Four mistakes to avoid when hiring your next security chief
11/3/2015, Matt Aiello
For many organizations, recruiting a topnotch chief information security officer may be their most important hire.
If that seems like an overstatement, then ask the boards of directors of Target, Sony Pictures, Home Depot, J.P. Morgan, or any one of the long list of organizations whose corporate data stores have been breached recently. They’re the ones who, with their executive teams, still have to deal firsthand with the reputational wreckage and loss of customers’ trust, the financial impact, and all the other consequences cyberattacks bring.
With cybersecurity calamities regularly making front-page news, there’s clearly a crying need for better protections and stronger, smarter responses. So a big question being voiced in boardrooms these days is this: do we have the right information security leader in place — and at the right level and with the right skills?
But here’s the problem. Boards — not to mention their CEOs — are still learning how to think about, and define, the chief information security officer (CISO) role. For one thing, the role is exponentially more complex than it used to be — far more than keeping the security software and firewalls up-to-date and anticipating and dealing with the outcomes of a stolen laptop. The person (or persons) now in the role might be a great match for yesterday’s challenges, but too many are unequal to the complexity and sheer volume of threats that organizations face today . . . to say nothing about tomorrow’s threats.
The upshot: boards and their executive teams are in danger of getting the CISO role wrong. In particular, we’ve observed four ways in which that may happen:
- The organization may shortchange the risk savvy required.
- The reporting structure may be off-track.
- There may be (paradoxically enough) an overemphasis on cyber qualifications.
- The organization may hold out too long for the “perfect” security leader.
We’ll look more closely at each of these pitfalls in a moment. First, though, it’s important to underscore how directors’ own roles are changing as cyber risks escalate.
The buck stops where?
It’s not the place of this article to grimace at the growing list of cyberattacks. But it is our job to point out that the buck for security, in all forms, stops squarely in the boardroom. That was made crystal clear in a June 2014 speech to the New York Stock Exchange by Luis Aguilar, commissioner at the US Securities and Exchange Commission: “Ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities,” he stated.1 Moreover, directors and officers who fail to assume this responsibility may find themselves individually liable for any lapses that occur. Translated into action, this means that boards must ensure that the appropriate teams are in place and that there are adequate plans to not only respond to breaches but prevent them.
The National Association of Corporate Directors (NACD) has crystallized those themes into a set of guidelines. The first and foremost principle: “Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.”2
In response, more and more directors are stepping up. In the United States, nearly half of the respondents to a recent survey agreed that the audit committee has responsibility for cyber risk today.3 “Boards now are calling for clear and consistent cybersecurity policies,” said Richard Goodman, a member of the boards of Johnson Controls, Kindred Healthcare, Western Union, and Toys “R” Us. Speaking at a recent gathering of CIOs, Goodman added: “You can’t give people in the field decision-making authority about whether you decide to do something or not on cybersecurity.”4
Indeed, we see many more boards becoming directly involved in the search for a new CISO as the strategic importance of the role increases. Similarly, we’ve seen an uptick in the number of boards seeking directors with real cybersecurity know-how — for example, in the form of sitting or retired CIOs (particularly those to whom the CISO has reported).
Four pitfalls to avoid
Yet the additional attention doesn’t necessarily equip boards or executives to evaluate, let alone appoint, the right CISO. And that’s part of the point: there is no one true job description that will be as good a fit for a Silicon Valley technology company as it would be for a Rust Belt industrial machinery manufacturer. Furthermore, there are many different stripes of CISOs — not all necessarily with entrenched technology backgrounds. (See the sidebar below, “Know your CISO.”)
Know your CISO
Savvy boards and executive teams realize that not all CISOs come from the same mold. Just as with any functional leadership role, CISOs come from all sorts of backgrounds. In our work, we have identified four major types of CISOs:
1) Legacy compliance
Privacy- and compliance-focused individual who typically came up through risk or the Big Four. Generally not technical; limited understanding of hacking or engineering. (Low demand)
2) Cyber specialist
Knows how to identify the “black hats” and keep them out; has a strong technical background. Probably came from communications, government/defense, financial services company. (Strong demand)
3) Enterprise CISO
Historically most common; came from IT or infrastructure side; likely reports to CIO. Very comfortable implementing software, such as identity and access management software, or enhancements to mobile/cloud security. (Strong demand)
4) Product CISO
Embeds security in products such as online video games or Internet of Things; ensures that what the company makes has security in it. (Low demand but growing quickly)
In our experience, too many organizations appoint a CISO based on legacy concepts rather than demand-driven ideas. A tech company may select a CISO with a stellar track record of rolling out and supporting robust security software but who lacks the risk savvy to gauge and therefore guard against as-yet-unknown cyber threats. Or an industrial company may pick a CISO whose career in risk and compliance does not equip him or her to assess the scope or scale of the next cyberattack. Here are four common mistakes we see companies make.
