Four mistakes to avoid when hiring your next security chief

There is arguably no hire more important today than chief information security officer, but companies may be making the wrong calls when evaluating the role. Here’s how to feel more secure about your next security leader.
15100747 - hs-00129-CISO article 2-DRAFT 02.indd 1 27/10/2015 11:17
2 Four mistakes to avoid when hiring your next security chief
For many organizations, recruiting a top-notch chief information security officer may be their most important hire.

If that seems like an overstatement, then ask the boards of directors of Target, Sony Pictures, Home Depot, J.P. Morgan, or any one of the long list of organizations whose corporate data stores have been breached recently. They’re the ones who, with their executive teams, still have to deal firsthand with the reputational wreckage and loss of customers’ trust, the financial impact, and all the other consequences cyberattacks bring.

With cybersecurity calamities regularly making front-page news, there’s clearly a crying need for better protections and stronger, smarter responses. So a big question being voiced in boardrooms these days is this: do we have the right information security leader in place — and at the right level and with the right skills?
But here’s the problem. Boards — not to mention their CEOs — are still learning how to think about, and define, the chief information security officer (CISO) role. For one thing, the role is exponentially more complex than it used to be — far more than keeping the security software and firewalls up-to-date and anticipating and dealing with the outcomes of a stolen laptop. The person (or persons) now in the role might be a great match for yesterday’s challenges, but too many are unequal to the complexity and sheer volume of threats that organizations face today . . . to say nothing of tomorrow’s threats.
The upshot: boards and their executive teams are in danger of getting the CISO role wrong. In particular, we’ve observed four ways in which that may happen:

1. The organization may shortchange the risk savvy required.
2. The reporting structure may be off-track.
3. There may be (paradoxically enough) an overemphasis on cyber qualifications.
4. The organization may hold out too long for the “perfect” security leader.

We’ll look more closely at each of these pitfalls in a moment. First, though, it’s important to underscore how directors’ own roles are changing as cyber risks escalate.
Heidrick & Struggles 3
The buck stops where?

It’s not the place of this article to grimace at the growing list of cyberattacks. But it is our job to point out that the buck for security, in all forms, stops squarely in the boardroom. That was made crystal clear in a June 2014 speech to the New York Stock Exchange by Luis Aguilar, commissioner at the US Securities and Exchange Commission: “Ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities,” he stated.[1] Moreover, directors and officers who fail to assume this responsibility may find themselves individually liable for any lapses that occur. Translated into action, this means that boards must ensure that the appropriate teams are in place and that there are adequate plans to not only respond to breaches but prevent them.

The National Association of Corporate Directors (NACD) has crystallized those themes into a set of guidelines. The first and foremost principle: “Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.”[2]

In response, more and more directors are stepping up. In the United States, nearly half of the respondents to a recent survey agreed that the audit committee has responsibility for cyber risk today.[3] “Boards now are calling for clear and consistent cybersecurity policies,” said Richard Goodman, a member of the boards of Johnson Controls, Kindred Healthcare, Western Union, and Toys “R” Us. Speaking at a recent gathering of CIOs, Goodman added: “You can’t give people in the field decision-making authority about whether you decide to do something or not on cybersecurity.”[4]

Indeed, we see many more boards becoming directly involved in the search for a new CISO as the strategic importance of the role increases. Similarly, we’ve seen an uptick in the number of boards seeking directors with real cybersecurity know-how — for example, in the form of sitting or retired CIOs (particularly those to whom the CISO has reported).
[1] Luis A. Aguilar, U.S. Securities and Exchange Commission, “Boards of Directors, Corporate Governance, and Cyber-Risks: Sharpening the Focus” (speech, “Cyber Risks and the Boardroom” Conference, New York Stock Exchange, New York, NY, June 10, 2014), available on www.sec.gov.
[2] National Association of Corporate Directors (NACD), Cyber-Risk Oversight Handbook, June 10, 2014, available on www.nacdonline.org; The Institute of Internal Auditors Research Foundation, Cybersecurity: What the Board of Directors Needs to Ask, 2014, available on www.theiia.org/bookstore.
[3] Ken Berry, “5 Key Takeaways from KPMG’s ‘2015 Global Audit Committee Survey,’” accountingWEB, February 12, 2015, available on www.accountingweb.com.
[4] Rachel King, “Cybersecurity Policies Need to Be Centralized: Board Member,” Wall Street Journal, CIO Report (blog), June 30, 2015, http://blogs.wsj.com/cio/2015/06/30/cybersecurity-policies-needs-to-be-centralized-board-member.
Know your CISO

Savvy boards and executive teams realize that not all CISOs come from the same mold. Just as with any functional leadership role, CISOs come from all sorts of backgrounds. In our work, we have identified four major types of CISOs:

Legacy compliance: Privacy- and compliance-focused individual who typically came up through risk or the Big Four. Generally not technical; limited understanding of hacking or engineering. (Low demand)

