Cybersecurity: Proactive damage limitation
How well equipped are the world’s largest companies to handle the threat of cybersecurity breaches today?
I think if we’ve learned one thing over the last two years, it is not a matter of ‘if’, it is a matter of ‘when’. Even the most sophisticated companies are still subject to breaches. This is the reality that we live in. We have a very complex ecosystem of technology, of business partners, of customers and of employees. It is very easy for a sufficiently motivated individual to find a weakness somewhere in that chain. We’ve seen a real shift and a movement from trying to prevent something from happening to being prepared when it does, so that you minimize the total damage.
How frequently are cybersecurity breaches happening?
They are literally happening all the time – there are hundreds of breaches that never make the news. The FBI reported that they were involved in over 3,000 cybersecurity breaches in the US last year. There are different degrees of magnitude, but on any given day our clients probably have 10-15 large breaches. Very large organizations are probably in a constant state of breach, where they’re managing an individual server or system that has been compromised. But this isn’t just a large firm issue – it is happening to organizations of all sizes all over the world. What the best firms are able to do is they’re able to contain the damage so that it doesn’t become widespread.
How quickly have boards reacted to the threat of cybersecurity breaches?
We see them keenly interested in this. After the Target breach last year we saw more and more boards getting engaged in this discussion. If you’re a major Fortune Global 2000 company it is almost impossible that cybersecurity isn’t on the agenda. If you’re a Financial Services regulated organization, the regulators have come out with guidance that mandates that this is on the board’s agenda. Virtually every client we have, the board is taking this on as a topic and getting briefed on a regular basis.
What skills does it take for someone to thrive in a leadership role overseeing cybersecurity?
It is a very difficult role to fill right now. It requires a number of skills and experiences that are difficult to find in a single individual. You certainly need technical acumen that somebody who has grown up in the networking, internet, technology space has. They have to understand bits and bytes and fairly technical concepts.
At the same time it is really important that the person is able to communicate and engage with the business. This is fundamentally a risk management discussion. What are the types of bad things that can impact our competitive position? What is our tolerance for certain bad things to happen? Having those plain English business discussions is really critical and being able to frame the problem in a way that you can get your senior executives engaged in it is a really critical success factor.
The third factor the individual needs is the ability to consume and process intelligence – often somebody from the intelligence community, for instance someone who has come from the FBI, the CIA or GCHQ. Many of the same skills and techniques that our government uses to track down physical criminals can be used to track down criminals online.
In your opinion, how well placed are executive search firms to handle the increased demand for executives with cybersecurity knowledge?
Executive search firms certainly have the access and there is the market opportunity there. There are far fewer qualified candidates than there are positions and needs. The challenge for the search firms is to really get knowledgeable in the space, to understand the character traits and experiences that clients are looking for in these types of roles, and to understand what the attributes are that make somebody successful.