What to Know Before Moving from Government to Industry in Cyber

In the shadow of Andrew Jackson’s statue near the center of Lafayette Square in Washington rests one of the most famous benches in American history. Officially dubbed the Bench of Inspiration fifty-nine years ago, the small resting place is where the great financier Bernard Baruch held private court with the leaders of our country during the 1940s and 1950s. The bench remains today a symbol of public-private cooperation in the US.

That business leaders should step away from industrial management to serve their fellow citizens is well-established in our nation. Sometimes it results in the gift of capable insight, as with Mr. Baruch serving many presidents including FDR. And other times the results are more questionable, as with the Whiz Kids from the Ford Motor Company using modern dispassionate accounting methods to help justify LBJ’s continued involvement in Vietnam.

Regardless of the outcome, the move from industry to government remains popular, and continues to allow executives to give back to their country. More modern examples of this transition include Perot, Trump, Corzine, Romney, Whitman, Forbes, Bloomberg, Fiorina, and on and on. Each of these individuals transferred executive skills learned in industry to become political leaders (some more successful than others, obviously).

But what of the reverse move? The transition from government to business has been less welcome – even considered unsavory at times. Images of former political leaders taking money for speeches to companies are met with great scorn by citizens, as if some crime were being committed. Even the nomenclature used is weird: Government leaders will say, for example, that they are moving to the private sector. No one in business uses that term.

This issue is especially relevant in our cyber security community, because the reverse career move from government to industry for CISOs is not only common, but encouraged. Boards, C-suites, and investors laud the idea that someone federally-trained in cyber security would come to industry to leverage their experience. Few people question the potential success of such moves, and as far as I know – there have been no studies to see if it works.

I can tell you, however, that many CISOs with government experience have had bumpy dealings with cyber threats. Sony Pictures, JP Morgan Chase, and Capital One, for example, all experienced serious data breaches with government-trained security executives at the helm. These cases might be coincidence, but they do prompt the question of whether the transition in cyber security from government to industry is being properly managed.

Based on four decades of watching this process unfold, including my own very brief stint serving in government in an official cyber security role, I can offer three suggestions for any cyber security executive doing the shift to the private sector (ahem). I should preface my comments by saying that these are intended for executives moving into operational roles in cyber defense. Government experts doing start-ups should look elsewhere for advice.

The first suggestion involves the means and purpose guiding the day-to-day work of the CISO and security team. In government, both the means and purpose will consist of this: Meetings with the right attendees, documents with the right content, and councils with the right organizations. If you check each of these three boxes, you will be a successful civil servant (and admittedly, this is less true in the military than in civilian government).

In industry, things are a bit different. Any business executive will tell you that meetings, documents, and councils are to be avoided wherever possible. They are neither the preferred means nor the target purpose for any initiative, much less ones related to cyber security, where long meetings and boring reports are loathed. Every CISO in industry knows, for example, that number-of-meetings is booked on the cost side of the ledger, not the reverse.

Successful businesses focus instead on tangible results, and this is often accomplished through simplification. Interestingly, in many environments, such simplification can be achieved by dramatically reducing the number of . . . yes, you guessed it: Meetings, documents, and councils. The successful security executive leaving a civilian agency to join a bank had better learn this fact quickly – or prepare to relocate back to River City.

The second suggestion involves how an individual’s job performance is evaluated. In government, every federal CISO or security executive knows that fairness is the primary metric by which civil servants are compared and compensated. The United States Office of Personnel Management publishes a guide that lays out the basics of this process, which boils down, more or less, to making sure that everyone is treated the same.

When managers depart government and land in a business, however, they quickly realize that when it comes to performance review, the concept of fairness is interpreted quite differently. That is, it is considered fair to treat higher performers better than weaker ones. This can include visible recognition such as trips to Hawaii or the best corner offices. Unlike in government, fair does not mean same-for-all: Fairness is based on merit.

What this means is that the successful security executive coming from some federal department to a power or retail company had better learn to identify the company's business objectives. And all job performance activity had better link directly to the practical achievement of those objectives. Do this properly, and you will advance. Do it poorly – and, well . . . you might be back in that cubicle in Arlington tapping into a slow Windows PC.

The third suggestion is perhaps the most difficult for anyone coming from government to accept. Recognize that federal cyber security teams, especially in the military and intelligence communities, are driven by a passion to serve their nation. The stark recognition that global cyber threats from an adversary could impede one’s way of life helps to drive this passion, and we all benefit from such fine motivation. It is wonderful.

In stark contrast, however, modern business executives in public companies are coldly driven by three quantifiable objectives: Earnings, stock price, and growth. This is neither good nor bad. It is just different from the underlying factors that motivate federal workers. Businesses must do whatever needs to be done to optimize these factors. Their only recognized adversaries are competitors: Coke doesn’t hate foreign hackers. They hate Pepsi.

The successful security executive coming from government must therefore learn quickly that protecting one's nation is not the charter of business – unless their products or services are used for such purpose. And yes – corporations can be good citizens, and can help during times of stress such as terrorist or weather emergencies. That said, an enterprise will go out of business if it doesn't focus on its stakeholders.

I hope security executives who are either planning to move from government, or who have recently done so, will take my advice to heart. Partnership between the public and private sectors requires close coordination, and the cross-pollination that comes from executives making this switch helps lubricate this process. We should all encourage movement in both directions between business and government.

But the government security executive who is trained to use meetings, documents, and councils, in an atmosphere of employee fairness, with the ultimate goal of protecting society, might be in for a rude awakening. In business, the successful executive minimizes the number of meetings, documents, and councils, in an atmosphere of rewarding merit, with the ultimate goal of making lots and lots of money. It's not better or worse: It's just different.

As always, I hope you’ll share your views on this topic.