The Chief Information Security Officer (CISO) role is hotter than ever in midsized to larger enterprises. You might be surprised by the names of some of the firms that are hiring a CISO for the very first time. Many of them, like Target and Neiman-Marcus, are doing so after suffering widely reported data breaches and the resulting loss of revenue. Others are doing so as they watch big brands lose market share and customer trust.
The way these new CISOs are inserted into the organizational hierarchy is, in some cases, attracting scrutiny. One school of thought holds that concentrating great responsibility in one high-powered position, and finding an executive experienced in strategic security planning to fill it, is wasted effort if that person's effectiveness is constrained by reporting through a CIO rather than directly to the CEO. CSOonline cites research in the 2014 Global State of Information Security Survey showing that when the CISO reported to the CIO instead of the CEO, both downtime and financial losses from security incidents were worse. The numbers from 2013 showed similar results.
Candidates for these positions, then, will want to research the hiring company’s organizational structure and ask for specifics about how the reporting structure for the new CISO was determined. Will direct access to the CEO be the norm? If not, what is the strategic thinking behind that decision? How will potential conflicts between efforts to maximize the company’s security stance and other mission-critical operations be handled?
Likewise, the search for candidates who can demonstrate security expertise alongside strong general business skills will lead to questions about everything from staff management to boardroom behavior. Matt Comyns, global co-head of the cybersecurity practice at executive search firm Russell Reynolds Associates, told The Wall Street Journal that when he assists in searching for a firm's new CISO, “the biggest single issue is often cultural fit and executive presence. The expectation is that you might be a CISO, but I assume you will sound like my CFO, my CEO, my COO or my CMO.”
Executives from Heidrick & Struggles, a global executive search and leadership advisory firm, shared specifics on what companies think they need in a CISO and how they are evaluating candidates in a LeadershipTV video. Their internal research shows that information and data security are now in the top two concerns of corporate boards. Five years ago, the two topics were not in the top five concerns.
Paul Gibson, partner at Heidrick & Struggles, observes, “The biggest criteria is leadership, and that’s leadership with a capital ‘L.’ Communication, executive presence, influencing, behavior, particularly partnership behavior with the business.”
David Boehmer, regional managing partner with Heidrick & Struggles, explains:
“So we look at the leaders of tomorrow in this space, they’re tech-savvy. They have relationships with agencies. They understand the cyber world. They understand legal. They understand privacy. They have the nuances of understanding technology in a regulated world and regulation within technology. There was an evolution really about two years ago that led much more to information risk manager. This is someone who thought more about the broader risk paradigm, that still probably came up the information side, the IT side of things, but had a bit more of that broader, horizontal view of risk.”
So what skills are most desired? Said Gibson:
“You’ve got to be able conceptually to build a risk-based framework to tackle data privacy and data security. But you’ve then got to be able to execute against that and what we call operationalize that framework: build the right controls, put the right controls in place to protect the data that you’ve got and the data you’re going to have in the future.”
And where is the trend leading, from a recruiter’s viewpoint? Again, Gibson:
“As an organization, we’ve done twice as many chief information security officer searches in the last two years compared to the prior two years. But linked to that, we’re also seeing huge spikes in demand for operational risk leaders and leaders who can adequately set that conceptual framework and then drive operational excellence against it. Chief information security officer talent, chief risk officer talent, is continually in huge demand. We don’t see that trend dying off at all. In fact, we see it escalating and increasing, particularly in the areas of protecting data or linking information risk, information security to operational risk.”