Cyber specialist: Knows how to identify the “black hats” and keep them out; has a strong technical background. Probably came from a communications, government/defense, or financial services company. (Strong demand)

Enterprise CISO: Historically most common; came from the IT or infrastructure side; likely reports to the CIO. Very comfortable implementing software, such as identity and access management software, or enhancements to mobile/cloud security. (Strong demand)

Product CISO: Embeds security in products such as online video games or Internet of Things; ensures that what the company makes has security in it. (Currently low demand but growing quickly)
Four pitfalls to avoid

Yet the additional attention doesn’t necessarily equip boards or executives to evaluate, let alone appoint, the right CISO. And that’s part of the point: there is no one true job description that will be as good a fit for a Silicon Valley technology company as it would be for a Rust Belt industrial machinery manufacturer. Furthermore, there are many different stripes of CISOs — not all necessarily with entrenched technology backgrounds. (See sidebar, “Know your CISO.”)

In our experience, too many organizations appoint a CISO based on legacy concepts rather than demand-driven ideas. A tech company may select a CISO with a stellar track record of rolling out and supporting robust security software but who lacks the risk savvy to gauge and therefore guard against as-yet-unknown cyber threats. Or an industrial company may pick a CISO whose career in risk and compliance does not equip him or her to assess the scope or scale of the next cyberattack. Here are four common mistakes we see companies make.

Thinking too tactically

Until relatively recently, it was usually enough for organizations to have a technology-savvy leader on the CIO’s team who would roll out robust security software across the organization and make sure it was kept up-to-date. The underlying principle involved was defense: protect the organization against persistent yet fairly well understood threats.

Not anymore. The speed of technological change has brought with it more frequent and more complex attacks, even as companies have come to rely more on technology and technological connectivity for growth. Today, regardless of industry or geography or size of the organization, the CISO must have an enterprise-level understanding of the risks of every form of cyberattack and other enterprise threats and be able to communicate them not only to IT-focused colleagues but to the board of directors as well. Some CISOs are already headed in that direction. Speaking to Bank Info Security recently, David Sherry, CISO of Brown University, indicated that he sees the role transitioning completely to manage the risk of an enterprise by setting the proper programs, policies, and processes that are necessary to fulfill the IT security mission.[5]

[5] Tom Field, “CISO’s Challenge: Security & Risk. Security Leaders Take on Dual Responsibilities,” Bank Info Security, October 23, 2012, available on www.bankinfosecurity.com.
Yet many companies still have tactically focused security leaders — oftentimes because they’ve simply had no cause to reexamine the issue from a broader perspective. This was the case for a large technology company we know that was spinning off a large subsidiary. It was only during the spin-off process that the NewCo’s general counsel recognized how immature its security operations actually were.

Meanwhile, a technology services firm recognized that its cybersecurity leader wasn’t sufficiently business-minded or strategic to help grow the company’s solutions business — a business, ironically enough, focused on cybersecurity. The leader was capable of managing the security challenges but less capable of operating effectively across a matrix organization as a peer to senior business leaders, something the company needed to ensure that its solutions business achieved its growth objectives.

Similarly, a diesel engine manufacturer recognized that its director-level cybersecurity leader was well prepared to handle the everyday tactics of the role but out of his depth when it came to engaging with the board of directors on cybersecurity strategy. The manufacturer’s general counsel clarified the need for a CISO “upgrade” and put a search in motion.

The push for a top-level CISO can come from several sources. Oftentimes, the general counsel is a prime mover because of the risk component of the role. But it can come from the CEO, the audit or risk committees, or a director whose other boardroom experiences heighten his or her awareness of the risks. That was the case recently at a leading pharmaceutical company; one of its directors had been on the board of a national retailer that had been hacked — and whose brand suffered as a result. The director knew firsthand the importance of hiring a top-level CISO who could handle the cybersecurity risks and thus pushed the board to do so.

Mismanaging the reporting structure

It’s a mistake to assume that since the CISO job touches technology, the role should always report in to the CIO. A security chief who comes from the legacy compliance world will be entirely out of place working for the head of IT. Similarly, a CISO who is steeped in cyber everything may not work well if the job is required to report to, say, the chief risk officer.

In our experience, who the CISO reports to and what access and influence he or she has are at least as important as the CISO’s qualifications and experience. The reporting structure will always be specific to the organization — to its strategy, its structure, and its culture. Companies respond to this issue in different ways. Some elevate the function, while others split the role so its risk component reports to the chief risk officer, the IT security part answers to the CIO, and physical security is under the general counsel.

There are two dimensions to the issue of reporting structure that are most important to consider. The first is influence. The role has to be at a senior enough level for the CISO to be able to have the respect of the other C-level executives and the board. (If the CISO is really at only a manager level, he or she faces an uphill battle to get the respect required to meet the broad mandate of the job.)

