TikTok resets the clock on security leadership

The best time to do succession planning was last year.   But the next best time is right now.

The news this morning that Roland Cloutier is stepping away from the TikTok Global CSO role may or may not be surprising.   After all, Roland joined TikTok a couple of years ago, around the same time that TikTok was dragged into some US political maneuverings.  At the time, it wasn’t clear if Roland was going to be their CSO-for-life, or if his role was to guide TikTok through a transition and build an excellent foundation for its security future (I guess we know now).

Anyone who interacted with TikTok at the RSA Conference this year probably noticed something different.  Unlike most buyers, TikTok showed up in full force.  In addition to having one of the best RSAC parties I’ve ever been to, they ran their own mini-conference, simultaneously using it as a recruiting event and as a vendor education opportunity.   Where most CSOs hide their staff from vendors (after all, who wants even more unsolicited outreach), Roland set his team out in front.  They explained what their day jobs were, and the language of security that TikTok used.   I asked Roland about it during the mini-conference, and he noted that if vendors actually had value they could provide, this would let them more clearly articulate it to TikTok staff; and that vendors who just spammed out their own templates would more easily be filtered out.

Roland’s LinkedIn post announcing his move spends more time talking about the leaders he developed than his own achievements.  Having met the leaders in question—Kim Albarella, Andy Bonillo, VJ Larosa, and Will Farrell (no, not that Will Farrell)—I can say all of them are potentially CISO material, and I look forward to seeing the impact they’ll each have over their careers.  The timing of Roland’s role change is interesting, though, from a career development perspective.

One of the hardest tasks a CSO has is to give opportunities to the next generation of leaders to develop their skills and accumulate successes in their own right.  When the CSO is always there in the wings, all too often the accomplishments of their team are diminished and attributed in part to the presence of the CSO. The result is that when that CSO leaves an organization, the company is quick to replace them with an already-accomplished executive, ignoring the amazing talent that the CSO spent years nurturing.  Alternately, when a CSO stays too long in an organization, their staff wonder if they’ll ever be given an opportunity to progress, and frustration can leave them to depart, whether or not they are ready to do so.

With Roland moving into an advisory role, there is hopefully no urgency today to replace him as Global CISO, especially with the recent creation of TikTok’s US Data Security team (I look forward to the dance-fight for the rights to the acronym with the US Digital Service).  This window as TikTok assesses what their needs are from a future Global CSO, will give Kim, Andy, and Will the opportunity to demonstrate their own abilities.   Maybe one of them will be TikTok’s future CSO, perhaps TikTok will have some form of divisional CISO roles, or someone else might come in and headhunt one of them.   Roland’s transition creates the space for his team to find those opportunities.  Now it’s up to them to seize those opportunities.

[Disclaimer: Roland is a friend of mine.  We were both inducted into the CSO Hall of Fame last year, he’s been a guest of mine on the Cloud Security Reinvented podcast, and we’ve long run into each other at conferences. We’ve been on alternating sides of the CSO/vendor relationship for a very long time.  Roland, however, did not talk to me about this change beforehand, which I might bring up when he buys me a drink at the CSO50 Conference in September.]