2. Private and Confidential 2
Table of Contents
1. Trends in the Market
2. The Chief Information Security Officer Role
3. The Talent Implications
4. Our Track Record
5. About Russell Reynolds Associates
6. Our People
Our Cyber Security Practice
Cyber Security at RRA
The growing number of cyber attacks against firms across industries
has created a rapidly growing demand for world-class information
security leaders. What once was a relatively hidden, highly technical
function embedded deep within an IT organization now has taken on
greater importance due to the potentially devastating consequences
of security breaches and the many stakeholders involved. Security
executives today must not only be hands-on, technical experts, but
also business-savvy executives able to translate cyber risk into real
business terms for C-level executives and the Board.
Our consultants are experts in key security functions with an
extensive relationship network, ranging from government
organizations and the intelligence community to cybersecurity
startups and boutiques. Our practice focuses on the role of the chief
information security officer, as well as complementary areas such as:
Direct reports to CISO:
Deputy CISO
Architecture
Business Continuity/Disaster Recovery
Governance, Risk and Compliance
Identity and Access Management/Data Privacy
Incident Response
Insider Threat
Operations
Threat Intelligence
3rd Party Risk Management
A Rapidly Growing Practice
Since 2012, Russell Reynolds Associates has completed more than 60 cyber security searches, with
over half of those searches completed within the past year. Positioned within the firm’s
Technology Officers Practice but working across all sectors and functional areas, the Cyber Security
Practice draws upon a global network of consultants bringing together professionals with diverse
backgrounds ranging from broader technology to data and analytics to governance, risk, and
compliance. Driven by extensive demand for top-tier security leadership and talent, the practice,
led by Matt Comyns and Tim Cook, continues to expand and deliver results for clients across the
Americas, EMEA and Asia Pacific across multiple industries, including financial services, technology,
industrial, professional services, consumer, healthcare, as well as nonprofit.
Global Cyber Security Leadership Team
Irene Chan, Singapore
Tim Cook, London
Mercedes LeGrand, Washington DC
Matt Comyns, New York
Lachlan Wark, Sydney
Nicolas Schwartz, Paris
Ahmed Jamil, Chicago
Yuko Yasuda, Tokyo
Jörn Ottendorf, Frankfurt
Hans Reus, Amsterdam
Board
Professional Services
C-Level Executives @ vendor companies
Product Security/IoT
Mindy Kairey, Chicago
Maneesh Dube, New Delhi
Michael Feldman, San Francisco
Eric Sigurdson, Chicago
Shawn Banerji, New York
Lisa Porlier, Toronto
Art Hopkins, Atlanta
Jennifer Rockwood, Houston
Cyber Risk Has Become the #1 Risk for Most Global Companies and Boards
Figure: Major Cyber Security Breaches, 2014 to 2016. Sectors labelled: Retail, FS, Government, Online & Content, Healthcare, Hardware, Consumer, Telecom, Higher Education. Categories labelled: Financial Crime, Hacktivists, Sabotage, Espionage, Intellectual Property, Extortion/Ransomware, Life Safety. Callout: Attack on Ukraine power grid.
“The numbers have become numbing. Year after year, cyberattacks continue to escalate in
frequency, severity and impact. Prevention and detection methods have proved largely ineffective
against increasingly adept assaults, and many organizations don’t know what to do, or don’t have
the resources to combat highly skilled and aggressive cybercriminals.”