The second dimension is the potential for conflict of interest. Let’s say the CISO reports to the CIO. It’s the CIO who controls the purse strings for the company’s technology networks. But if the CISO’s job is to audit those networks, there’s a built-in difficulty. It’s never easy to tell your boss that his or her network is the source of the organization’s cybersecurity problems, particularly if the implication is that it will cost money to fix the predicament and therefore potentially conflict with the CIO’s other priorities. Indeed, given how often CIOs are asked to cut costs, this issue is quite often an overlooked source of tension in the reporting relationship. “The CISO is there to give an independent view of what the CIO is doing. That’s why the reporting line needs to be separate,” said one participant at a recent meeting of the North American and European Audit Committee Leadership Networks.[6]

[6] “Board and audit committee oversight of cyberrisk,” ViewPoints for the Audit Committee Leadership Summit, July 13, 2015, available on www.ey.com.
Overemphasizing cyber and technical qualifications

Yes, cyber savvy does matter for any top security job today, but it must not eclipse other crucial capabilities — notably communication, collaboration, influencing ability, and the candidate’s fit with the organization’s culture. For example, a CISO who is technically sound but who has had little exposure to the business, or comes from a rigid, “security is the only priority” background, may not be effective at encouraging colleagues to change deeply ingrained behaviors in order to avoid cyber risks.

To be sure, companies screening CISO candidates should be aware of the candidate’s technology credentials and even insist on them. Yet organizations that view the role solely through this lens, or weight the technical requirements too heavily, risk a variety of unintended consequences.

For example, a CISO who puts the board to sleep with tech talk has just failed and will not be invited back to the boardroom; one who consorts largely with the organization’s tech community — and who cannot speak the language of business — is not doing the job. Interviewed by Healthcare IT News, Meredith Phillips, CISO of the Henry Ford Health System in Detroit, explained what needs to happen: “If we can’t capture the hearts and minds of individuals that are engaging with data and systems and applications in order to take care of patients, no amount of technology that I put in place will ever solve that problem.”[7]

Unfortunately, though, CISOs and boards aren’t always communicating as they should. According to the 2015 US State of Cybercrime Survey, nearly one-third (28%) of respondents said their security leaders make no presentations at all to the board, while only 26% of CISOs, or their organization’s equivalent, provide an annual presentation to their board of directors.[8] By contrast, forward-looking companies look for smart ways to introduce CISOs to the board: for example, by bringing them in to copresent to the audit committee, or by pairing the CISO with a seasoned executive elsewhere in the business to learn the ropes of managing a relationship with the board. Absent a thoughtful approach, there’s a risk that CISOs will be sent from the “backroom to the boardroom” too quickly and damage their cause (and their credibility) in the process.

[7] Erin McCann, “Time to ditch the ‘security team of yesterday,’” Healthcare IT News, September 1, 2015, available on www.healthcareitnews.com.
[8] “US cybersecurity: Progress stalled. Key findings from the 2015 US State of Cybercrime Survey,” PwC, July 2015, available on www.pwc.com.
Holding out for the “perfect” security leader

We have seen instances where corporate leaders have waited and waited and waited in vain in an attempt to land the ideal security leader — someone who bundles tremendous risk savvy with executive chops and collaborative skills and a terrific suite of cyber skills — only to find that in the interim they lost well-qualified candidates to more agile companies. One company we know lost seven months and several candidates in this way.

For any role, “perfect” is rarely manifested in one person, and cybersecurity is no different. Returning to our earlier point about the many different types of CISOs out there: rather than searching for the perfect candidate, a more practical approach is to understand the different degrees of fit and to systematically gauge the candidates’ strengths against the organization’s future needs.

The CISO role is new enough, layered enough, and now essential enough that it’s often worth considering splitting the role among two or three individuals, each the master of a key component of the job, or coming as close as possible to the ideal with one candidate and then complementing his or her shortfalls with a highly qualified second-in-command. The large technology company that was spinning off a subsidiary took a variation of this approach. When company leaders realized that the “perfect” CISO wasn’t to be found, they decided to spread cybersecurity across three roles — corporate security, information and application security, and risk and compliance.

These kinds of composite, flexible approaches may seem messy, but they will be far better than waiting for a candidate who doesn’t exist.

The tasks of evaluating, hiring, and placing the right security chief aren’t easy. They are exacerbated by the supply–demand mismatch, with demand far outstripping supply as cyber risks ripple outward from familiar sectors such as financial services and become headaches for industrial, governmental, and even nonprofit organizations. But there can no longer be any excuse for inaction by the board on the cybersecurity front. The SEC has made it clear that boards are entirely responsible because enormous risk is involved. Insurers and attorneys and the NACD are driving that message home. And what matters to boards matters to executive leadership teams.

It’s past time for business leaders to figure out how to hire the security chief who’ll keep those risks in check.
Cybersecurity

For more than a decade, Heidrick & Struggles has developed expertise for finding talent for cybersecurity roles and security firms of all sizes, with consultants focused across industries and functions around the world. Our experience includes placing executives for information security, operational and enterprise risk, privacy, compliance, and senior leadership roles for firms providing security services, software, and hardware.

