Date post: 15-Aug-2020

Why Hiring the Right CISO is so Hard And What You Can Do About It

AUTHORS:

ERIK MATSON | Managing Director, Global Head of Insurance & Cybersecurity

JOHN BUDRISS | Executive Director, Technology, Data Science & Cybersecurity

A SHEFFIELD HAWORTH WHITE PAPER


Introduction

The headlines bring word almost daily of major cyber-attacks. The weapons grow more sophisticated while the vulnerabilities grow more numerous. Today’s attackers include not only global super-criminals looking for financial gain but also state-sponsored groups intent on stealing intellectual property and other strategic assets.

For financial services firms, the stakes are only getting higher—potential business disruption, the compromising of customer information, regulatory backlash, damage to the brand, and possible destabilizing of the tightly interconnected global financial system itself.

Cybersecurity has rightly moved to the front burner for CEOs and boards of financial services firms. One of the most critical decisions? Choosing the right Chief Information Security Officer (CISO). Here’s how to take the uncertainty out of the decision.

sheffieldhaworth.com


A Shot in the Dark?

Given the threats, it’s no surprise that demand for outstanding CISOs far outstrips supply. But beyond the challenge posed by short supply lurks an even bigger hiring challenge: choosing the right person for the job.

Here’s why it’s so difficult:

THE CISO ROLE IS RELATIVELY NEW AND LACKS DEFINITION.

The difficulty in defining the role is reflected in the many different reporting structures in which it is embedded. The CISO reports directly to the CEO or the board in one organization and to the COO, CIO, Chief Risk Officer, or Chief Security Officer in another. In organizations that have been slow to adapt to today’s realities, the role hasn’t been separated from the role of CIO.

In addition to technical expertise, today’s CISOs must also have the gravitas, management and relationship-building skills to work with a variety of internal and external parties.

MOST HIRING EXECUTIVES LACK A FULL GRASP OF WHAT’S REQUIRED IN THE CISO ROLE.

Do you know what the latest cyber-weapons are and how they have figured in successful attacks? Most executives have no way of knowing whether a CISO candidate has the experience to deal with them or with all of the other ever-changing and unknown threats. Should you look for a longtime corporate cybersecurity professional? An IT generalist? A cybersecurity consultant? Someone with a military or intelligence background? Add these questions to the challenge of defining the role and the difficulties of this hiring decision multiply exponentially.

FINANCIAL SERVICES FIRMS ARE RELUCTANT TO SHARE DETAILS ABOUT CYBERSECURITY.

Some information sharing does occur. The Financial Services Information Sharing and Analysis Center (FS-ISAC), for example, provides a central resource for threat intelligence analysis and sharing. Nevertheless, firms are reluctant to admit that their security has been breached, because it tarnishes their brand, or share effective defense strategies, which they regard as a competitive advantage. As a result, no best practices have emerged against which to measure a candidate’s knowledge and qualifications.

MANY FIRMS DON’T UNDERSTAND THEIR SECURITY CULTURE OR NEEDS.

Is information security second nature to employees? Or do many of them fail to follow even basic security policies? Do various functions work collaboratively with the information security function or regard it as a nuisance? Do top executives agree on issues of cybersecurity and how to address them?

Consider the confusion unearthed in PricewaterhouseCoopers’ “2014 US State of Cybercrime Survey.” Asked what the greatest obstacle was to improving an organization’s information security, CEOs identified lack of funding. CFOs said it was a lack of leadership from the CEO. CIOs and security executives cited a lack of actionable vision or understanding within the organization.


How To Clarify the CISO Role and Hiring Decision

To overcome these challenges, you must bring the CISO role and your firm’s specific needs into sharper focus.

Take these critical steps to set the context for cybersecurity in your organization:

1) MAKE CYBERSECURITY A BOARD-LEVEL CONCERN.

Few board responsibilities are as important as oversight of risk management, especially for financial services firms. If cybersecurity and its risks aren’t already of prime concern to your board, they should be. The board should not only treat it as a regular agenda item but also hear regularly from the CISO.

The board’s role is to help clarify the role of the CISO. Directors must make sure that management is addressing cybersecurity adequately and within the bounds of risk tolerance the board has established. The CISO is no mere technician, but instead a critical resource for the board, helping it understand cyber risks in general and in the context of business actions the firm is weighing up. Candidates for the role should therefore have business acumen as well as security expertise.

2) DETERMINE WHERE YOU CURRENTLY STAND.

Identify your crown jewels—your most valuable information assets, from customer and employee information to intellectual property—then conduct a no-holds-barred exercise designed to expose your vulnerabilities. (It could be facilitated by third-party certified cybersecurity experts.) Immediately follow this with a candid review.

Such exercises can be eye opening. You may discover unknown weaknesses and, in some cases, exceptional strength or competitive advantages.

If security is notably weak, consider CISO candidates with experience turning around similarly weak organizations. If your security is strong, seek a CISO who can keep you on the cutting edge. The types of vulnerabilities that you uncover can also figure in the CISO job profile. For example, if you find that the greatest danger lies with cloud services providers or other vendors, your CISO should have experience with supplier management and contracts.

3) HONESTLY ASSESS YOUR SECURITY CULTURE.

The carelessness – and sometimes the malevolence – of employees can be the greatest threat to cybersecurity. How do employees throughout your organization treat security? What kind of security culture is created by their actions, along with policies and processes? If it’s a lax culture, where security is sometimes treated lightly, your CISO will need change management and influencing skills to fix it.


Conclusion

Engaging the board, determining where you currently stand, and assessing the security culture across your enterprise are large undertakings. But with so much at stake, few firms can afford to do less.

Talent will continue to be scarce and threats will continue to multiply. Firms that know precisely what they need will waste less time looking at unsuitable candidates and, ultimately, better prepare themselves to fend off ever more sophisticated cyber threats and attacks.

About Sheffield Haworth

Sheffield Haworth is a leading global executive search and talent advisory firm. Leveraging its deep industry knowledge, the firm partners with clients all over the world to provide tailored solutions for their business and talent needs at the senior management level. Established in 1993, Sheffield Haworth has 12 offices throughout the Americas, Europe, Middle East and Asia Pacific and serves clients in the Financial Services, Business & Professional Services and Technology industries.

Sheffield Haworth’s global Technology executive search practice specializes in helping financial services firms identify, attract and retain the technology management and digital talent to build next-generation cybersecurity infrastructures.

CONTACT UK +44 20 7236 2400 - [email protected] | US +1 (212) 593-7119 - [email protected] Asia +852 2110 1234 - [email protected]