Thinking too tactically
Until relatively recently, it was usually enough for organizations to have a technology-savvy leader on the CIO’s team who would roll out robust security software across the organization and make sure it was kept up-to-date. The underlying principle involved was defense: protect the organization against persistent yet fairly well understood threats.
Not anymore. The speed of technological change has brought with it more frequent and more complex attacks, even as companies have come to rely more on technology and technological connectivity for growth. Today, regardless of industry or geography or size of the organization, the CISO must have an enterprise-level understanding of the risks of every form of cyberattack and other enterprise threats and be able to communicate them not only to IT-focused colleagues but to the board of directors as well. Some CISOs are already headed in that direction. Speaking to Bank Info Security recently, David Sherry, CISO of Brown University, indicated that he sees the role transitioning completely to manage the risk of an enterprise by setting the proper programs, policies, and processes that are necessary to fulfill the IT security mission.5
Yet many companies still have tactically focused security leaders — oftentimes because they’ve simply had no cause to reexamine the issue from a broader perspective.
This was the case for a large technology company we know that was spinning off a large subsidiary. It was only during the spin-off process that the NewCo’s general counsel recognized how immature its security operations actually were.
Meanwhile, a technology services firm recognized that its cybersecurity leader wasn’t sufficiently business-minded or strategic enough to help grow the company’s solutions business — a business, ironically enough, focused on cybersecurity. The leader was capable of managing the security challenges but less capable of operating effectively across a matrix organization as a peer to senior business leaders, something the company needed to ensure that its solutions business achieved its growth objectives.
Similarly, a diesel engine manufacturer recognized that its director-level cybersecurity leader was well prepared to handle the everyday tactics of the role but out of his depth when it came to engaging with the board of directors on cybersecurity strategy. The manufacturer’s general counsel clarified the need for a CISO “upgrade” and put a search in motion.
The push for a top-level CISO can come from several sources. Oftentimes, the general counsel is a prime mover because of the risk component of the role. But it can come from the CEO, the audit or risk committees, or a director whose other boardroom experiences heighten his or her awareness of the risks. That was the case recently at a leading pharmaceutical company; one of its directors had been on the board of a national retailer that had been hacked — and whose brand suffered as a result. The director knew firsthand the importance of hiring a top-level CISO who could handle the cybersecurity risks and thus pushed the board to do so.
Mismanaging the reporting structure
It’s a mistake to assume that since the CISO job touches technology, the role should always report in to the CIO. A security chief who comes from the legacy compliance world will be entirely out of place working for the head of IT. Similarly, a CISO who is steeped in cyber everything may not work well if the job is required to report to, say, the chief risk officer.
In our experience, who the CISO reports to and what access and influence he or she has are at least as important as the CISO’s qualifications and experience.
The reporting structure will always be specific to the organization — to its strategy, its structure, and its culture. Companies respond to this issue in different ways. Some elevate the function, while others split the role so its risk component reports to the chief risk officer, the IT security part answers to the CIO, and physical security is under the general counsel.
There are two dimensions to the issue of reporting structure that are most important to consider. The first is influence. The role has to be at a senior enough level for the CISO to be able to have the respect of the other C-level executives and the board. (If the CISO is really at only a manager level, he or she faces an uphill battle to get the respect required to meet the broad mandate of the job.)
The second dimension is the potential for conflict of interest. Let’s say the CISO reports to the CIO. It’s the CIO who controls the purse strings for the company’s technology networks. But if the CISO’s job is to audit those networks, there’s a built-in difficulty. It’s never easy to tell your boss that his or her network is the source of the organization’s cybersecurity problems, particularly if the implication is that it will cost money to fix the predicament and therefore potentially conflict with the CIO’s other priorities. Indeed, given how often CIOs are asked to cut costs, this issue is quite often an overlooked source of tension in the reporting relationship. “The CISO is there to give an independent view of what the CIO is doing. That’s why the reporting line needs to be separate,” said one participant at a recent meeting of the North American and European Audit Committee Leadership Networks.6
Overemphasizing cyber and technical qualifications
Yes, cyber savvy does matter for any top security job today, but it must not eclipse other crucial capabilities — notably communication, collaboration, influencing ability, and the candidate’s fit with the organization’s culture. For example, a CISO who is technically sound but who has had little exposure to the business, or comes from a rigid, “security is the only priority” background, may not be effective at encouraging colleagues to change deeply ingrained behaviors in order to avoid cyber risks.
To be sure, companies screening CISO candidates should be aware of the candidate’s technology credentials and even insist on them. Yet organizations that view the role solely through this lens, or weight the technical requirements too heavily, risk a variety of unintended consequences.