Our cybersecurity team has a world-class knowledge base to advise clients on the leadership they need to deliver against their security strategy.

For more information, please write cybersecurity@heidrick.com.
Heidrick & Struggles is the premier provider of senior-level executive search, culture shaping, and leadership consulting services. For more than 60 years we have focused on quality service and built strong relationships with clients and individuals worldwide. Today, Heidrick & Struggles’ leadership experts operate from principal business centers globally.

www.heidrick.com

Copyright © 2015 Heidrick & Struggles International, Inc. All rights reserved. Reproduction without permission is prohibited. Trademarks and logos are copyrights of their respective owners.
 
4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon Brady4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon Brady
 
Francis Kaitano Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Francis Kaitano Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015Francis Kaitano Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Francis Kaitano Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
 
Cybersecurity the new metrics
Cybersecurity the new metricsCybersecurity the new metrics
Cybersecurity the new metrics
 
Cyber Risks - Maligec and Eskins
Cyber Risks - Maligec and EskinsCyber Risks - Maligec and Eskins
Cyber Risks - Maligec and Eskins
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
 
Challenging Insecurity: A Roadmap to Cyber Confidence
Challenging Insecurity: A Roadmap to Cyber ConfidenceChallenging Insecurity: A Roadmap to Cyber Confidence
Challenging Insecurity: A Roadmap to Cyber Confidence
 

Recently uploaded

VIP 7001035870 Find & Meet Hyderabad Call Girls Ameerpet high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls Ameerpet high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls Ameerpet high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls Ameerpet high-profile Call Girladitipandeya
 
Dealing with Poor Performance - get the full picture from 3C Performance Mana...
Dealing with Poor Performance - get the full picture from 3C Performance Mana...Dealing with Poor Performance - get the full picture from 3C Performance Mana...
Dealing with Poor Performance - get the full picture from 3C Performance Mana...Hedda Bird
 
Day 0- Bootcamp Roadmap for PLC Bootcamp
Day 0- Bootcamp Roadmap for PLC BootcampDay 0- Bootcamp Roadmap for PLC Bootcamp
Day 0- Bootcamp Roadmap for PLC BootcampPLCLeadershipDevelop
 
Agile Coaching Change Management Framework.pptx
Agile Coaching Change Management Framework.pptxAgile Coaching Change Management Framework.pptx
Agile Coaching Change Management Framework.pptxalinstan901
 
operational plan ppt.pptx nursing management
operational plan ppt.pptx nursing managementoperational plan ppt.pptx nursing management
operational plan ppt.pptx nursing managementTulsiDhidhi1
 
BDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Does Leadership Possible Without a Vision.pptx
Does Leadership Possible Without a Vision.pptxDoes Leadership Possible Without a Vision.pptx
Does Leadership Possible Without a Vision.pptxSaqib Mansoor Ahmed
 
{ 9892124323 }} Call Girls & Escorts in Hotel JW Marriott juhu, Mumbai
{ 9892124323 }} Call Girls & Escorts in Hotel JW Marriott juhu, Mumbai{ 9892124323 }} Call Girls & Escorts in Hotel JW Marriott juhu, Mumbai
{ 9892124323 }} Call Girls & Escorts in Hotel JW Marriott juhu, MumbaiPooja Nehwal
 
situational leadership theory by Misba Fathima S
situational leadership theory by Misba Fathima Ssituational leadership theory by Misba Fathima S
situational leadership theory by Misba Fathima Smisbafathima9940
 
internal analysis on strategic management
internal analysis on strategic managementinternal analysis on strategic management
internal analysis on strategic managementharfimakarim
 
GENUINE Babe,Call Girls IN Baderpur Delhi | +91-8377087607
GENUINE Babe,Call Girls IN Baderpur  Delhi | +91-8377087607GENUINE Babe,Call Girls IN Baderpur  Delhi | +91-8377087607
GENUINE Babe,Call Girls IN Baderpur Delhi | +91-8377087607dollysharma2066
 
Reviewing and summarization of university ranking system to.pptx
Reviewing and summarization of university ranking system  to.pptxReviewing and summarization of university ranking system  to.pptx
Reviewing and summarization of university ranking system to.pptxAss.Prof. Dr. Mogeeb Mosleh
 

Recently uploaded (20)

VIP 7001035870 Find & Meet Hyderabad Call Girls Ameerpet high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls Ameerpet high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls Ameerpet high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls Ameerpet high-profile Call Girl
 
Dealing with Poor Performance - get the full picture from 3C Performance Mana...
Dealing with Poor Performance - get the full picture from 3C Performance Mana...Dealing with Poor Performance - get the full picture from 3C Performance Mana...
Dealing with Poor Performance - get the full picture from 3C Performance Mana...
 
