Most people don't know what a Field CISO is. I spent nine months as one at Praetorian and I'm not sure the industry has figured it out either.
The role is relatively new. It's organizationally dependent, meaning every company that creates one defines it differently. And depending on who you ask, it's either the future of how security vendors engage with customers or a sales job with a better title.
There's real disagreement about what this job is.
Earlier this year I wrote about building production AI systems as a Field CISO and introduced Optio, the Claude Code persona I'd configured as an operational partner. Since then, Optio has been retired and replaced by a half-dozen specialized agents. Each one has a defined role, its own personality, and rules that constrain how it operates. I'll write more about that evolution soon. The relevant one here is MKNC. The name is a phonetic compression of McKinsey, and it does what the name implies: structured research, source collation, analysis. It runs parallel sub-agents to survey a topic from multiple angles and produces a single research deliverable. Each agent carries a name with functional meaning from its literary source (if you're curious about where the names come from and how they connect back to 77 Spyglass, there's a note on that below).
I pointed MKNC at the Field CISO landscape: job postings, published thought leadership, practitioner commentary across the industry. What came back confirmed what I'd experienced firsthand. The titles alone signal the challenge. Palo Alto Networks calls it VP, Field CSO. CrowdStrike avoids "CISO" entirely and uses Field CTO. Google Cloud skips "Field" and puts former CISOs in an "Office of the CISO." Smaller vendors use Field CISO, Regional CISO, CISO-in-Residence. No two companies define it the same way.
While I was in the role, Mark Weatherford posted a question to his LinkedIn network that stuck with me. Weatherford is the former Deputy Under Secretary for Cybersecurity at DHS. His post asked a simple question: what is a Field CISO? His own framing was useful:
"A Field CISO is usually a customer-facing cybersecurity bridge between a technology vendor and their customers and partners."
The practitioners who responded couldn't agree on what that bridge actually carries.
Between MKNC's research and the conversation on Weatherford's thread, I kept seeing the same three positions:
# The advisory camp
Palo Alto Networks states it explicitly in their Field CSO posting:
"This is not a sales position and will not be compensated as such. This is a thought leadership role that is both public facing and internal to the company."
Their Field CSO reports into the Americas Regional CSO, focuses on conference speaking and executive engagement, and carries no quota. In this view, the Field CISO is a practitioner who happens to work for a vendor. The value comes from credibility, and credibility requires distance from the sales motion.
# The sales camp
Gadi Evron responded to Weatherford's thread with a line that stuck:
"I know some field CISOs who deserve the title. Most are sales."
Evron is the CEO of Knostic and founder of Cymmetria. He's watched the role up close and concluded that the title, more often than not, dresses up a sales function. Cloudflare's own Field CISO posting reinforces this end of the spectrum, describing the role as "delivering against corporate objectives and meeting the growth targets for the business."
# The hybrid camp
Alex Lanstein, now CTO at StrikeReady, held the Field CISO role at FireEye and broke it down on the same thread:
"1/3 sales engineer, 1/3 ability to speak to novel research or breach insights that were not public/published, 1/3 CTO role where I could take their feature requests and actually drive engineering to implement them."
His description is the most honest accounting of the role I've come across. The role does all three. Whether the company has thought about how they work together (or if they just happen) determines how the role plays out.
# Where I Land
I'm in the hybrid camp, but with more structure than Lanstein's "1/3, 1/3, 1/3" suggests.
At Praetorian I was a Managing Director and Field CISO, reporting directly to the CEO. Before that, eight years at Synopsys leading security consulting delivery, four and a half years directing technical services at Leviathan, and time at Amazon building security architecture for Global Payments. Twenty-five years, most of it at the intersection of technical delivery and business strategy.
The role is dual-purpose. It has to be. A Field CISO exists inside a company that needs to grow.
I experienced this credibility problem directly. I'd been accepted to attend an industry conference for practitioners. The night before, the organizers rescinded the invitation. Attendees weren't supposed to be in sales, and salespeople had to pay to attend as vendors. I was there as a practitioner who happened to work for a vendor. But the title signaled to the organizers everything they thought they needed to know.
The role has to be sales-adjacent. The conversations that produce value, where a CISO or CTO is willing to share what's actually happening in their environment, only happen when there's trust that the conversation isn't a pipeline play.
Inside the company, the tension exists too. Not every organization that creates a Field CISO role fully understands where to place it. The role that actually works sits between thought leadership and quota-carrying sales, and holding that position requires forethought.
# Three Functions of the Role
I came to see the role as having three core functions.
# Executive Relationship Management
I think of this as the advisory function, though internally I started calling it the CISO whisperer. The core of the job is engaging with business leaders as a peer. Sitting across from a CISO or CTO and understanding what's actually driving their decisions. I've written about how I approach this in my First 90 Days as a CISO series.
