By Matt Aiello and Phil Schneidermeyer, Heidrick & Struggles
Arguably, no hire is more important today than that of the chief information security officer. If that seems like an overstatement, ask the boards of directors of Target, Sony Pictures, Home Depot, J.P. Morgan, or any one of the long list of organizations whose corporate data stores have been breached recently. They are the ones who still have to deal with the reputational wreckage, loss of customers’ trust, financial losses, and all the other consequences that cyberattacks bring.
With cybersecurity calamities regularly making front-page news, there’s clearly a need for better protections and stronger, smarter responses. So a big question being voiced in boardrooms these days is: do we have the right information security leader in place — and at the right level and with the right skills?
But here’s the problem. Boards — not to mention CEOs — are still learning how to think about, and define, the chief information security officer (CISO) role. For one thing, the role is far more complex than it used to be; it now goes well beyond keeping the security software and firewalls up to date and dealing with the fallout from a stolen laptop. The person (or persons) now in the role might be a great match for yesterday’s challenges, but too many are unequal to the complexity and sheer volume of threats that organizations face today and will face in the future.
Boards and their executive teams are in danger of getting the CISO role wrong. In particular, we’ve observed four ways in which that may happen:
- The organization may shortchange the risk savvy required.
- The reporting structure may be off-track.
- There may be (paradoxically) an overemphasis on cyber qualifications.
- The organization may hold out too long for the “perfect” security leader.
We’ll look more closely at each of these pitfalls in a moment. First, though, it’s important to underscore how the directors’ roles are changing as cyber risks escalate.
The buck stops where?
The buck for all forms of security stops squarely in the boardroom. Luis Aguilar, commissioner at the US Securities and Exchange Commission, made that crystal clear in a statement in 2014: “Ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of directors’ risk oversight responsibilities.” Moreover, directors and officers who fail to assume this responsibility may find themselves liable for any lapses that occur. Translated into action, this means boards must ensure that the appropriate teams are in place and that there are adequate plans both to prevent breaches and to respond to them.
The National Association of Corporate Directors (NACD) crystallized those themes into a set of guidelines. Their first and foremost principle is: “Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.”
In response, more directors are stepping up. In the United States, nearly half of the respondents to a recent survey agreed that the audit committee has responsibility for cyber risk today. “Boards now are calling for clear and consistent cybersecurity policies,” said Richard Goodman, a member of the boards of Johnson Controls, Kindred Healthcare, Western Union, and Toys “R” Us. Speaking at a recent gathering of CIOs, Goodman added: “You can’t give people in the field decision-making authority about whether you decide to do something or not on cybersecurity.”
Indeed, more boards are becoming directly involved in the search for a new CISO as the strategic importance of the role increases. Similarly, a growing number of boards are seeking directors with real cybersecurity experience, for example sitting or retired CIOs.
Four pitfalls to avoid
Yet the additional attention doesn’t necessarily equip boards or executives to evaluate, let alone appoint, the right CISO. And that’s part of the problem: there is no one true job description that will be as good a fit for a Silicon Valley technology company as it would be for a Rust Belt industrial machinery manufacturer. Furthermore, CISOs can come from different backgrounds, not all of which are technological:
- Legacy compliance: Privacy- and compliance-focused individual; typically came up through risk or the Big Four; generally has limited understanding of hacking or engineering; low demand
- Cyber specialist: Knows how to identify the “black hats” and keep them out; has a strong technical background; probably came from communications or government/defense; strong demand
- Enterprise CISO: Historically most common; came from IT or infrastructure side; likely reports to CIO; very comfortable implementing software, such as identity and access management software, or enhancements to mobile/cloud security; strong demand
- Product CISO: Embeds security in products such as online video games or Internet of Things; ensures that what the company makes has security in it; currently low demand, but growing quickly
Too many organizations appoint a CISO based on legacy concepts instead of demand-driven ideas. A tech company may select a CISO with a stellar track record of rolling out and supporting robust security software but who lacks the risk savvy to gauge and, therefore, guard against unknown cyber threats. Or an industrial company may pick a CISO whose career in risk and compliance does not equip him or her to assess the scope or scale of the next cyberattack. We discuss four common mistakes companies make below.