Day 0- Bootcamp Roadmap for PLC Bootcamp
Day 0- Bootcamp Roadmap for PLC BootcampDay 0- Bootcamp Roadmap for PLC Bootcamp
Day 0- Bootcamp Roadmap for PLC Bootcamp
 
Agile Coaching Change Management Framework.pptx
Agile Coaching Change Management Framework.pptxAgile Coaching Change Management Framework.pptx
Agile Coaching Change Management Framework.pptx
 
Empowering Local Government Frontline Services - Mo Baines.pdf
Empowering Local Government Frontline Services - Mo Baines.pdfEmpowering Local Government Frontline Services - Mo Baines.pdf
Empowering Local Government Frontline Services - Mo Baines.pdf
 
operational plan ppt.pptx nursing management
operational plan ppt.pptx nursing managementoperational plan ppt.pptx nursing management
operational plan ppt.pptx nursing management
 
Call Girls Service Tilak Nagar @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICE
Call Girls Service Tilak Nagar @9999965857 Delhi 🫦 No Advance  VVIP 🍎 SERVICECall Girls Service Tilak Nagar @9999965857 Delhi 🫦 No Advance  VVIP 🍎 SERVICE
Call Girls Service Tilak Nagar @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICE
 
BDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort Service
 
Does Leadership Possible Without a Vision.pptx
Does Leadership Possible Without a Vision.pptxDoes Leadership Possible Without a Vision.pptx
Does Leadership Possible Without a Vision.pptx
 
Imagine - Creating Healthy Workplaces - Anthony Montgomery.pdf
Imagine - Creating Healthy Workplaces - Anthony Montgomery.pdfImagine - Creating Healthy Workplaces - Anthony Montgomery.pdf
Imagine - Creating Healthy Workplaces - Anthony Montgomery.pdf
 
Disrupt or be Disrupted - Kirk Vallis.pdf
Disrupt or be Disrupted - Kirk Vallis.pdfDisrupt or be Disrupted - Kirk Vallis.pdf
Disrupt or be Disrupted - Kirk Vallis.pdf
 
Unlocking the Future - Dr Max Blumberg, Founder of Blumberg Partnership
Unlocking the Future - Dr Max Blumberg, Founder of Blumberg PartnershipUnlocking the Future - Dr Max Blumberg, Founder of Blumberg Partnership
Unlocking the Future - Dr Max Blumberg, Founder of Blumberg Partnership
 
{ 9892124323 }} Call Girls & Escorts in Hotel JW Marriott juhu, Mumbai
{ 9892124323 }} Call Girls & Escorts in Hotel JW Marriott juhu, Mumbai{ 9892124323 }} Call Girls & Escorts in Hotel JW Marriott juhu, Mumbai
{ 9892124323 }} Call Girls & Escorts in Hotel JW Marriott juhu, Mumbai
 
Rohini Sector 16 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 16 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 16 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 16 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Intro_University_Ranking_Introduction.pptx
Intro_University_Ranking_Introduction.pptxIntro_University_Ranking_Introduction.pptx
Intro_University_Ranking_Introduction.pptx
 
situational leadership theory by Misba Fathima S
situational leadership theory by Misba Fathima Ssituational leadership theory by Misba Fathima S
situational leadership theory by Misba Fathima S
 
internal analysis on strategic management
internal analysis on strategic managementinternal analysis on strategic management
internal analysis on strategic management
 
Imagine - HR; are handling the 'bad banter' - Stella Chandler.pdf
Imagine - HR; are handling the 'bad banter' - Stella Chandler.pdfImagine - HR; are handling the 'bad banter' - Stella Chandler.pdf
Imagine - HR; are handling the 'bad banter' - Stella Chandler.pdf
 
GENUINE Babe,Call Girls IN Baderpur Delhi | +91-8377087607
GENUINE Babe,Call Girls IN Baderpur  Delhi | +91-8377087607GENUINE Babe,Call Girls IN Baderpur  Delhi | +91-8377087607
GENUINE Babe,Call Girls IN Baderpur Delhi | +91-8377087607
 
Reviewing and summarization of university ranking system to.pptx
Reviewing and summarization of university ranking system  to.pptxReviewing and summarization of university ranking system  to.pptx
Reviewing and summarization of university ranking system to.pptx
 

Four mistakes to avoid when hiring your next security chief (print version nov 2015)

There is arguably no hire more important today than chief information security officer, but companies may be making the wrong calls when evaluating the role. Here’s how to feel more secure about your next security leader.

15100747 - hs-00129-CISO article 2-DRAFT 02.indd 1 27/10/2015 11:17
For many organizations, recruiting a top-notch chief information security officer may be their most important hire.

If that seems like an overstatement, then ask the boards of directors of Target, Sony Pictures, Home Depot, J.P. Morgan, or any one of the long list of organizations whose corporate data stores have been breached recently. They’re the ones who, with their executive teams, still have to deal firsthand with the reputational wreckage and loss of customers’ trust, the financial impact, and all the other consequences cyberattacks bring.