For example, a CISO who puts the board to sleep with tech talk has just failed and will not be invited back to the boardroom; one who consorts largely with the organization’s tech community — and who cannot speak the language of business — is not doing the job. Interviewed by Healthcare IT News, Meredith Phillips, CISO of the Henry Ford Health System in Detroit, explained what needs to happen: “If we can’t capture the hearts and minds of individuals that are engaging with data and systems and applications in order to take care of patients, no amount of technology that I put in place will ever solve that problem.”7
Unfortunately, though, CISOs and boards aren’t always communicating as they should. According to the 2015 US State of Cybercrime Survey, nearly one-third (28%) of respondents said their security leaders make no presentations at all to the board, while only 26% of CISOs, or their organization’s equivalent, provide an annual presentation to their board of directors.8 By contrast, forward-looking companies look for smart ways to introduce CISOs to the board: for example, by bringing them in to co-present to the audit committee, or by pairing the CISO with a seasoned executive elsewhere in the business to learn the ropes of managing a relationship with the board. Absent a thoughtful approach, there’s a risk that CISOs will be sent from the “backroom to the boardroom” too quickly and damage their cause (and their credibility) in the process.
Holding out for the “perfect” security leader
We have seen instances where corporate leaders have waited and waited and waited in vain in an attempt to land the ideal security leader — someone who bundles tremendous risk savvy with executive chops and collaborative skills and a terrific suite of cyber skills — only to find that in the interim they lost well-qualified candidates to more agile companies. One company we know lost seven months and several candidates in this way.
For any role, “perfect” is rarely manifested in one person, and cybersecurity is no different. To our earlier point about the many different types of CISOs out there, rather than searching for the perfect candidate, a more practical approach is to understand the different degrees of fit and to systematically gauge the candidates’ strengths against the organization’s future needs.
The CISO role is new enough, layered enough, and now essential enough that it’s often worth considering splitting the role among two or three individuals, each the master of a key component of the job, or to come as close as possible to the ideal with one candidate and then complement his or her shortfalls with a highly qualified second-in-command. The large technology company that was spinning off a subsidiary took a variation of this approach. When company leaders realized that the “perfect” CISO wasn’t to be found, they decided to spread cybersecurity across three roles — corporate security, information and application security, and risk and compliance.
These kinds of composite, flexible approaches may seem messy, but they will be far better than waiting for a candidate who doesn’t exist.
The tasks of evaluating, hiring, and placing the right security chief aren’t easy. They are exacerbated by the supply–demand mismatch, with demand far outstripping supply as cyber risks ripple outward from familiar sectors such as financial services and become headaches for industrial, governmental, and even nonprofit companies.
But there can no longer be any excuse for inaction by the board on the cybersecurity front. The SEC has made it clear that boards are entirely responsible because enormous risk is involved. Insurers and attorneys and the NACD are driving that message home. And what matters to boards matters to executive leadership teams.
It’s past time for business leaders to figure out how to hire the security chief who’ll keep those risks in check.
About the authors
Matthew Aiello is a partner in Heidrick & Struggles’ Washington, DC, office. He co-leads the firm’s Cybersecurity Practice and leads the Information & Technology Officers Practice in the Americas.
Phil Schneidermeyer is a partner in Heidrick & Struggles’ New York office and a member of the Life Sciences and Information Officers practices. He is a co-leader in the Cybersecurity Practice.
A version of this article also appeared in the Wall Street Journal’s CIO Report.
1 Luis A. Aguilar, U.S. Securities and Exchange Commission, “Boards of Directors, Corporate Governance, and Cyber-Risks: Sharpening the Focus” (speech, “Cyber Risks and the Boardroom” Conference, New York Stock Exchange, New York, NY, June 10, 2014), available on www.sec.gov.
2 National Association of Corporate Directors (NACD), Cyber-Risk Oversight Handbook, June 10, 2014, available on www.nacdonline.org; The Institute of Internal Auditors Research Foundation, Cybersecurity: What the Board of Directors Needs to Ask, 2014, available on www.theiia.org/bookstore.
3 Ken Berry, “5 Key Takeaways from KPMG’s ‘2015 Global Audit Committee Survey,’” accountingWEB, February 12, 2015, available on www.accountingweb.com.
4 Rachel King, “Cybersecurity Policies Need to Be Centralized: Board Member,” Wall Street Journal, CIO Report (blog), June 30, 2015, http://blogs.wsj.com/cio/2015/06/30/cybersecurity-policies-needs-to-be-centralized-board-member/.
5 Tom Field, “CISO’s Challenge: Security & Risk. Security Leaders Take on Dual Responsibilities,” Bank Info Security, October 23, 2012, available on www.bankinfosecurity.com.
6 “Board and audit committee oversight of cyberrisk,” ViewPoints for the Audit Committee Leadership Summit, July 13, 2015, available on www.ey.com.
7 Erin McCann, “Time to ditch the ‘security team of yesterday,’” Healthcare IT News, September 1, 2015, available on www.healthcareitnews.com.
8 “US cybersecurity: Progress stalled. Key findings from the 2015 US State of Cybercrime Survey,” PwC, July 2015, available on www.pwc.com.