1. Thinking too tactically
Until recently, it was usually enough for organizations to have a technology-savvy leader on the CIO’s team who would roll out robust security software across the organization and make sure it was kept up to date. The underlying principle involved was defense: protect the organization against persistent yet fairly well understood threats.
Not anymore. The speed of technological change has brought with it more frequent and complex attacks. Today, regardless of industry or geography or size of the organization, the CISO must have an enterprise-level understanding of the risks of every form of cyberattack and be able to communicate them to IT-focused colleagues as well as the board of directors. Some CISOs are already headed in that direction. Speaking to Bank Info Security recently, David Sherry, CISO of Brown University, indicated that he sees the role transitioning completely to manage the risk of an enterprise by setting the proper programs, policies, and processes to fulfill the IT security mission.
Yet many companies still have tactically focused security leaders — often because they’ve had no cause to reexamine the issue from a broader perspective. This was the case for a large technology company that was spinning off a sizable subsidiary. It was only during the spin-off process that the NewCo’s general counsel recognized how immature its security operations actually were.
Meanwhile, a technology services firm recognized that its cybersecurity leader wasn’t sufficiently business-minded or strategic to help grow the company’s solutions business — a business, ironically enough, focused on cybersecurity. The leader was capable of managing the security challenges, but less capable of operating effectively across a matrix organization as a peer to senior business leaders, something the company needed if its solutions business was to achieve its growth objectives.
Similarly, a diesel engine manufacturer recognized that its director-level cybersecurity leader was well prepared to handle the everyday tactics of the role, but out of his depth when it came to engaging with the board of directors on cybersecurity strategy. The manufacturer’s general counsel clarified the need for a CISO “upgrade” and put a search in motion.
The push for a top-level CISO can come from several sources. Often, the general counsel is a prime mover because of the risk component of the role. But it can come from the CEO, the audit or risk committees, or directors whose other boardroom experiences heighten their awareness of the risks. That was the case recently at a leading pharmaceutical company: one of its directors had been on the board of a national retailer that had been hacked — and whose brand suffered as a result. The director knew firsthand the importance of hiring a top-level CISO who could handle the cybersecurity risks, and pushed the board to do so.
2. Mismanaging the reporting structure
It’s a mistake to assume that since the CISO job touches technology, the role should always report in to the CIO. A security chief who comes from the legacy compliance world will be entirely out of place working for the head of IT. Similarly, a CISO who is steeped in cyber everything may not work well if the job is required to report to the chief risk officer.
In our experience, who CISOs report to and what access and influence they have are at least as important as their qualifications and experience. The reporting structure will always be specific to an organization’s culture, strategy, and structure. Companies respond to this issue in different ways. Some elevate the function, while others split the role so its risk component reports to the chief risk officer, the IT security part answers to the CIO, and physical security is under the general counsel.
Two dimensions of the reporting structure issue are most important to consider. The first is influence. A CISO must be senior enough to have the respect of the other C-level executives and the board. If the CISO is only at a manager level, he or she faces an uphill battle to get the respect required to meet the broad mandate of the job.
The second dimension is the potential for conflict of interest. Let’s say the CISO reports to the CIO. It’s the CIO who controls the purse strings for the company’s technology networks. However, if the CISO’s job is to audit those networks, there’s a built-in difficulty. It’s never easy to tell your boss that their network is the source of the organization’s cybersecurity problems, particularly if it will cost money to fix the predicament and potentially conflict with the CIO’s other priorities. Given how often CIOs are asked to cut costs, this issue is often an overlooked source of tension in the reporting relationship. “The CISO is there to give an independent view of what the CIO is doing. That’s why the reporting line needs to be separate,” said one participant at a recent meeting of the North American and European Audit Committee Leadership Networks.