- PricewaterhouseCoopers 2016 Global State of Information Security Survey
Recent Notable Cyber Attacks
Regions shown on the map: USA, Europe, Asia, Latin America
“CARBANAK”: $1Bn from 10 banks in 30 countries
Ryanair loses $5m in a fraudulent transaction
France Shopping Site TFI loses 2M records
TalkTalk loses 4m records
IRS is hacked, exposing tax information on 700,000 accounts
OPM is breached, exposing data on 4.2 million federal workers
Virtual toy maker VTech is breached, putting 5 million people at risk
Credit card details of 20 million stolen in Korea Credit Bureau breach
Mexican bank Banorte is breached, compromising roughly 20,000 accounts
AT&T call centers in Mexico are breached, exposing 280,000 user customer accounts
Brazilian Air Force has its website defaced by hackers from Anonymous
Brazilian payments system, Boletos, poisons the DNS entry used by the bank’s website to redirect them to a harmful site
Cyber criminals stole $81 million from Bangladesh central bank
$81M cybertheft from Bangladesh’s central bank
SAT hacking by foreign students
2016 DNC email hacking scandal
Understanding What’s Out There
Beyond confronting a surge in criminal hacker activity, CISOs now face a wide array of risks that have
significantly increased the complexity of their role. As companies raise the profile and prominence of
the CISO role, they also must require that the responsibilities of top cyber security executives change
in important ways:
Profile 1: General Technologists
Frequently holding a technical degree in engineering or computer science, these executives normally begin their career in corporate IT (e.g., networking, application development) and migrate to a specialization in information security.
Profile 2: Professional Services/Audit
Often holding degrees in accounting, executives typically begin their career in the Audit or Compliance function and then transfer to IT Audit and ultimately Information Security.
Profile 3: Military or Law Enforcement Professionals
Less commonly holding a technical degree, these executives begin their career in the military or law enforcement, gaining best practices on leadership and defense and often having hybrid responsibilities for physical and cyber security.
Profile 4: Cyber Security Threat Intelligence Specialists
More cutting-edge cyber threat intelligence specialists who are extremely technical, often coming out of organizations like the National Security Agency (NSA) or DOD. They satisfy the need to create a “hunters” mentality to stay one step ahead of the bad actors.
Profile 5: Product Security Executives
A new profile we are starting to see is of a software developer with a focus on cyber security, specializing in IoT (Internet of Things), brought in at the beginning of the product development life cycle.
Cyber security organizations can take many shapes below the CISO. Equally, the reporting line is usually through one other role to the board.
Cyber Security Org Structure in 2016
Organization chart; roles shown:
CEO
Chief Financial Officer
General Counsel
Chief Information Officer
Chief Risk Officer
Chief Information Security Officer
Governance, Risk, and Compliance
Identity & Access Management/Data Privacy
Security Operations
Security Architecture
Threat Intelligence/Incident Response
Business Continuity/Disaster Recovery
Deputy CISO
Head of 3rd Party/Vendor Risk and Compliance
Business Line Information Security Officer (BISO)
Head of Insider Threat
Regional Chief Information Security Officer (Asia, Europe)
Emerging Roles:
Head of Product Security (IoT)
Board
Cloud Security
What Kind of CISO Do You Need?
Type of CISO | Version 1.0 | Version 2.0 | Version 3.0 | Version 4.0
Influential at: | IT Level | Operations Level | Finance and Risk Level | Board Level
Degree of Security Knowledge and Technical Insight
Identify critical assets and crown jewels | Medium | High | High | High
Protect | High | High | High | High
Detect | Medium | High | High | High
Respond | Medium | High | High | High
Recover | Low | Medium | High | High
Automate | Low | Medium | Medium | High
Involved in cloud migration | Medium | Medium | High | High
Innovate with data & analytics | Low | Medium | High | High
Innovate with consumer devices & mobility | Medium | High | High | High
Innovate with the Internet of Things (IoT) | Low | Medium | Medium | High
Knowledgeable of the regulatory environment | High | High | High | High
Responsible for physical and logical risk | Low | Medium | Medium | High
Competencies
Results orientation | High | High | High | High
Team leadership | High | High | High | High
Change orientation | Medium | Medium | High | High
Influencing and collaboration | Medium | Medium | High | High
Strategic capability | Low | Medium | Medium | High
In our Cyber Security assignments, we usually identify the type of Chief Information Security Officer our clients need and
validate that profile with you before starting the search.
Evaluation Methodology - Experiences & Competencies Benchmarking
In our Cyber Security assignments, we set a list of core competencies against which all candidates will be benchmarked during the search.