With cybersecurity calamities regularly making front-page news, there’s clearly a crying need for better protections and stronger, smarter responses. So a big question being voiced in boardrooms these days is this: do we have the right information security leader in place — and at the right level and with the right skills?

But here’s the problem. Boards — not to mention their CEOs — are still learning how to think about, and define, the chief information security officer (CISO) role. For one thing, the role is vastly more complex than it used to be; it involves far more than keeping the security software and firewalls up to date and anticipating and dealing with the outcomes of a stolen laptop. The person (or persons) now in the role might be a great match for yesterday’s challenges, but too many are unequal to the complexity and sheer volume of threats that organizations face today . . . to say nothing of tomorrow’s threats.

The upshot: boards and their executive teams are in danger of getting the CISO role wrong. In particular, we’ve observed four ways in which that may happen:

1. The organization may shortchange the risk savvy required.
2. The reporting structure may be off-track.
3. There may be (paradoxically enough) an overemphasis on cyber qualifications.
4. The organization may hold out too long for the “perfect” security leader.

We’ll look more closely at each of these pitfalls in a moment. First, though, it’s important to underscore how directors’ own roles are changing as cyber risks escalate.
The buck stops where?

It’s not the place of this article to grimace at the growing list of cyberattacks. But it is our job to point out that the buck for security, in all forms, stops squarely in the boardroom. That was made crystal clear in a June 2014 speech to the New York Stock Exchange by Luis Aguilar, commissioner at the US Securities and Exchange Commission: “Ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities,” he stated.[1] Moreover, directors and officers who fail to assume this responsibility may find themselves individually liable for any lapses that occur.

Translated into action, this means that boards must ensure that the appropriate teams are in place and that there are adequate plans not only to respond to breaches but to prevent them. The National Association of Corporate Directors (NACD) has crystallized those themes into a set of guidelines. The first and foremost principle: “Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.”[2]

In response, more and more directors are stepping up. In the United States, nearly half of the respondents to a recent survey agreed that the audit committee has responsibility for cyber risk today.[3] “Boards now are calling for clear and consistent cybersecurity policies,” said Richard Goodman, a member of the boards of Johnson Controls, Kindred Healthcare, Western Union, and Toys “R” Us. Speaking at a recent gathering of CIOs, Goodman added: “You can’t give people in the field decision-making authority about whether you decide to do something or not on cybersecurity.”[4]

Indeed, we see many more boards becoming directly involved in the search for a new CISO as the strategic importance of the role increases. Similarly, we’ve seen an uptick in the number of boards seeking directors with real cybersecurity know-how — for example, in the form of sitting or retired CIOs (particularly those to whom the CISO has reported).

1. Luis A. Aguilar, U.S. Securities and Exchange Commission, “Boards of Directors, Corporate Governance, and Cyber-Risks: Sharpening the Focus” (speech, “Cyber Risks and the Boardroom” Conference, New York Stock Exchange, New York, NY, June 10, 2014), available on www.sec.gov.
2. National Association of Corporate Directors (NACD), Cyber-Risk Oversight Handbook, June 10, 2014, available on www.nacdonline.org; The Institute of Internal Auditors Research Foundation, Cybersecurity: What the Board of Directors Needs to Ask, 2014, available on www.theiia.org/bookstore.
3. Ken Berry, “5 Key Takeaways from KPMG’s ‘2015 Global Audit Committee Survey,’” accountingWEB, February 12, 2015, available on www.accountingweb.com.
4. Rachel King, “Cybersecurity Policies Need to Be Centralized: Board Member,” Wall Street Journal, CIO Report (blog), June 30, 2015, http://blogs.wsj.com/cio/2015/06/30/cybersecurity-policies-needs-to-be-centralized-board-member.
Four pitfalls to avoid

Yet the additional attention doesn’t necessarily equip boards or executives to evaluate, let alone appoint, the right CISO. And that’s part of the point: there is no one true job description that will be as good a fit for a Silicon Valley technology company as it would be for a Rust Belt industrial machinery manufacturer. Furthermore, there are many different stripes of CISOs — not all necessarily with entrenched technology backgrounds. (See sidebar, “Know your CISO.”)

Sidebar: Know your CISO

Savvy boards and executive teams realize that not all CISOs come from the same mold. Just as with any functional leadership role, CISOs come from all sorts of backgrounds. In our work, we have identified four major types of CISOs:

Legacy compliance. Privacy- and compliance-focused individual who typically came up through risk or the Big Four. Generally not technical; limited understanding of hacking or engineering. Demand: low.

Cyber specialist. Knows how to identify the “black hats” and keep them out; has a strong technical background. Probably came from a communications, government/defense, or financial services company. Demand: strong.

Enterprise CISO. Historically the most common type; came from the IT or infrastructure side; likely reports to the CIO. Very comfortable implementing software, such as identity and access management software, or enhancements to mobile/cloud security. Demand: strong.

