March 29, 2016 – Alta Associates has risen over the past 30 years to become the most prominent boutique search firm specializing in the cybersecurity function. Founding CEO Joyce Brocaglia is a highly sought-after strategic advisor to her clients in the areas of information security, risk management and privacy. In the following interview, she discusses the evolution of the information security sector and the holistic approach she uses to find risk management leaders – and where the pitfalls lurk.
ESR: What events led you to settle on recruiting security and IT risk talent? I know you were retained by Citigroup in 1994 after the Russian incident where they hacked into the bank’s computers. Was that your starting point?
Brocaglia: Not exactly. My starting point was IT audit. Believe it or not, that was a hot growth area at the time. But yes, in 1994 the Russians hacked into Citigroup’s computers and the bank then hired their first ever chief information security officer, Steve Katz. Steve then contacted me to build his information security organization. We knew that IT auditors were already looking at data centers and applications controls, and those people combined with folks coming out of the government and military made ideal candidates for what became the first ever information security organization for Citi. So fast forward 20-plus years and here we are.
ESR: How active were companies 20 years ago in this functional discipline and at what point did you see an uptick begin?
Brocaglia: Twenty years ago when we were recruiting information security officers the world was really a different place in terms of technology and the amount of data that employees, customers, and partners had access to. At the time the role was very focused on securing main frame systems and the perimeter. So we looked for people that were highly technical. There was a substantial pickup about four years ago when companies were starting to replace their existing technology leaders. A ‘new’ executive chief information security officer (CISO) evolved; one that had a much more holistic approach to risk management and who really enabled businesses by providing value and articulating solutions in a language that made sense to business leaders. Companies were asking us to find executives for them that really could become the face of their information security organization; who could increase the credibility of their department; who could influence their culture; and then constructively partner, sell and deliver their security initiatives globally to diverse businesses with various risk policies. So I would say, initially, that was the push of having a kind of an ‘ah ha’ moment where companies realized, the position itself needed to be re-elevated. I also think another driving force was the increased volume and complexity of cyber threats. So many companies were starting to see these types of attacks on their organizations. The result was that senior-level positions were being created because the board and the audit committee were starting to ask harder questions and regulatory requirements were demanding more compliance. These newly-created positions, therefore, began to really take more of a front office spot as opposed to just a back office technology function.
ESR: Obviously industries like financial services that need to protect the personal records of millions of individuals is clearly a prominent sector in need. What other industries are active?
Brocaglia: Financial services is probably the most evolved for obvious reasons: They have been moving large amounts of data and money for years and are huge targets to nation states and individual hacker attacks. There have been many high profile breaches where millions of credit card customers’ information has been compromised. These breaches were a wake-up call to many major retailers who thought that being compliant to regulatory requirements was enough to be secure. But now they are dealing with enhanced PCI requirements and they have received advice from consultants and auditors who were quick to point out there were vulnerabilities and risks in their policy-oriented security programs. They advised them to build more robust and formalized security organizations that quite often required them to bring on a first time CISO or elevate their current role by hiring someone who has much more strategic and leadership skills. Healthcare is another industry that has had a huge uptick in terms of their focus on information security, governance, IT risk, compliance and privacy. With the threat of cyberattacks on the U.S., the importance of protecting our energy grid and other utilities is more important now than ever. So the energy sector is really increasing its focus on information security as well.
ESR: Who’s most in demand at the moment?
Brocaglia: At the senior levels it is the chief information security officer. A lot of companies have developed what we call business information security officers. In essence it’s akin to being the right-hand person to the CISO and aligned to each of the business lines for that company. We see a lot of companies utilizing that person as a liaison relationship manager as a means by which to get security embedded into organizations through various business lines in kind of a partnership approach. For example, we are currently working for a financial services company, conducting a search for their chief information risk officer and, at the same time, we are currently placing candidates as business information risk officers in each of their divisions. We also are seeing a lot of companies that are looking for very strong architects – not architects from the general IT area – but carrying a specialty network security or applications security. So these are people who have both deep technical expertise and are actually able to design the framework and define the technical requirements to effectively drive a solution across the enterprise. These are some of the top positions that we are most frequently asked to find.
ESR: Have there been many newly-created positions as a result of this activity, and if so, what are they?
Brocaglia: Recently, for a large Fortune 100 healthcare organization, we conducted a search for a chief data officer. They work cross-functionally throughout an organization to re-evaluate the data as an asset, versus a side effect of the business like finding a timeline to store data, how to classify the data, how to share it, how to store it and how to leverage it. And, as you can imagine, they will work closely with the CISO, with the chief privacy officer as well as with the digital marketing team, enabling them to securely leverage the information. With a new value placed on data analytics, companies are hiring data scientists as part of the overall information security strategy around big data. Due to very stringent regulatory requirements, some of our clients are now separating the role of the chief information security officer and the head of IT risk. Many companies are now hiring an enterprise technology risk officer who manages the strategies, programs, governance and the oversight of everything to do with IT risk. So, again, they would partner with the information security officer. But I think it is important to note that it is not as much the newly created position that is important but, rather, the elevation of the roles in IT security and risk. These are positions that were once VP or director are now being graded as a senior vice president and those that were senior vice president are now being extended the opportunity to move into a C-level position. The majority of the head of the security and risk roles that we are placing all have the responsibility to present to the board of directors and to their risk and audit committees and they actually lead task forces or committees themselves.
“A driving force is the increased volume and complexity of cyber threats.” – Joyce Brocaglia, CEO, Alta Associates
ESR: Where are we all heading?
Brocaglia: Our theme for the Executive Women’s Forum National Conference is ‘Big Data, Big Risks, Big Opportunities.’ I think that really highlights the future of security as well. There is currently what I would describe as negative unemployment in our field, which reflects the current demand for cybersecurity professionals. The estimates are about 1.4 million information security jobs will be in existence by 2020, and there are statistics that show the demand for information security is growing 12 times faster than the overall market demand. This year alone there was a 46 percent increase in the number of breaches and 43 percent of companies were hit by an attack. And 60 percent of those companies were hit twice or more. There is a saying that there are two types of companies: Those that have been attacked and those that don’t yet know they’ve been attacked. I don’t see that as changing but only increasing. As I mentioned earlier, with the Internet and the connectivity of the world today, the complexity of the role of the information security officers and their teams is only going to continue to expand and grow.
Contributed by Stephen Sawicki, Managing Editor, Hunt Scanlon Media