CISO Networks Decoded: What Works, What Doesn't

Dive straight into the core of CISO networks, peeling back the layers to uncover what truly makes them succeed or fail. This post is about getting to the heart of building impactful cybersecurity leadership circles with no fluff and all substance. Discover the straightforward essentials of cultivating a network that stands out from the mediocre and is genuinely worth your time and effort.

I often chat with VCs and startups looking to build out their network of security leaders who are looking for advice. These conversations typically follow a pattern where we swap stories about our experiences, emphasize the importance of building solid networks of security leaders, and distinguish what separates good and not-so-good ones.

Over the years, I have been involved in various CISO and security leader networks, both within VC firms and startup advisory networks. I’ve seen first-hand what good looks like and what misses the mark. So, after recently rereading the infamous a16z blog post, Good Product Manager/Bad Product Manager, I came up with a list of these characteristics from a 'good versus bad' perspective.

Before dissecting the good from the bad, it's important to understand the broad spectrum of what is meant by 'CISOs' and 'security leaders.' These terms include a diverse group of professionals far beyond those holding the CISO title. These are people who have seen a lot of variety in technology and industries, have opinions they are willing to share, have a desire to see the industry improve, and have had an influential part in the decision-making process of buying security technologies and services.

Now that we have a clear picture of who makes up these networks, let's pivot to a foundational concept that underpins a network’s success or failure: the principle of network effects. As the network grows, each new member adds to the network's size and exponentially enhances its value for all participants. This principle reveals why the quality and depth of these networks exponentially amplify their value. Building these kinds of networks should be a positive sum for everyone involved. Recognizing the power of network effects sets the stage for exploring the core discussion: the contrasting dynamics of good and bad CISO networks. Let's look at the traits that define the best networks and the pitfalls that trap the others.

The Good, The Bad, and The Ugly

Good CISO Networks focus on bringing together a collection of interesting and influential people in the cybersecurity community and letting the magic happen. These networks create dialog, shared interests, unique experiences, and even friendships among practitioners, investors, and founders alike. Good CISO Networks leverage network effects by fostering a community where every additional security leader enhances the collective expertise and resources, making the network increasingly valuable for everyone involved (remember network effects?). This can be in the form of in-person events, virtual sessions, or more informal channels on Slack/Discord, WhatsApp/Signal, or some combination.

Bad CISO Networks don't create network effects at all and keep members in the dark. They reach out to practitioners when they need something, and it’s always urgent or time-sensitive. They encourage short-term thinking and short-term actions. Bad CISO Networks don't actively encourage connecting with the other security leaders in the network and don't create opportunities to engage. Good CISO Networks realize the value of community interactions and engagement and seek it out at all turns. Good CISO Networks realize they are playing long-term games with long-term people.

Good CISO Networks know how to connect security leaders to the right companies and let the rest play out. Good CISO Networks coach founders on engaging with the group of security leaders in an open and transparent way. Bad CISO Networks rely too much on the security leaders for sales in the form of warm leads and introductions to their networks instead of focusing on building better value propositions and go-to-market (GTM) approaches.

Bad CISO Networks can be one-way streets. They repeatedly ask more of the security leaders in the network without giving back or appreciating the value. Bad CISO Networks crowdsource insights from the security leaders in the network and pass off their learnings as their own thought leadership. 

Bad CISO Networks don't even ask what is important or valuable to the security leaders in it. They see security leaders as sources of knowledge they can mine on-demand and as sources of sales and lead generation. Bad CISO Networks focus on exchanging security leaders' time and insights for "access to cool startups" as a viable value exchange for security leaders.

Good CISO Networks create opportunities for security leaders and startups to discuss how they can collaborate and share ideas to elevate one another and move the industry forward without pressure or expectations. Good CISO Networks realize that security leaders are already inundated and overwhelmed with outreach across all fronts from those startups and many other firms. Access has never been the issue, and Good CISO Networks know that. 

Good CISO Networks limit the asks of security leaders in their network and focus on facilitating ideas, themes, and concepts over a long time. Good CISO Networks know the subtle art of relationship building over time, which naturally benefits both sides.

As I noted in a previous article, On the Art of Selling to Cybersecurity People:

Build a relationship if you can, but don't force it.

Not forcing it applies to emails, LinkedIn messages, and cold calls as well. Empty attempts to just get any reply are not a winning strategy.

Good CISO Networks know that security leaders want fewer but higher-quality insights and do everything they can to create that environment. Bad CISO Networks focus on how many Fortune 500 CISOs they can showcase on their websites. Good CISO Networks know they need security leadership voices outside large firms to get multiple buyer perspectives. Good CISO Networks focus on creating signals from the noise and realize the value exchange taking place.

Good CISO Networks do way more than just tick a box for VCs and their startups; they are a core piece of their success. It's all about the real connections and the give-and-take, not just grabbing what you can. This kind of network makes sure everyone's in it together and that the security leaders are not just a one-sided gold mine.

Good CISO Networks stand on their own, and security leaders know which are good and which are not. In the end, building a Good CISO Network vs. a Bad CISO Network comes down to intentions and how participants are incentivized.

Show me the incentives, and I'll show you the outcome.

Charlie Munger

If the incentives of the network don’t add up to a whole that is greater than the sum of the parts (also known as a 1 + 1 = 3 situation), it is a Bad CISO Network.

Take Action

To everyone building or thinking of joining a CISO network, your experiences are important to this ongoing conversation. Share your stories, challenges, and successes with others, and reach out directly if you need help. Together, we can redefine what it means to build a network that connects and elevates every member. Let’s aim for networks where the sum truly is greater than its parts.

The Takeaway Guide

To sum all of this up to make it easier to remember, here’s a table with all the points:

Good CISO Networks | Bad CISO Networks
✔️ Interesting, influential connections | ❌ Lacks meaningful engagement
✔️ Leverages network effects | ❌ No network effects, members in the dark
✔️ Encourages dialog and friendships | ❌ Encourages short-term thinking/actions
✔️ Enhances collective expertise | ❌ Limits member interaction
✔️ Diverse interaction formats | ❌ Uses members for urgent needs only
✔️ Prioritizes community engagement | ❌ No focus on community or engagement
✔️ Transparent company-leader connections | ❌ Over-reliance on leaders for sales
✔️ Coaches founders on open engagement | ❌ Crowdsources insights without giving back
✔️ Facilitates idea and theme sharing | ❌ Sees leaders as knowledge sources only
✔️ Focuses on relationship building | ❌ Focuses on showcasing Fortune 500 CISOs
✔️ Seeks higher-quality insights | ❌ Treats security leaders as lead generation tools
✔️ Includes diverse leadership voices | ❌ Exchanges insights for "access to startups"
✔️ Creates signals from noise | ❌ Omits asking what leaders find valuable
✔️ Real connections and mutual give-and-take | ❌ One-sided, taking more than giving