Product CISO. Embeds security in products such as online video games or Internet of Things devices; ensures that what the company makes has security built in. Demand: currently low but growing quickly.

In our experience, too many organizations appoint a CISO based on legacy concepts rather than demand-driven ideas. A tech company may select a CISO with a stellar track record of rolling out and supporting robust security software but who lacks the risk savvy to gauge and therefore guard against as-yet-unknown cyber threats.
Or an industrial company may pick a CISO whose career in risk and compliance does not equip him or her to assess the scope or scale of the next cyberattack. Here are four common mistakes we see companies make.

Thinking too tactically

Until relatively recently, it was usually enough for organizations to have a technology-savvy leader on the CIO’s team who would roll out robust security software across the organization and make sure it was kept up to date. The underlying principle involved was defense: protect the organization against persistent yet fairly well understood threats.

Not anymore. The speed of technological change has brought with it more frequent and more complex attacks, even as companies have come to rely more on technology and technological connectivity for growth. Today, regardless of industry or geography or size of the organization, the CISO must have an enterprise-level understanding of the risks of every form of cyberattack and other enterprise threats and be able to communicate them not only to IT-focused colleagues but to the board of directors as well.

Some CISOs are already headed in that direction. In a 2012 interview with Bank Info Security, David Sherry, CISO of Brown University, said he sees the role transitioning completely to managing the risk of an enterprise by setting the proper programs, policies, and processes necessary to fulfill the IT security mission.[5]

5. Tom Field, “CISO’s Challenge: Security & Risk. Security Leaders Take on Dual Responsibilities,” Bank Info Security, October 23, 2012, available on www.bankinfosecurity.com.
Yet many companies still have tactically focused security leaders — oftentimes because they’ve simply had no cause to reexamine the issue from a broader perspective. This was the case for a large technology company we know that was spinning off a large subsidiary. It was only during the spin-off process that the NewCo’s general counsel recognized how immature its security operations actually were.

Meanwhile, a technology services firm recognized that its cybersecurity leader wasn’t sufficiently business-minded or strategic enough to help grow the company’s solutions business — a business, ironically enough, focused on cybersecurity. The leader was capable of managing the security challenges but less capable of operating effectively across a matrix organization as a peer to senior business leaders, something the company needed to ensure that its solutions business achieved its growth objectives.

Similarly, a diesel engine manufacturer recognized that its director-level cybersecurity leader was well prepared to handle the everyday tactics of the role but out of his depth when it came to engaging with the board of directors on cybersecurity strategy. The manufacturer’s general counsel clarified the need for a CISO “upgrade” and put a search in motion.

The push for a top-level CISO can come from several sources. Oftentimes, the general counsel is a prime mover because of the risk component of the role. But it can come from the CEO, the audit or risk committees, or a director whose other boardroom experiences heighten his or her awareness of the risks. That was the case recently at a leading pharmaceutical company; one of its directors had been on the board of a national retailer that had been hacked — and whose brand suffered as a result. The director knew firsthand the importance of hiring a top-level CISO who could handle the cybersecurity risks and thus pushed the board to do so.
Mismanaging the reporting structure

It’s a mistake to assume that since the CISO job touches technology, the role should always report in to the CIO. A security chief who comes from the legacy compliance world will be entirely out of place working for the head of IT. Similarly, a CISO who is steeped in cyber everything may not work well if the job is required to report to, say, the chief risk officer. In our experience, who the CISO reports to and what access and influence he or she has are at least as important as the CISO’s qualifications and experience.

The reporting structure will always be specific to the organization — to its strategy, its structure, and its culture. Companies respond to this issue in different ways. Some elevate the function, while others split the role so its risk component reports to the chief risk officer, the IT security part answers to the CIO, and physical security is under the general counsel.

There are two dimensions to the issue of reporting structure that are most important to consider. The first is influence. The role has to be at a senior enough level for the CISO to be able to have the respect of the other C-level executives and the board. (If the CISO is really at only a manager level, he or she faces an uphill battle to get the respect required to meet the broad mandate of the job.)

The second dimension is the potential for conflict of interest. Let’s say the CISO reports to the CIO. It’s the CIO who controls the purse strings for the company’s technology networks. But if the CISO’s job is to audit those networks, there’s a built-in difficulty. It’s never easy to tell your boss that his or her network is the source of the organization’s cybersecurity problems, particularly if the implication is that it will cost money to fix the predicament and therefore potentially conflict with the CIO’s other priorities. Indeed, given how often CIOs are asked to cut costs, this issue is quite often an overlooked source of tension in the reporting relationship. “The CISO is there to give an independent view of what the CIO is doing. That’s why the reporting line needs to be separate,” said one participant at a recent meeting of the North American and European Audit Committee Leadership Networks.[6]

6. “Board and audit committee oversight of cyberrisk,” ViewPoints for the Audit Committee Leadership Summit, July 13, 2015, available on www.ey.com.
Overemphasizing cyber and technical qualifications

Yes, cyber savvy does matter for any top security job today, but it must not eclipse other crucial capabilities — notably communication, collaboration, influencing ability, and the candidate’s fit with the organization’s culture. For example, a CISO who is technically sound but who has had little exposure to the business, or comes from a rigid, “security is the only priority” background, may not be effective at encouraging colleagues to change deeply ingrained behaviors in order to avoid cyber risks.

