We live in an era of technological insecurity. What can we do to make sure our clients have the right talent to meet their cybersecurity needs?
Cybersecurity breaches pose the third largest threat to organizations today, according to a recent global survey of C-suite executives by the consulting firm Protiviti. Two years ago, cybersecurity ranked seventh on the list of top threats. PwC estimates that there were 42.8 million breaches worldwide during 2014, a 48% increase compared to 2013. The speed and sophistication of these breaches has surprised the business world, with high profile casualties including Sony, Target, and JP Morgan. In many instances, organizations have more comprehensive insurance for fires, floods and ice storms than they do for cyber security breaches and data attacks.
While North Korea’s hacking of Sony and Iran’s hacking of American billionaire Sheldon Adelson have gathered headlines, it is incorrect to assume that this issue only affects large organizations or that it only happens in the United States. Hackers do this for many different reasons, whether it is financial, ethical, political, for the prestige of breaking into a high profile website or database, or simply for entertainment. Similarly, hackers can be external or, in the case of the NSA, internal.
Anthony Batchelor, Partner at Odgers Berndtson, explains that “information security is moving from the boardroom to the bedroom. In Canada we keep hearing about situations where people have their personal information hacked and are asked to pay a ransom.” Batchelor says that many of these incidents go unreported for a long time, as individuals are too scared or embarrassed to approach the necessary authorities. Any organization that holds data about its clients has an obligation to keep that information safe, to protect their customers and their reputation.
Risks have risen exponentially
Technology has facilitated giant leaps in innovation, akin to the industrial revolution, and trends in software as a service and cloud computing have enabled organizations to cut costs and drive efficiency. But the price we pay for this more interconnected world is greater instability, as Graham Willis, managing partner at Watermark Search International, explains. “The growth of big data sets and the technologies to interrogate this data means that the risks associated with third-party illegal access have risen exponentially.” During the AESC’s recent Global Conference, panelist Stephen Ward, chief information security officer at TIAA-CREF, explained that the role of a CISO has changed dramatically in recent years, to handle the greater data insecurity and the growing corporate concern. “Five years ago we were scrapping for a $5 million budget. Now we’re given hundreds of millions,” he said.
Cybersecurity is no longer just about compliance with regulators, although in heavily-regulated sectors like financial services this is still a factor. “We’re seeing a tremendous amount of variation from company to company,” says Matt Aiello, partner at Heidrick & Struggles. The requirements of the role depend on an organization’s products – a consumer technology brand may search for a CISO with a software engineering background to shore up customer-facing products, a financial services firm may look for someone with a government security background in the NSA, CIA, or GCHQ, while healthcare organizations may search for white collar “ethical” hackers to build defenses.
“This is such a fast moving topic that I don’t think we’ve landed on what the perfect CISO looks like,” Batchelor says. “That’s why creating this function hasn’t taken off in companies as quickly as people thought it would. The smarter companies will look at the composition of their board and have an information security board member who will interact with the CISO. You need someone waking up and thinking about information security from a strategic level, as well as someone from a tactical level.” This can be seen in the cases of Kris Lovejoy at IBM and Pat Reidy at CSC, both of whom have made the step up from CISOs to a more strategic cybersecurity position that is further embedded with the rest of the business. By adding a layer of cybersecurity expertise above the CISO – either at the board level or overseeing a function that encompasses physical security, risk and compliance, for example – there will be greater consistency between organizations, greater professionalism from the cybersecurity experts, and more strategic thinking around the trade-offs of security and enterprise.
It is a very difficult role to fill now
But with so much variety currently around what is being expected of CISOs, Joe Nocera, partner at PwC, says, “it is a very difficult role to fill right now. It requires a number of skills and experiences that are difficult to find in a single individual.” So what are the desirable traits of successful CISOs?
Matt Comyns, cybersecurity practice lead at Russell Reynolds Associates, says: “The role has traditionally required technology leaders to serve as urgent responders, but they must now be ahead of the curve, developing a clear vision of how hackers’ tactics will evolve, becoming proactive innovators. While technology roles always have and always will call for relentless attention to process and detail, they must also demonstrate real agility – the willingness and ability to pivot and respond to changes in the threat environment.” Similarly, a CISO must have an ability to be externally facing, dealing with concerns of colleagues, customers, regulators, governments, law enforcement agencies, crisis management firms and investors where applicable.
But, despite interfacing with so many stakeholders and staying up to date with the latest trends in cybersecurity, perhaps the most important expectation is that CISOs will be business-savvy enough to understand when to take calculated risks in the name of enterprise, and when to tighten the reigns. For instance, McKinsey estimates that banks are currently losing $300 billion a year globally because of delays in product launches caused by security compliance, which is impractical and positions cybersecurity professionals as obstacles to progress. “A compliancebased approach where everything must be protected is too overwhelming and also destroys more business value than it saves,” says Paul Chau, head of Korn Ferry’s Asia Pacific CIO center of expertise. “The CISO must be a strong communicator and business relationship builder, able to work and influence across business silos and get people to engage and ‘do the right thing,’ and to understand the necessary trade-offs.”
A Tour of Duty
All told, these factors combine to make the role of a CISO appear as a thankless task. They are on the front line in the war against cybercrime, potentially in the boardroom briefing directors in language that resonates with them, reassuring their peers that they are not an inhibitor to progress, and often prove to be the scapegoat when a breach does occur.
So who would put themselves forward for such a high-profile and demanding role, and why? “The role is incredibly demanding and high risk, so we see CISOs considering other career paths and viewing the role as a ‘tour of duty’,” says Aiello. This language lends itself to individuals with a military, secret service, or security background. But, due to the inconsistencies with the role itself from one organization to the next, there is no definitive consensus on what background makes for the best CISO. From speaking to a range of executive search consultants in this field, some good places to start include: CIOs, cybersecurity ‘lifers’, governance and compliance, risk, technology product specialists.
If CISOs can find a way to contribute to strategic boardroom conversations, while staying up to date with the latest tactical developments, and still be seen as an enabler of business growth, they have the potential to supersede the importance of the CIO or CTO. But, it remains to be seen whether there is a large enough talent pool of individuals with the technical aptitude and leadership skills to meet the demand for cybersecurity expertise. It seems that the role will reach an inflection point in the coming years – a sink or swim moment for the position and the individuals hoping to make their name from it.