Cybersecurity Leadership Role Evolves to Meet New Threats
August 2, 2017 – Increasingly, organizations of all sizes are awakening to the perils posed by cyber attacks. For years, many groups tried to ignore the problem, dismissing cybersecurity as a concern only for the biggest, most high-profile entities, be they government or corporate.
These days, more groups are coming to understand how ruinous such intrusions could be. A recent report by Juniper Research, in fact, predicts that over the next five years, companies will suffer $8 trillion in damages because of data breaches. And that’s to say nothing of the intangibles, like harm to reputation, loss of customer trust, and more.
So it is that recruitment firms and their clients are paying close attention to a new report just released by Spencer Stuart, ‘The Evolution of Leadership in Information Risk and Cybersecurity,’ that homes in on what the most progressive companies are doing to keep cybercriminals at bay as well as how security leadership is changing to meet the threats. Indeed, one of the biggest changes, as cyber attacks continue to evolve and cybersecurity matures, is the role of the chief information security officer (CISO).
“A new kind of cybersecurity leader is emerging as the discipline matures: one who is deeply technical, yet highly strategic and knowledgeable about the business, and a skilled communicator,” wrote the report’s authors, Peter H. Hodkinson and Tarun R. Inuganti.
A Broader View
In the past, the CISO’s job was more technical, said the report. It involved responsibilities like handling firewalls, for example, or seeing that IT portfolios were protected. Now, the position demands a big-picture vision of risk management. In other words, what broad-scale risks does technology pose for the company and the business as a whole?
“To do this well, CISOs have to be able to communicate effectively with other senior leaders and the board, earning credibility through the clarity and consistency of their communication, as well as the ability to think on their feet and speak about risk and security issues in business terms,” said the report.
Further, the authors quote Richard Puckett, vice president for security operations, strategy and architecture at Thomson-Reuters, who described the more sophisticated CISOs as “social butterflies,” who are “very collaborative.”
“They’re interested in their peers’ challenges,” Mr. Puckett told Messrs. Hodkinson and Inuganti. “They’re able to provide a very balanced view when they’re speaking about a problem. Even during a breach, they don’t throw people under a wheel, but they say, ‘Well let’s see, there are systemic problems and here’s some opportunity to fix them,’ focusing much more on what to do about them than how you got there.”
Special Traits
Mr. Hodkinson, who co-leads Spencer Stuart’s cybersecurity practice, is a member of the search firm’s financial services and technology officer practices. Mr. Inuganti, who heads the firm’s technology officer practice for Europe, the Middle East and Africa, is a consultant in Spencer Stuart’s digital, technology, media and telecommunications and technology officer practices.
Their report in many respects mirrors what other researchers have been finding. In one recent study, Stephen Spagnuolo, a managing director at ZRG Partners, identified a number of traits that according to their research are found in successful CISOs. Among them: “They are smart, thoughtful and intellectually curious; they are excellent communicators; they tend to be analytical; they are energetic and able to multi-task and take action; they tend to be even-tempered and steady; they are comfortable operating both independently and collaboratively; they can be decisive and make decisions without delay.”
The Spencer Stuart report said that organizations are looking into different ways that the CISO can best fit into their overall hierarchy. Some prefer to have the position as part of technology, reporting to the chief information officer. Lou Steinberg, chief technology officer for TD Ameritrade, told the authors that the two areas are in large part intertwined. “The information security space is so deeply technical right now and things are unfolding so rapidly that having any kind of separation between the people doing the execution — designing and developing controls — and those responsible for policy — who identify the need for those controls — is a serious problem,” he said. “You lose the communication channel, the tight feedback, when you organizationally separate them.”
Accountability First
Others prefer a more independent CISO, which in the case of GE, reported directly to Jeff Immelt, chairman of the board and CEO. That creates a natural tension between the cybersecurity function and IT, some believe, that can ultimately benefit the company.
“For others, the question is less about who the CISO should report to than who the CISO is accountable to,” said the report authors. “Indeed, increasingly, CISOs are also accountable to the board of directors or the board’s audit or risk committee, as well as to their ‘hard line’ executive manager.”
Phoebe Henderson, a managing director at ZRG, who had no involvement in the Spencer Stuart report, said the question of where a CISO should fit into an organization’s structure continues to stir questions and debate. “Should the CSO/ CISO report to the CIO or is that too close of a relationship and one that might prohibit the CSO from fully executing his or her responsibilities?” she said. “Should the CSO report to the CFO? If so, how will the CFO support this individual and understand the requested actions, strategies and safe-guards being recommended? Should the CSO report to the CEO? Is that the right move?”
It is an open and evolving state of affairs, she noted. “Ultimately, the reporting structure must be determined by the size and type of firm housing the talent. What is not disputed is the fact that the CSO must have direct access to the CEO and board and the board should want to have regular reports from the CSO. The role of CSO/ CISO must not be enveloped deeply in the reporting structure of the firm, but at a sufficiently senior level so as not to be obfuscated.”
The Next Generation
As the CISO role evolves and wields greater influence across the organization, the attributes necessary for those moving into the position will change as well. “As CISOs break out of their functional boxes and have impact across a variety of executive functions — engineering, digital, data, risk and even sales, while regularly engaging at board level, there is a ‘blurring of the lines’ in terms of the route up for tomorrow’s leaders,” said the report. “The next generation of CISOs are likely to be more versatile, senior, business- and externally facing than has been the case to date, yet, in many cases still highly technical.”
ZRG’s Phoebe Henderson said that just as the threat of cyber attacks is wide-ranging and continually in flux, the CISO role will likewise evolve. If anything, she said, the job will become even more essential. “Industry will need individuals that are deeply technical, creative, highly communicative and collaborative,” she said. “They must be able to look across companies, industries, sectors, and across borders to understand threats, emerging technologies and current best-practices.”
Over time, businesses will grow more efficient and better able to respond to attacks quickly. The pressures from numerous sources will be too great to do otherwise. “Large firms will have a form of SWAT team, led by the CSO, to employ continuous monitoring, analytics, development of KPIs, incident response protocols, media communication protocols and more,” said Ms. Henderson. “Smaller firms will have to outsource their CSO/ CISO requirements, or possibly even establish an in-house ‘CSO quarterback’ to manage the outsourced needs. All of this effort will be required in order for firms to adequately meet their fiduciary and corporate governance requirements, not to mention their corporate insurance ones.”
Contributed by Scott A. Scanlon, Editor-in-Chief; Dale M. Zupsansky, Managing Editor; Stephen Sawicki, Managing Editor; and Will Schatz, Managing Editor – Hunt Scanlon Media