Competencies (each placed on a scale of importance from Low to High):
Technical
Cyber Security
Strategy/Vision
Business Acumen
Influencer
Risk Management
External Network
Professional Services
Digital is Creating New Roles and
Fundamentally Changing Existing Ones
Key players in a digital transformation include new catalyst roles that have emerged to accelerate
transformation and existing roles that require increasingly digitally-savvy leaders.
Chief Data Officer: Manage infrastructure to harness data from across organization to analyze into actionable insight
Chief Analytics Officer: Partner with key business leaders to use analytics to inform business decisions, optimize operations and guide strategies with business intelligence and insight
Chief Information Officer: Typically more focused on internal systems and operational technology. Key enabler of digital transformation by building a strong technology infrastructure
Chief Digital Officer: Partner with senior leadership in defining and executing digital strategy across all functions and platforms, accelerating digital transformation
Chief Marketing Officer: Lead an increasingly analytical data-based marketing function. Partner with IT to leverage new technologies for improved customer segmentation and personalization
Chief Information Security Officer: Responsible for information/cyber-security vision and its execution across organization, including risk management and compliance and privacy
Chief Technology Officer: Typically the technology visionary responsible for understanding/developing innovative technology and its application to the business
Digital GM: Business leader of digital product or channel, often with separate P&L, with understanding of differences between online/offline businesses and how to integrate with broader organization
Why Attracting Top Cyber Security Talent Is Difficult Today
Demand far outweighs supply.
First-mover industries now face competition from
industries across the board. HR teams are having to
break with standards to accommodate highly
sought-after information security executives. Some
companies are nearly doubling comp or offering
retention bonuses to proven security leaders.
The role is changing and requiring broader business executive skills.
As cyber risk has risen as a top priority, companies
are moving the CISO role up the corporate ladder
closer to C-Level execs and Board. Next generation
CISOs must possess strong business acumen and
executive presence.
The market is moving quickly.
All companies are waking up to this new cyber
reality and seeking leaders at the same time. The
best candidates are receiving multiple offers,
putting pressure on the typical recruiting process.
Product Security
As the world becomes more digital and connected,
there is a new demand for leaders who not only
understand enterprise security, but also product
security to secure connected devices.
New security challenges abound.
Constantly growing threats require new types of
information security executives to combat and
minimize damage of breaches. New roles are
emerging, and organizations need to be optimized
for speed and agility to minimize damage.
Diversity is a growing challenge.
According to a major survey by ISC2, the largest
organization that certifies cyber professionals,
women account for just one out of ten cyber
security professionals, a gender gap that has
widened in recent years.
External Network/Information sharing is critical.
You can never have enough friends. Companies
need trusted partners to tackle evolving
information security challenges. Information
sharing has become a key component of successful
strategies.
Communicating with the board.
Interfacing with the board regularly to ensure that
they understand the true nature of threats and
what investments must be made is critical to
running an effective security organization.
Sample Assignments: Ongoing Searches
Cyber Security Senior Manager
Partner – Europe
IBM Security Partner
Non-Executive Director Specialized in Cyber Security
Privacy and Data Security Counsel
Cyber Security Partner – Japan
Cyber Security Partner – Germany
Cyber Security Partner - Canada
Head of IS Policy & Governance
Chief Information Security Officer
VP, Corporate Product and Cyber Security
Chief Information Security Officer
Chief Information Security Officer
Chief Information Security Officer
Deputy Chief Information Security Officer
SVP, IT Information Security
Managing Director Asia
Chief Information Security Officer
Chief Information Security Officer
WorldWide Director, Cyber Security
Sample Assignments: Marquee Searches Across Industries
Consumer
Chief Information Security Officer
Chief Information Security Officer
CISO, KFC
Healthcare
Chief Information Security Officer
Chief Information Security Officer
Chief Information Security Officer
Chief Information Security Officer
Financial Services
Chief Information Security Officer
Non-Executive Director Specialized in Cyber Security
Chief Information Security Officer, North America
Chief Security Officer
Vice President, Information Security
Global Chief Information Security Officer
Chief Information Security Officer
Chief Risk Officer
Global Chief Information Security Officer
Head of Business Resiliency
Assignments in Red = Diversity Hire
Sample Assignments: Marquee Searches Across Industries
Technology
Industrial
Chief Information Security Officer
Chief Information Security Officer
Chief Information Security Officer
Chief Information Security Officer
Global Partner, Cyber Security Assessment & Responses
GM, Security Business
Chief Information Security Officer
Head of Global Cyber Security Practice
Chief Information Security Officer
Global Leader of Cyber Security
Chief Information Security Officer
Chief Information Security Officer
Corporate Information Security Officer
Chief Information Security Officer
Chief Information Security Officer
Chief Executive Officer
Chief Information Security Officer
VP and Chief Security Officer
Chief Information Security Officer
Chief Information Security Officer
Chief Information Security Officer
Chief Information Security Officer
Chief Information Security Officer
Vice President, Risk Management & Fraud Prevention
Chief Information Security Officer
Head of Security
Assignments in Red = Diversity Hire
Sample Search Process
With a proven and proprietary approach to finding exceptional leaders, we adapt to your unique needs.
