Posted on 11-Jun-2020
Four mistakes to avoid when hiring your next security chief

There is arguably no hire more important today than chief information security officer, but companies may be making the wrong calls when evaluating the role. Here's how to feel more secure about your next security leader.

Cyber Security Practice
For many organizations, recruiting a top-notch chief information security officer may be their most important hire.
If that seems like an overstatement, then ask the boards of directors of Target, Sony Pictures, Home Depot, J.P. Morgan, or any one of the long list of organizations whose corporate data stores have been breached recently. They’re the ones who, with their executive teams, still have to deal firsthand with the reputational wreckage and loss of customers’ trust, the financial impact, and all the other consequences cyberattacks bring.
With cybersecurity calamities regularly making front-page news, there’s clearly a crying need for better protections and stronger, smarter responses. So a big question being voiced in boardrooms these days is this: do we have the right information security leader in place — and at the right level and with the right skills?
But here’s the problem. Boards — not to mention their CEOs — are still learning how to think about, and define, the chief information security officer (CISO) role. For one thing, the role is far more complex than it used to be — far more than keeping the security software and firewalls up-to-date and dealing with the fallout of a stolen laptop. The person (or persons) now in the role might be a great match for yesterday’s challenges, but too many are unequal to the complexity and sheer volume of threats that organizations face today, to say nothing of tomorrow’s threats.
The upshot: boards and their executive teams are in danger of getting the CISO role wrong. In particular, we’ve observed four ways in which that may happen:

1. The organization may shortchange the risk.
2. The reporting structure may be off-track.
3. There may be (paradoxically enough) an overemphasis on cyber qualifications.
4. The organization may hold out too long for the “perfect” security leader.

We’ll look more closely at each of these pitfalls in a moment. First, though, it’s important to underscore how directors’ own roles are changing as cyber risks escalate.

Heidrick & Struggles
The buck stops where?

It’s not the place of this article to grimace at the growing list of cyberattacks. But it is our job to point out that the buck for security, in all forms, stops squarely in the boardroom. That was made crystal clear in a June 2014 speech to the New York Stock Exchange by Luis Aguilar, commissioner at the US Securities and Exchange Commission: “Ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities,” he stated.1 Moreover, directors and officers who fail to assume this responsibility may find themselves individually liable for any lapses that occur. Translated into action, this means that boards must ensure that the appropriate teams are in place and that there are adequate plans not only to respond to breaches but to prevent them.
The National Association of Corporate Directors (NACD) has crystallized those themes into a set of guidelines. The first and foremost principle: “Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.”2
In response, more and more directors are stepping up. In the United States, nearly half of the respondents to a recent survey agreed that the audit committee has responsibility for cyber risk today.3 “Boards now are calling for clear and consistent cybersecurity policies,” said Richard Goodman, a member of the boards of Johnson Controls, Kindred Healthcare, Western Union, and Toys “R” Us. Speaking at a recent gathering of CIOs, Goodman added: “You can’t give people in the field decision-making authority about whether you decide to do something or not on cybersecurity.”4
Indeed, we see many more boards becoming directly involved in the search for a new CISO as the strategic importance of the role increases. Similarly, we’ve seen an uptick in the number of boards seeking directors with real cybersecurity know-how — for example, in the form of sitting or retired CIOs (particularly those to whom the CISO has reported).
1 Luis A. Aguilar, U.S. Securities and Exchange Commission, “Boards of Directors, Corporate Governance, and Cyber-Risks: Sharpening the Focus” (speech, “Cyber Risks and the Boardroom” Conference, New York Stock Exchange, New York, NY, June 10, 2014), available on www.sec.gov.
2 National Association of Corporate Directors (NACD), Cyber-Risk Oversight Handbook, June 10, 2014, available on www.nacdonline.org; The Institute of Internal Auditors Research Foundation, Cybersecurity: What the Board of Directors Needs to Ask, 2014, available on www.theiia.org/bookstore.
3 Ken Berry, “5 Key Takeaways from KPMG’s ‘2015 Global Audit Committee Survey,’” accountingWEB, February 12, 2015, available on
4 Rachel King, “Cybersecurity Policies Need to Be Centralized: Board Member,” Wall Street Journal, CIO Report (blog), June 30, 2015,
Know your CISO

Savvy boards and executive teams realize that not all CISOs come from the same mold. Just as with any functional leadership role, CISOs come from all sorts of backgrounds. In our work, we have identified four major types of CISO:

Legacy compliance: Privacy- and compliance-focused individual who typically came up through risk or the Big Four. Generally not technical; limited understanding of hacking or engineering.

Cyber specialist: Knows how to identify the “black hats” and keep them out; has a strong technical background. Probably came from a communications, government/defense, or financial services company.

Enterprise CISO: Historically most common; came from the IT or infrastructure side; likely reports to the CIO. Very comfortable implementing software, such as identity and access management software, or enhancements to mobile/cloud security.

Product CISO: Embeds security in products such as online video games or Internet of Things devices; ensures that what the company makes has security built in. Currently in low demand, but growing quickly.

Four pitfalls to avoid

Yet the additional attention doesn’t necessarily equip boards or executives to evaluate, let alone appoint, the right CISO. And that’s part of the point: there is no one true job description that will be as good a fit for a Silicon Valley technology company as it would be for a Rust Belt industrial machinery manufacturer. Furthermore, there are many different stripes of CISOs — not all necessarily with entrenched technology backgrounds. (See sidebar, “Know your CISO.”)
In our experience, too many organizations appoint a CISO based on legacy concepts rather than demand-driven ideas. A tech company may select a CISO with a stellar track record of rolling out and supporting robust security software but who lacks the risk savvy to gauge and therefore guard against as-yet-unknown cyber threats. Or an industrial company may pick a CISO whose career in risk and compliance does not equip him or her to assess the scope or scale of the next cyberattack. Here are four common mistakes we see companies make.
Thinking too tactically
Until relatively recently, it was usually enough for organizations to have a technology-savvy leader on the CIO’s team who would roll out robust security software across the organization and make sure it was kept up-to-date. The underlying principle was defense: protect the organization against persistent yet fairly well understood threats.
Not anymore. The speed of technological change has brought with it more frequent and more complex attacks, even as companies have come to rely more on technology and technological connectivity for growth. Today, regardless of industry or geography or size of the organization, the CISO must have an enterprise-level understanding of the risks of every form of cyberattack and other enterprise threats and be able to communicate them not only to IT-focused colleagues but to the board of directors as well. Some CISOs are already headed in that direction. Speaking to Bank Info Security recently, David Sherry, CISO of Brown University, indicated that he sees the role transitioning completely to manage the risk of an enterprise by setting the proper programs, policies, and processes that are necessary to fulfill the IT security mission.5
5 Tom Field, “CISO’s Challenge: Security & Risk. Security Leaders Take on Dual Responsibilities,” Bank Info Security, October 23, 2012, available on