Technology's impact on the roles of CIOs and CISOs?
Technology advances over the last decade have undeniably transformed executive-level talent acquisition and C-suite roles. Every industry and function has been disrupted. For technology specialists, this disruption has been both a challenge and an opportunity.
It was only nine years ago that the first iPhone was released. Further, we have seen the incredible growth of cloud computing and Software-as-a-Service (SaaS) – with investment banking firm Centaur Partners predicting that the market for these services will grow from $13.5 billion in 2011 to $32.8 billion this year. Both of these disruptions created tremendous pressure for consumer friendly goods and services that were quick, easy-to-use and available on demand.
These innovations have changed the way that we view technology. In the process, they have completely transformed the role of Chief Information Officers (CIOs) and effectively created an entirely new executive role – the Chief Information Security Officer (CISO). In this article, we explore how both roles have evolved in recent years and where to find the bestin- class talent in both disciplines.
How has the role changed?
As digital disruption transformed our expectations of what technology could do for us, Chief Information Officers found themselves at an inflection point: they could take the opportunity to elevate themselves within the business and drive commercial innovation, or they could maintain their focus on systems management.
“The traditional CIO was responsible for making sure the internal system trains ran on time – improving efficiency, keeping costs in check and generally avoiding major errors,” says David Finke (USA), who leads Russell Reynolds Associates’ Global Technology Sector and is the founder of the firm’s Digital Transformation Practice. “Now IT can be a source of competitive advantage or a reason that companies get disrupted out of existence. Today’s top CIOs don’t just support the business with well-functioning back office IT systems. They also engage strategically to find sources of sustainable differentiation across the value chain so as to focus precious internal resource on what truly matters while partnering with external providers for the rest.”
A decade ago, IT security specialists were mostly concerned with systems management and anti-virus software. But the wave of digital innovation of the last ten years has left many, if not most, organizations significantly underprepared for cyber security threats. Over the last three or four years the demand for CISOs has exploded, following a wave of high profile breaches too numerous to list. “Even in the last few years the role of the CISO has evolved and changed,” says Gerry McNamara (USA), Global Managing Director of Korn Ferry’s CIO Practice. “There has been a lot of education needed from consultancies to help boards understand what realistic expectations are. The level of engagement by boards regarding matters of both cyber and physical security has risen to an all-time high primarily driven by a desire to manage reputational and operational risk.”
Part of the shift for leadership has been to understand the new environment that we live in: cyber security is no longer about simply keeping hackers out of your systems and data; it is about minimizing the damage once an inevitable breach occurs. Threats can come from any number of places, as a recent Boyden study (called ‘Cybersecurity: Is Your Board on Board?’) of 36 client organizations shows (see chart below).
An additional layer of complexity for CISOs to navigate is that the industry for security software has exploded just in the last couple of years, as Lambert Rugani (USA), who leads Spencer Stuart’s CISO team, explains. “The market for tooling and technology has exploded tenfold,” he says. “So many firms have entered the market with niche solutions. While this provides more opportunity for new insights on threats, we now see CISOs considering consolidation of tools and an added focus on automation.”
WHAT SKILLS DO EXECUTIVES NEED TO BE SUCCESSFUL?
When we work on a CIO assignment now, we answer to the CEO or the board,” says Baard Storvseen, Managing Partner at TRANSEARCH Norway. “They are looking for people with strategic skills who can act as an advisor.”
To shift their value proposition towards a more commercial and strategic function, CIOs have to demonstrate many traits that have not traditionally been associated with technology leaders: high levels of emotional intelligence, ability to influence other business leaders, and a holistic overview of technology’s role in the business.
Cathy Holley (UK), Partner and Co-Head of Boyden’s CIO Practice, says: “What makes a world-class CIO has nothing to do with technology anymore. What differentiates them is that they are outstanding leaders who can motivate people through difficult times and manage difficult stakeholders. They are expected to provide shareholder value and that means demonstrate commercial value.”
“The ideal CISO needs to be a little bit like Cary Matheson [from hit TV show Homeland]: smart, fearless, intuitive and more than just a little bit paranoid,” says Jay Hussey, who leads Odgers Berndtson’s US Technology Practice. “Cyber security is more chess than checkers – you may have to sacrifice a few pieces to win the game. Breaches will happen but how you learn about them and respond is crucial.”
However, CISOs also need to exhibit more traditional leadership skills as well: particularly communication and ability to collaborate and influence others. With reputational risk being clients’ biggest concern about a cyber breach, these executives need to be as comfortable building relationships with PR firms and IT vendors alike, building multifaceted responses to identify, respond and recover from an attack. If they don’t manage this skillfully, they can become unpopular pretty quickly, as Jan-Bart Smits (Holland), Technology Practice Leader at Stanton Chase, explains. “Changing behavior is extremely difficult and it requires excellent social skills. CISOs have to explain why they’re implementing more rules and systems that may make people’s lives more difficult. They have to help people understand the importance of their decisions.”
Russell Reynolds Associates’ recent research (called ‘The CISO Assessment Level Model CALM’) helped to define some of the traits and skills that different organizations may need to find the right CISO for them. Ultimately, if a CISO believes that cyber security is an IT issue, they are more likely to be reactionary and transactional. Whereas the CISOs who place their role at the center of business operations and strategy are anticipatory and relational. Unsurprisingly, the latter group typically answer into the board or executive committee of organizations and command higher compensation, while the former are likely to have a less elevated position in their company.