Phases: Open Search (0-3 weeks*), Narrow the Focus (2-8 weeks*), Complete Search (4-12 weeks*, + 6 month review)
Process diagram, steps 1 to 8; activities shown:
Kick-off
Conduct org. analysis
Draft position specification
Tailor search plan / timeline
Create list of target organizations
Enter the target market
Revise position specification
Identify target organizations
Build list of prospective candidates
Screen prospective candidates
Conduct RRA interviews/assess competencies
Interview internal candidates
Weekly status calls
RRA presents candidates
Candidate reports
First round interviews with client
Client/candidate interviews
Additional first round of client interviews, if needed
Finalists undergo RRA psychometrics & interviews
Create short list
Final candidate selection
Prioritized 360° reference call list and background checks
Compensation overview
Identify the successful candidate
Make offer and begin on-boarding
Signed offer letter
Announcement of successful candidate
Client and candidate feedback
Client feedback results
Follow-up actions
Thorough post-completion review
Successful candidate review
*All time periods are estimates only and actual times may vary.
Who We Are – At a Glance
46 Offices in the Americas, EMEA and Asia Pacific
350+ Experienced Consultants supported by global research, knowledge and marketing teams
45+ Years of firm experience
3,500+ Engagements Annually allow us to see critical patterns in the market
How Do We Help You?
We help you stay competitive
Working as one to find the best solution
As collaborators we work closely with each other and have done so for decades. We not only enjoy working with one another, we believe that the diversity of thinking it brings is crucial to finding the best solution for you.
Connecting you to the best people
As relationship-builders we build long-term, meaningful relationships with exceptional people around the globe. We are, therefore, able to identify and connect you with expected and unexpected candidates that are right for your culture.
Helping you see around corners
As insight-seekers we identify global trends and their impact on talent and leadership issues. We share the most relevant ones with you, along with an actionable plan, so you are prepared for what’s next.
We Have the Expertise
Board Advisory Services
CEO Succession Planning
Cultural Assessment
Digital Transformation
Diversity
Executive Search
Family Business
Leadership Assessment
Board of Directors
Chief Executive Officers
Corporate Affairs
Digital Leadership
Financial Officers
General Counsel and Legal Officers
Human Resources Officers
Marketing Officers
Risk, Information Security and Compliance Officers
Sales Officers
Supply Chain Officers
Sustainability Officers
Technology Officers
Business and Professional Services
Consumer
Education
Financial Services
Energy and Natural Resources
Healthcare
Industrial
Nonprofit
Private Equity
Technology
Search Leadership
Matt Comyns is the global co-head of the Cyber Security and Information Officers Practice within the firm's Technology sector. Matt
recruits Chief Information Security Officers and next level down top lieutenants in information security for large global corporations
and fast-growing private companies. He also recruits cyber security consultants for leading professional services firms and top
executives for cyber security technology companies. Matt also has a successful track record of recruiting digital leaders for technology
companies and non-tech companies seeking transformative digital talent. He is based in Stamford.