3. Overemphasizing cyber and technical qualifications
Cyber savvy matters for any top security job today, but it must not eclipse other crucial capabilities — notably communication, collaboration, influencing ability, and the candidate’s fit with the organization’s culture. For example, a CISO who is technically sound but has little exposure to the business, or comes from a rigid, “security is the only priority” background, may not be effective at encouraging colleagues to change deeply ingrained behaviors in order to avoid cyber risks.
Companies screening CISO candidates should be aware of the candidate’s technology credentials and even insist on them. Yet organizations that view the role solely through this lens, or weight the technical requirements too heavily, risk a variety of unintended consequences.
For example, a CISO who puts the board to sleep with tech talk will not be invited back to the boardroom; one who consorts largely with the organization’s tech community — and who cannot speak the language of business — is not doing the job. Interviewed by Healthcare IT News, Meredith Phillips, CISO of the Henry Ford Health System in Detroit, explained what needs to happen: “If we can’t capture the hearts and minds of individuals that are engaging with data and systems and applications in order to take care of patients, no amount of technology that I put in place will ever solve that problem.”
Unfortunately, CISOs and boards aren’t always communicating as they should. According to the 2015 US State of Cybercrime Survey, more than one in four respondents (28 percent) said their security leaders make no presentations to the board, while only 26 percent of CISOs, or their organization’s equivalent, provide an annual presentation to their board of directors. By contrast, forward-looking companies look for smart ways to introduce CISOs to the board: for example, by bringing them in to co-present to the audit committee, or by pairing the CISO with a seasoned executive elsewhere in the business to learn how to manage a relationship with the board. Without a thoughtful approach, there’s a risk that CISOs will be sent from the “backroom to the boardroom” too quickly and damage their cause (and their credibility) in the process.
4. Holding out for the “perfect” security leader
We have seen instances where corporate leaders have waited in vain to land the ideal security leader — someone who bundles tremendous risk savvy with executive chops and collaborative skills and a terrific suite of cyber skills — only to find that in the interim they lost well-qualified candidates to more agile companies.
For any role, “perfect” is rarely manifested in one person, and cybersecurity is no different. Rather than searching for the perfect candidate, a more practical approach is to understand the different degrees of fit and to systematically gauge the candidate’s strengths against the organization’s future needs.
The CISO role is new enough, layered enough, and now essential enough that it’s often worth considering splitting it among two or three individuals, each a master of one key component of the job: corporate security, information and application security, and risk and compliance. Another option is to choose the one person who comes closest to the ideal candidate and then offset his or her shortfalls with a highly qualified second-in-command. These kinds of composite, flexible approaches may seem messy, but they are far better than waiting for a candidate who doesn’t exist.
Evaluating, hiring, and placing the right security chief isn’t easy. The task is made harder by the supply–demand mismatch: demand far outstrips supply as cyber risks ripple outward from the familiar sectors and become headaches for industrial, governmental, and even nonprofit organizations.
But there can no longer be any excuse for inaction by the board on cybersecurity. The SEC has made clear that oversight of cyber risk is a board responsibility because enormous risk is involved. Insurers, attorneys, and the NACD are driving that message home. And what matters to boards matters to executive leadership teams.
It’s past time for business leaders to figure out how to hire the security chief who’ll keep those risks in check.
About the Authors
Matt Aiello is a partner in Heidrick & Struggles’ Washington, DC, office. He co-leads the firm’s Cybersecurity Practice and leads the Information & Technology Officers Practice in the Americas.
Phil Schneidermeyer is a partner in Heidrick & Struggles’ New York office and a member of the Life Sciences and Information Officers practices. He is a co-leader in the Cybersecurity Practice.
Heidrick & Struggles is the premier provider of senior-level executive search, culture shaping, and leadership consulting services. For more than 60 years we have focused on quality service and built strong relationships with clients and individuals worldwide. Today, Heidrick & Struggles’ leadership experts operate from principal business centers globally.