A CISO preparing for an acquisition has different priorities than one scaling into a new market. The conversation with a CTO at a Series B startup who just landed their first enterprise customer looks nothing like the one with a Fortune 500 security leader managing a 200-person team. The trajectory of their business determines which risks are paramount and which conversations are productive.
I learned this at Synopsys more than anywhere else. Eight years working with enterprise security programs across industries. A vulnerability scan produces data. Anyone can run one. Connecting that data to what the business is actually trying to accomplish is where value exists.
At Praetorian, this translated directly. I started with their business context, not the service catalog, asking what they were trying to accomplish and where security intersected.
# Sales and Go-to-Market Partnership
Phil Venables, CISO of Google Cloud, put it plainly:
"We all need to advance our businesses and that is in many respects about selling."
Every Field CISO contributes to revenue. How it's done, and if the method preserves credibility, is the key.
My approach at Praetorian was to partner with the sales team on strategy, both the overall go-to-market and account-specific. I led the High-Tech vertical GTM covering AI, Cloud, IoT, and Automotive, working directly with the VP and account executives on pipeline strategy. I partnered with Marketing on account-based campaigns and spent a lot of time translating our value proposition into language that landed in customer conversations. I also worked directly with the security engineers and their leads to focus efforts on what customers actually cared about.
I had the technical credibility and executive presence to build the relationships. When a prospect's decision maker needed to talk through their security strategy with someone who had actually run one, I was that conversation. Candid advisory conversations surface things a sales process never will.
This is the function that gets the role into trouble when it's not structured correctly. A Field CISO with a commission plan has a fundamentally different conversation than one without.
# Evangelism
The third function blends principal engineering, company spokesperson work, and product management. It's anchored by a deep technical understanding of what the company actually offers and operates through two channels.
Industry representation. Conferences, roundtables, media, analyst briefings. I developed topics like "AI, Attackers, and Reaction Time" and "CISOs, AI, and the Human Edge" and led the conversations with CISOs. The goal was to align what was happening in the broader cybersecurity landscape with the concepts they cared about. Free consulting and education, not a product pitch. If they learned something valuable and actionable, they might remember the interaction and consider reaching out when appropriate or necessary.
When I stand on a stage or sit on a panel, my credibility as a practitioner and the company's reputation are both on the line. Anyone who's attended a security conference knows how many "thought leadership" sessions are thinly disguised product demos. We, the audience, know. And we leave unhappy.
Product evangelism. The other channel runs inward. Customer conversations surface needs, gaps, friction points that the product team should hear. When I heard the same problem described across multiple engagements, that became a roadmap conversation. Single instances became product conversations. The Field CISO is positioned to carry that signal because the conversations are happening at the right level.
This function requires enough technical depth to evaluate what you're hearing. A customer might describe a symptom. Understanding the underlying architectural issue means knowing whether the product can address it, whether it needs a roadmap correction, whether there's an adjacent approach like pairing AI with the product in a way engineering hadn't predicted, or whether the honest answer is that the solution isn't right for them.
# What I'd Want Next
The role ran its course. I started 77 Spyglass because I wanted to apply this philosophy independently. But if the right organization came along with a Field CISO role that understood these three functions, I'd be interested in that conversation.
I'd want an organization that treats the Field CISO as strategic, values the technical foundation, and is honest that the role contributes to growth. Getting the structure right means protecting the independence that makes the whole thing work.
The Field CISO role is still being defined by the market. This is the version I'd want to see adopted.
A note on naming. The naming started with "spyglass" itself: the street I grew up on. The etymology (spy + glass, 1590s) pulled me into Shakespeare, then the Shakespeare authorship debate, and eventually deep into Christopher Marlowe. Playwright, probable spy for Walsingham, stabbed to death at 29 in a room full of professional liars, and a man who had a different name spelling for every room he walked into. Espionage, authorship, identity, consulting in the shadows. The themes mapped too well to ignore. Gibson's Neuromancer completed the set: the AI lived in a mainframe in Berne, connected through Villa Straylight. Three literary universes, each one mapping to something the system does. MKNC is a phonetic compression of McKinsey. MRLO, my authoring agent, takes its name from "Marlo," the variant spelling of his name that appears on one of his books. The workspace itself is strayLite, from Villa Straylight. The machine hostname is glassBern: glass from spyglass, Bern from where Wintermute's mainframe sat. Every name carries functional meaning from its source. There are more of them now, and they've taught me considerably more than Optio did. That's a longer story yet to be written, but it is emblematic of all of this work: symbiosis with AI and intention.