Expertise
Technology, Information Security, Business and Professional Services, Digital Leadership, Technology Officers, Executive Search, Digital
Transformation, Board.
Recent Client Experience
Matt has recruited more than 50 Chief Information Security Officers, top Partners at the Professional Services level, and C-level
executives in the Cyber Security Services. He is also actively working on several Chief Information Security Officer searches for Fortune
50 companies.
Previous Experience
Before joining Russell Reynolds Associates, Matt completed the sale of Pacific Epoch, a venture backed consulting and research firm
that specializes in market intelligence consulting and research projects for U.S.-based companies that are trying to invest in and expand
into China. There, he served as CEO and was responsible for the firm’s strategy and operations. He also directed many large research
and consulting projects. Earlier, he was a founding partner at BlackInc Ventures, a strategic advisory firm focused on providing clients
within the digital sector with market-leading solutions on an outsourced basis for business development, sales, and corporate
development. Before that, Matt was with the pioneering Internet content company CNET Networks Inc. (acquired by CBS) for nearly
seven years. There, he managed strategic partnerships and held various positions including Senior Vice President of Business
Development. At the start of his career, he was a Sales Manager for Dow Jones Interactive in Asia.
Additional Professional Activities
Matt was recently appointed Director of Columbia University’s Cyber Security Program where he will be a faculty member and mentor
to the new Cyber Security focus at Columbia University’s Executive Master of Science in Technology Management program. Matt also
was recently recognized by HuntScanlon as one of the industry’s leading cyber security recruiters. Matt served as a founding board
member of The Online Publishers’ Association, and he is a member of the board of directors for MusicianCorps, a national nonprofit
movement that supports music as a strategy for public good.
Education
Matt received his B.A. from Bucknell University. He is conversational in Mandarin.
Matt Comyns
Search Leadership
Tim Cook, global co-head of the Cyber Security and Information Officers Practice, also runs the HR Practice in London. He
focuses on high impact Chief Human Resource Officers as well as Chief Information and Information Security Officers. His U.K.
and international search experience includes a variety of appointments across sectors and geographies including the Middle
East, and he has conducted a large number of leadership assessments across sectors. He has 14 years of executive search
experience, and joined Russell Reynolds Associates in 2008.
Expertise
Insurance, Technology, Data and Analytics, Digital Leadership, Human Resources Officers, Technology Officers, Digital
Transformation.
Recent Client Experience
Tim's recent assignments include placing the Cyber Director at a critical infrastructure utility, Chief Information Security Officer
at a global oil company, Chief Information Officer at a global retailer, Chief Information Officer of a global professional services
firm, HR Director at a global retailer, HR Director at two FTSE 100 companies and a FTSE 250 company. Previous placements have
included Chief Information Officers in insurance and utilities companies and public sector service including NHS, HMRC and
MOD. He has placed Chief Technical Officers at major international media organizations and online businesses.
Previous Experience
Tim was previously the CEO of Cherwell Scientific Ltd, a company specializing in online genetic risk assessment and the
development and distribution of scientific software. Prior to that, he held both sales and strategy roles with International
Computers Limited (now Fujitsu Services). Earlier, Tim served with the U.K. Armed Forces for several years and the reserve
special forces.
Additional Professional Activities
In 2011 Tim successfully led the world's first rowing expedition along 1,000km of the Upper Zambezi, from the Angolan border
with Zambia to the Victoria Falls raising $40,000 to put fresh water into remote villages in Southern Africa. In 2014 Tim is leading
a joint UK/Zambian 500km expedition across Lake Kariba and the Lower Zambezi in Southern Africa, called the Moon Row. Tim is
a Governor at St John's Beaumont School and a Trustee of the Make A Wish Foundation.
Education
Tim has a B.A. in English literature from Newcastle University, a postgraduate diploma from The London School of Economics
and Political Science, an M.B.A. from London Business School and an M.Sc. in health informatics from University College London.
He is a graduate of the Royal Military Academy Sandhurst.
Tim Cook