Adam Fletcher didn’t even know what cybersecurity was when he got into it. But he had a knack for computers, and a friend persuaded him to join a startup that was installing firewalls when most companies were just buying their first T1 internet connection.
That random exposure to the industry set him on a security career that has spanned three continents – the U.S., South America and Europe – and companies including Equifax, Nokia and Blackstone, where he currently serves as Chief Security Officer.
In that role Fletcher is responsible for both cybersecurity and physical security; oversees a team that advises Blackstone’s portfolio companies; manages investments in early-stage cybersecurity companies; and co-heads the Miami office.
This year, he also served on the distinguished panel of judges for CISO Connect’s CISOs Top 100 CISOs (C100) award.
Exceptional Chief Information Security Officers, in Fletcher’s view, need some level of technical proficiency because that facilitates their ability to solve problems in a dynamic threat landscape.
Another desirable trait is balance.
“Executive teams are probably dealing with small fires all day long, so I tend to only cry wolf when I see the wolf,” Fletcher said. “I want to be measured in my response to a potential incident, and educate them that there’s a process for escalation in place.”
A good CISO will promote transparency to foster trust among key stakeholders and the people who actually get the job done, he added.
“Oftentimes, security can’t really do a lot by itself, especially in the modern infrastructure world of cloud, DevOps and distributed responsibilities,” Fletcher said.
“Security leaders are influencers, and you have to have the types of skills that bring people to the table to discuss what’s important. Then you influence them to put security work at or near the top of their priority list for the good of the organization.”
Security leaders need to be humble, he said, because attackers outnumber them and have only one mission – to attack. “Things change really fast,” he said. “If you think you’ve covered everything and that there’s nothing left for you to learn, you’re just wrong.”
Lastly, Fletcher said, top CISOs have to be willing to share what they’ve learned.
“Many CISOs today started their careers when security wasn’t even a thing,” he said. “But now, we are in a position to teach concepts of risk management and security leadership to a lot of people. Security is everyone’s responsibility. So you have to be a teacher and an educator and a consensus builder in order to bring people along for the program.”
Security leaders aren’t competing against each other, even if their companies are, Fletcher noted. They may even be co-dependent, he said.
“If you were in the financial services industry and it was attacked, why wouldn’t you share information? Giving back to the security community in that way is part of your responsibility.”
As the CISO’s role continues to evolve, security leaders have become the de facto landing place for a lot of technology risk questions that not many others in the organization can answer – for example, with regard to artificial intelligence and third-party cyber risk, he said.
“Thinking about it more holistically as a technology risk officer or a technology risk executive is certainly something that I’ve been hearing about recently,” he said.
Additionally, more and more CISOs are taking on physical security because of its convergence with cybersecurity.
“Having a cyber team that monitors information on physical security risks and then mobilizes the relevant teams to prevent damage or loss is becoming a more common option right now.”
Fletcher hopes vendors will leverage AI to improve the security tools organizations are already using. And he thinks this may be the year that Identity Governance / Threat Detection and Response breaks through as perhaps the most important layer of security.
“I think that will be as much a focus in the next 10 years as regular endpoint activity was in the previous 10 years,” he said.
Fletcher is a staunch advocate of what he calls “agile cyber defense.”
The idea is to become aware of the “unknown unknown” as quickly as possible; determine whether it is relevant to the organization and if so, assess the potential impact; and finally, conclude whether prevention is available and implementable, and if not, decide how to implement detection and response until it is.
“Becoming really fluent at that agile cyber defense methodology is something that I think everybody really needs to focus on,” he said.
He also advocates more frequent testing of controls.
“We need automated testing, continuous red teaming of some kind,” he said. “I need to know that my controls are working effectively, but I also need to know that they’re deployed comprehensively.”
Fletcher expects software-as-a-service platforms where companies store confidential data to become major targets. “Improving SaaS security is something we have a limited amount of time to figure out,” he said.
With authorities requiring more accountability of CISOs, security leaders are going to be held to a higher level of professionalism, including documentation, Fletcher said.
Lately, Fletcher has been on a longevity science journey, learning how to extend health span in the context of lifespan through better diet and exercise.
He tries to play golf once a week, and recently bought a CAROL bike that uses AI for training. He likes to travel with his wife and two young children, and meditates every night.
“I’m usually asleep long before the meditation ends, which I think is a good thing,” Fletcher said with a laugh.