Does your security chief have board-level commercial savvy?
8/29/2016
Chris Bray and Adam Vaughan
Cyber risk is a peril of doing business today—and cyber breaches can have devastating consequences for organizations. To address this risk, many organizations have expanded their C-suite to include a Chief Information-Security Officer (CISO). The CISO can help ensure that board members, who may have limited experience with technology, understand cybersecurity risks so they can fulfill their responsibilities.
What should organizations look for when recruiting a CISO?
“There is a tiny pool of qualified people, and they are in big demand,” says Damian Walsh, a partner in Heidrick & Struggles’ London office. This is especially true in Europe. Although Silicon Valley is producing qualified candidates, European organizations struggle to convince Americans to move to London, Paris, Amsterdam, or Berlin. Some European organizations are recruiting candidates from the intelligence-service community, the telecom-infrastructure sector, and network security in hardware and software firms. However, these candidates may fall short on strategic commercial experience, or may lack experience working collaboratively with external bodies.
A CISO must have a sophisticated understanding of information technology—but other key traits, such as communication and leadership skills, are equally important. Organizations should look for the following traits when recruiting a CISO:
- Exemplary communication skills. As with other C-suite positions, the CISO role is about changing and managing people’s attitudes—in this case, toward security risks. The CISO must be a polished and sophisticated communicator, able to influence both internal and external stakeholders. “A techie saying that the firewall doesn’t have the right number of ports or protocols tends to confound a CEO. And the CEO can’t make a business decision if he or she doesn’t understand what the technical team is talking about,” says Greg Day, the regional chief security officer for Europe, Middle East, and Africa at the network-security company Palo Alto Networks.
- Commercial savvy. “The very best CISOs are deeply commercial,” says Adam Vaughan, a partner in Heidrick & Struggles’ London office. “They are as able to advise on the relationship between investment in risk negation and commercial opportunity as they are on the technical aspects of the role.”
- A sophisticated understanding of organizational culture. “It is an old view that information security is simply about building up the walls of a citadel to prevent external attack(s),” says Vaughan. “Modern information security is as much about considering the behaviors and unintended operational risks within an organization.”
- The ability to filter information. “The technology world is massively complex already and becoming more so,” says Day. “There are millions of threats out there, and a typical business experiences more than 10,000 security events every month.” The CISO has to filter these down into the few that truly matter and take appropriate action to mitigate the impact.
- The ability to collaborate with law enforcement and other outside agencies. An effective CISO should become part of a collaborative defensive community—in the UK, this includes INTERPOL, Scotland Yard, the Ministry of Defense, Government Communications Headquarters (GCHQ), and specialist industry bodies that can share information and protect businesses and other entities against sophisticated attacks. Day says he spends two-thirds of his time as CISO on such external activities.
About the authors
The team wishes to thank Greg Day of Palo Alto Networks for his contribution to this article.