To be sure, companies screening CISO candidates should be aware of the candidate’s technology credentials and even insist on them. Yet organizations that view the role solely through this lens, or weight the technical requirements too heavily, risk a variety of unintended consequences. For example, a CISO who puts the board to sleep with tech talk has just failed and will not be invited back to the boardroom; one who consorts largely with the organization’s tech community — and who cannot speak the language of business — is not doing the job.

Interviewed by Healthcare IT News, Meredith Phillips, CISO of the Henry Ford Health System in Detroit, explained what needs to happen: “If we can’t capture the hearts and minds of individuals that are engaging with data and systems and applications in order to take care of patients, no amount of technology that I put in place will ever solve that problem.”[7] Unfortunately, though, CISOs and boards aren’t always communicating as they should.
According to the 2015 US State of Cybercrime Survey, more than a quarter (28%) of respondents said their security leaders make no presentations at all to the board, while only 26% of CISOs, or their organization’s equivalent, provide an annual presentation to their board of directors.[8] By contrast, forward-looking companies look for smart ways to introduce CISOs to the board: for example, by bringing them in to copresent to the audit committee, or by pairing the CISO with a seasoned executive elsewhere in the business to learn the ropes of managing a relationship with the board. Absent a thoughtful approach, there’s a risk that CISOs will be sent from the “backroom to the boardroom” too quickly and damage their cause (and their credibility) in the process.

Holding out for the “perfect” security leader

We have seen instances where corporate leaders have waited and waited and waited in vain in an attempt to land the ideal security leader — someone who bundles tremendous risk savvy with executive chops and collaborative skills and a terrific suite of cyber skills — only to find that in the interim they lost well-qualified candidates to more agile companies. One company we know lost seven months and several candidates in this way.

For any role, “perfect” is rarely manifested in one person, and cybersecurity is no different. To our earlier point about the many different types of CISOs out there, rather than searching for the perfect candidate, a more practical approach is to understand the different degrees of fit and to systematically gauge the candidates’ strengths against the organization’s future needs.

The CISO role is new enough, layered enough, and now essential enough that it’s often worth considering splitting the role among two or three individuals, each the master of a key component of the job, or coming as close as possible to the ideal with one candidate and then complementing his or her shortfalls with a highly qualified second-in-command. The large technology company that was spinning off a subsidiary took a variation of this approach. When company leaders realized that the “perfect” CISO wasn’t to be found, they decided to spread cybersecurity across three roles — corporate security, information and application security, and risk and compliance. These kinds of composite, flexible approaches may seem messy, but they will be far better than waiting for a candidate who doesn’t exist.

The tasks of evaluating, hiring, and placing the right security chief aren’t easy. They are exacerbated by the supply–demand mismatch, with demand far outstripping supply as cyber risks ripple outward from familiar sectors such as financial services and become headaches for industrial, governmental, and even nonprofit organizations. But there can no longer be any excuse for inaction by the board on the cybersecurity front. The SEC has made it clear that cyber risk oversight is a board responsibility because enormous risk is involved. Insurers and attorneys and the NACD are driving that message home. And what matters to boards matters to executive leadership teams. It’s past time for business leaders to figure out how to hire the security chief who’ll keep those risks in check.

7. Erin McCann, “Time to ditch the ‘security team of yesterday,’” Healthcare IT News, September 1, 2015, available on www.healthcareitnews.com.
8. “US cybersecurity: Progress stalled. Key findings from the 2015 US State of Cybercrime Survey,” PwC, July 2015, available on www.pwc.com.
Cybersecurity

For more than a decade, Heidrick & Struggles has developed expertise in finding talent for cybersecurity roles and security firms of all sizes, with consultants focused across industries and functions around the world. Our experience includes placing executives for information security, operational and enterprise risk, privacy, compliance, and senior leadership roles for firms providing security services, software, and hardware. Our cybersecurity team has a world-class knowledge base to advise clients on the leadership they need to deliver against their security strategy. For more information, please write cybersecurity@heidrick.com.
Heidrick & Struggles is the premier provider of senior-level executive search, culture shaping, and leadership consulting services. For more than 60 years we have focused on quality service and built strong relationships with clients and individuals worldwide. Today, Heidrick & Struggles’ leadership experts operate from principal business centers globally. www.heidrick.com

Copyright © 2015 Heidrick & Struggles International, Inc. All rights reserved. Reproduction without permission is prohibited. Trademarks and logos are copyrights of their respective owners. hs-00120