Enterprises today face a threat landscape that continues to evolve and become increasingly more perilous. Boards recognize the need for their companies to become resilient and the important role that cybersecurity leaders and their teams play in accomplishing that goal. As corporations race to create competitive solutions through digitization and transformation, the complexities of securing the enterprise are magnified. As such the role of the Chief Information Security Officer (CISO) has become more crucial and the selection of a uniquely qualified leader essential to the success of building a resilient corporation. Because corporations retain Alta Associates to find this new breed of security leadership, we have become adept to understanding, identifying and overcoming the evolving challenges they face. This narrative will share some of those insights.
Now more than ever before corporations, their boards, their regulators and their customers are all attuned to risks associated with the digitization of their assets and processes. Boards know that a highly publicized breach can have a direct impact on their brand and their stock prices. As such, forward thinking companies understand that the role of the CISO that was once relegated to the Information Technology department must now been elevated to a truly senior business advisor of the company.
Cybersecurity concerns must be viewed by someone capable of having the broad vision of both how to secure the corporation and mitigate risk while also continuing to enable competitive products and services that lead to revenue generation.
According to a recent survey done by the National Association of Corporate Directors Cyber Risk Oversight Handbook, although only 5% of public company directors are very confident that their company is properly secured against an attack, 89% of them admit that cybersecurity is regularly discussed at board meetings.
Part of this raised concern at the board level is the reality that in an effort to become more agile and productive companies are embracing technologies such as blockchain, the internet of things, big data and mobility. With innovation often comes increased risk.
CISO’s and IT Risk executives must have the capability to engage with business and technology leaders to both proactively evaluate these new technologies, enhance their capabilities and mitigate their risks. As such corporations are now seeking transformative CISO’s.
A transformative CISO is one that has the skills to reduce risk while still allowing adaptability in a volatile threat landscape. Keeping their organization safe goes far beyond purchasing technology solutions. CISO’s are often able to accomplish a great deal in the way of improvements through collaboration and influence. Finding an executive with these complementary skills requires access to a deep network of security professionals and specialized recruiters with the knowledge to conduct in depth interviews.
So what does the board want to know?
Based on the searches Alta Associates performs for CISO’s, we have found about one third of the roles require that the CISO actually presents directly to the board as a part of their responsibilities. Many more are involved with creating the reports or dashboards that their CIO’s ultimately present. Either way, Boards are interested in gaining answers to questions that involve: What are our major cybersecurity risks and how adequately are we managing them? How do our cybersecurity efforts benchmark against others in our industry? How are our cybersecurity strategies aligned to our corporate transformation efforts? What are we doing about third party risks?
The challenges in hiring security executives
Old school cybersecurity techniques and traditional security professionals will not have the capabilities to provide proactive perspectives on automation and digitization initiatives, including identifying emerging risks and offering recommendations that match the constantly changing business and risk landscapes of their organizations. In order to identify the right candidate, companies must first define the scope of responsibilities and the organizations they will be managing. The size, scope and influence of the role will largely determine who they will be able to attract. Potential functions that could report to the security leader include: Cybersecurity, IT Risk, Governance, Risk &Compliance, Physical security, and Privacy.
The challenge doesn’t end with hiring the right security executive as their effectiveness is highly dependent upon the team that supports him or her. A skilled and dedicated team frees a CISO from repeatable tasks and allows them to delegate and drive projects more effectively. By 2022 there is expected to be a workforce gap of 1.8 million cybersecurity professionals. The demand for qualified talent is immense. Hiring women and minorities has a dual benefit of introducing diversity of thought to complex and demanding roles and increasing your chances of a successful hire. Alta is proud to have filled 40% of all of its retained searches in 2016 with qualified women executives and 60% of all searches with diverse professionals. This proves that hiring a diverse team is possible when companies prioritize diversity as a goal and work with the right recruiting partner.
In order for corporations to lessen the cybersecurity workforce gap of qualified candidates, they must do a better job hiring and retaining women and minorities. The Women in Cybersecurity Report that I co-authored with EWF Executive Director Lynn Terwoerds and (ISC)2 highlights the state of women in cybersecurity. The study shows women have remained stagnant at 11% of the global cybersecurity workforce since 2013. 51% of women experienced various forms of discrimination, as compared to 15% of their male counterparts and those percentages rise to as high as 67% as women progress to “C” level roles. Men are 4 times more likely to hold executive level positions and there are 9 times more men in management roles than women. Sadly, 28% of women in cybersecurity report that they do not feel valued at work. Finally, even though women have more advanced degrees than men, they are still paid less at every level from staff through executive. These are pretty harsh facts and as you can see it’s not just one thing holding women back it’s the confluence of all of these events that is having a negative impact on women progressing and succeeding in the cybersecurity workforce. Alta Associates recommends strategies such as requiring hiring managers to interview a diverse slate of candidates, ensuring women are included on interview panels and reviewing job descriptions for unconscious bias as basic first steps to be implemented in a company’s recruiting practices. Forward thinking organizations foster an inclusive culture and diversity should be a key element of your people and client strategy when developing security teams.