way, you need both business skills and security technical prowess. What’s more, you must be able to quantify the risk and translate it into a language that the executives understand.
Historically, we have not necessarily been great as an industry in sounding like the other C-level executives. If we want to get a seat at the board like other C-suite executives, we need to be able to turn cyber risk into business risk.
IM: How did you achieve the mission of talking to the board?
WP: If you think about boards, they generally use risk-based approaches. They have liquidity risk, health and safety risk, all kinds of risks – and cyber risk is just one of those.
All the other risks are framed in dollars and cents, so that's what boards want from us when we tell them about cyber risks. They want us to come in and say, “You have $100m worth of risk. I want to help buy that down by $50m, and it's going to cost $200,000.”
It's a much easier story to tell than using something like the NIST or ISO maturity levels that we use today. Quantification is the secret to business alignment and to understanding your materiality.
To do so, you need to answer the following questions:
- What are your main threats and risks?
- How much risk should you accept?
- How much risk should you mitigate (e.g. with security solutions, secure architecture, etc.)?
- How much risk should you transfer to insurance?
- How should you explain those choices in a board level conversation?
The only way to do that is to quantify that risk, but I would advise against using old qualitative methods, like the ‘high, medium, low’ risk matrix.
You’d be left with a dilemma: is it better to solve one high risk, five medium risks or 15 low risks? You can't figure that out from using only this metric, meaning you can't justify your spending.
Today, there are many valid methods, including basic Monte Carlo simulations, learning how to calculate long tails or using the Factor Analysis of Information Risk (FAIR) framework. I would also recommend the book How to Measure Anything in Cybersecurity Risk, by Douglas W. Hubbard and Richard Seiersen.
However, if your resources are constrained, you don't have to take it that far; you can do really simple calculations. Plus, there are several companies that will help you do this for a small fee.
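The dollars-and-cents board story Powell describes (annualized loss, the long tail, and how much risk a control buys down against what it costs), as an added worked example that is not from the article or CDW: a FAIR-style Monte Carlo in which event frequency, loss magnitude and the control's effect are constructed assumptions.

```python
# FAIR-style Monte Carlo risk quantification (constructed illustration).
# Assumed model, not from the article: loss events per year are Poisson,
# each event's loss is lognormal (fat-tailed), annual loss is their sum.
import math
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    events_per_year: float  # loss event frequency (Poisson lambda)
    median_loss: float      # median single-event loss, in dollars
    sigma: float            # lognormal spread; larger means a longer tail

def poisson(rng, lam):
    """Draw an event count (Knuth's method; fine for small lambda)."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1

def simulate(scn, trials=20000, seed=1):
    """Return sorted simulated annual losses for one risk scenario."""
    rng = random.Random(seed)
    mu = math.log(scn.median_loss)
    annual = []
    for _ in range(trials):
        n = poisson(rng, scn.events_per_year)
        annual.append(sum(rng.lognormvariate(mu, scn.sigma) for _ in range(n)))
    return sorted(annual)

def percentile(sorted_vals, q):
    return sorted_vals[min(len(sorted_vals) - 1, int(q * len(sorted_vals)))]

def summarize(losses):
    """Annualized loss expectancy plus the median year and the long-tail year."""
    return {"ale": sum(losses) / len(losses),
            "p50": percentile(losses, 0.5), "p95": percentile(losses, 0.95)}

def control_decision(base_ale, mitigated_ale, annual_cost):
    """The board story: how much risk a control buys down versus what it costs."""
    buy_down = base_ale - mitigated_ale
    return {"buy_down": buy_down, "net_benefit": buy_down - annual_cost,
            "worth_it": buy_down > annual_cost}

if __name__ == "__main__":
    # Constructed numbers: a control that cuts event frequency from 0.5/yr to 0.1/yr
    base = summarize(simulate(Scenario(0.5, 1_000_000, 1.0)))
    after = summarize(simulate(Scenario(0.1, 1_000_000, 1.0)))
    print(base, after, control_decision(base["ale"], after["ale"], 200_000))
```

The median simulated year has no loss at all while the 95th percentile year is several times the annualized expectancy, which is exactly why a single 'high/medium/low' rating cannot support a spending decision.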