WHERE DO YOU FIND EXECUTIVES WITH THE RIGHT SKILLS?
While the notion of commercially-savvy CIOs may be a development in most sectors over the last decade, it was pioneered by several companies in the consumer sector before that – such as Walmart, Procter & Gamble, and American Express. Odgers Berndtson’s Hussey explains: “The best consumer companies have innovation at the core of their business. The line between technology and marketing has become almost non-existent in these companies over the last 10-15 years.”
While the consumer sector can yield commercial CIOs, TRANSEARCH’s Storvseen explains that there are other places to look if you are searching for a more strategic CIO. “You can find a good combination of technical skills and business acumen in the professional services sector,” he says. “Those companies do a lot of structural and strategic work. In my experience those consultants are open to a conversation about going in-house, as long as the role works closely to the CEO.”
The changes of the last decade have been so transformational for the CIO role and so disruptive for the technology function as a whole, it can be difficult to distinguish where the real expertise is. Essentially, everyone has been disrupted, so how do you know who responded well? That is why the value of executive search firms has also risen in this space, as Peter Hodkinson (USA/UK), Consultant in Spencer Stuart’s Financial Services and Information Technology Practices, explains: “You have to distinguish between those who have learned the new language and buzzwords of technology and those who have a genuine track record of success in this new dynamic. We earn our money by deciphering what’s really been achieved and how.”
Because the role of today’s CISO is so significantly different to the remit of a technology security professional a decade ago, there is an element of experimentation taking place to find the right CISO fit.
Gavin Colman (London), Partner at Heidrick & Struggles, says: “There hasn’t been a clear career path for this role and that’s what we need in order to develop security experts. CISOs tend to be quite an eclectic group. You get the technology people, who aren’t always great communicators and are more interested in solutions. Then there are former consultants who have moved over, who are good in the C-suite but tend not to have the same depth of technical understanding. Finally there are people who have come through security roles, such as MI5, MI6, CIA, NSA etc., who were very popular for a period of time.”
While individuals with a security, intelligence or military background had been considered ideal candidates to thrive in fast-paced, highly complex environments, that opinion has evolved – amidst concerns over cultural fit, the ability to manage teams outside of a command and control leadership style and differences between the role in the private and security sectors. Spencer Stuart’s Hodkinson explains: “In some cases that has been successful, but in a variety of others, people have struggled because they have found it difficult to go from an environment where they have the option of offense as well as defense to one focused on defense alone. We’re also seeing an evolving trend for people with an engineering background who have a strong understanding of cloud computing. The logic is that as we get more sophisticated about how we store and manage our data in the Cloud, such skills will come to be critical to securing data for a modern enterprise.”
A pressing need that consistently came up during interviews for this article was for greater training and focus on the level below the CISO. The threat of a cyber breach is not likely to abate any time in the foreseeable future. Therefore as the importance of the cyber security role continues to grow both in terms of mandate and responsibility, we will need a greater talent pool. Investment in mentoring, development and succession planning should be underway already so that we do not find ourselves continuously so under-resourced.
WHAT ARE THE FUTURE OPPORTUNITIES FOR OUTSTANDING CIOs AND CISOs?
CIOs and CISOs
Beyond the opportunities within the CIO and CISO functional roles, do the skills that these executives have acquired qualify them to be considered for broader C-suite roles and even board positions? There are some success stories to report in the case of CIOs moving into new roles, because the position has existed for longer. Notable examples include: David Lister, who is the CIO at National Grid in the UK and now sits on five boards, including HSBC Bank Plc and the Department for Work & Pensions; John Hinshaw, who served as the CIO at Hewlett Packard and is now on the board of BNY Mellon; and Tania Howarth, whose expertise as CIO at Igloo Group led to her becoming CIO & Group HR Director and now Chief Operating Officer.
However, Stanton Chase’s Smits explains that digital executives have to become more comfortable being their own ambassadors. “Nobody notices when something works as it should, so CIOs only hear when things don’t work out,” he says. “They are sometimes perceived as people who simply create issues. CIOs have to put effort and time into telling their own success stories.”
Indeed, Amrop’s recent Digital Board Skills Survey shows that digital executives haven’t made it to board level yet. After analyzing 1,280 board directors from the largest publicly-listed companies in 11 countries across Europe and North America, Amrop found that on average only five percent of non-technology companies have digital competencies. This is both surprising and shocking when you think about the opportunities that digital and technological advances create for innovation and the constant threat of a cyber-attack.
Linn Freedman, cyber security expert and Partner at the law firm Robinson & Cole, believes that boards need to focus on identifying board members with cyber expertise with some urgency. “Boards need someone who understands the risks and the needs from a budgetary standpoint,” she says. “CISOs are dealing with this on their own and there is often a disconnect if the board doesn’t understand what is happening from a risk management perspective. There needs to be someone on the board to be a conduit of communication and understanding.”
No doubt we will see more of these examples as both the CIO and the CISO role continue to innovate as hubs of strategic innovation and risk management.