December 14, 2015 – Despite worrisome breaches in recent years, corporate America has a limited grasp of the growing and continually evolving threat of cyber incursions. Massive security lapses have left companies vulnerable and seemingly defenseless. And the ever-expanding convergence of web, cloud, social, and mobile technology makes the dangers greater than ever.
Most companies, according to Jeremy King, president of Benchmark Executive Search, lack even minimally adequate protections. This is less a technological issue and more a problem of understanding and behavior, he says. In short, cybersecurity has fast become a top-priority management challenge, and the search for best-in-class leaders to oversee the threat is only beginning to catch up with the need.
A ‘Culture of Security’ Is Needed
Benchmark, based in Reston, VA, with offices in Dallas, TX, is a boutique retained executive search firm that finds senior talent (board directors, CXOs and SVP/GMs) for companies that are typically VC- or PE-backed and provide innovative capabilities and services to the federal and commercial markets.
Founded by Jeremy eight years ago, Benchmark focuses on helping startups, emerging-growth and mid-cap companies recruit leaders with government or private-sector experience to work in the defense, intelligence and national security markets in areas like information technology, military communications, homeland security, cyberwarfare, cloud, analytics and more.
In his crosshairs now are Fortune 1000 companies, which can tap Benchmark’s nearly two decades of cybersecurity knowledge and its vast network of the nation’s top experts to home in on their own corporate risk and security leadership needs. The need for such roles is burgeoning and, as Jeremy and other experts see it, will continue trending upward, especially in light of world events, from terrorism to cyber-attacks on corporate infrastructure.
Jeremy advocates a stronger “culture of security,” strong executive leadership, and greater resources to manage network vulnerabilities with urgency and continual innovation. He says that retired Army Gen. Keith Alexander, CEO of IronNet Cybersecurity (former director of the National Security Agency and former commander of U.S. Cyber Command), recently told him, in the general’s words: “The value of theft of intellectual property from American industry represents the single greatest transfer of wealth in history and the probability of significantly disruptive and destructive attacks is rapidly increasing.”
A recent study by the Enterprise Risk Management Initiative revealed that 59 percent of 1,093 business leaders surveyed believed that the volume and complexity of risks their companies face have changed “extensively” or “mostly” in recent years, but that only 25 percent believe their organization has a “complete formal enterprise-risk management process in place.” That finding hadn’t changed from the year before.
That underlines how far companies still must go to get up to speed on what is perhaps the single greatest threat to their businesses. Top companies, in particular, must be vastly more vigilant about comprehensive risk management. “Fortune 1000 corporations face a clear imperative: decisively improve internal risk management assets, leadership and performance – or risk suffering at your company’s or shareholders’ peril,” Jeremy says.
CRO to Oversee All Risk Exposure
The savviest companies are looking beyond traditional roles like chief security officer, which predominantly handles physical security, and chief information security officer, which focuses on information technology protection. These days, they are seeking leaders for a newer role, chief risk officer, or CRO, to oversee the full range of risk exposure, Jeremy says. Bank of America went this direction in the wake of its big breach and more companies are following suit, he says. Jeremy expects the role to be among the hottest in the next few years.
Board risk committees are already a way of life in the financial services industry, but Jeremy thinks other industries will soon go the same route. The biggest challenge is that corporate leadership must come to terms with the enormity of the threat. “It seems like the best way to focus attention on this threat will be for CEOs to step out front,” he says. “We believe that boards are taking these threats seriously and will begin to assign an individual on the board to oversee all risks. Physical security, IT security, personnel security and certain aspects of compliance and legal are all components of risk. But with most new corporate initiatives, they do not bubble up but work top down…. Companies need a holistic enterprise risk management framework tailored to their business and applied rigorously by management while routinely overseen by the board of directors.”
Risk Management Must Include the C-Suite
Too few companies, he says, have a formal risk management process in place. “But the more important question might be: How many companies have created a culture of security, implemented policies, and allocated real resources for implementation?” he asks. “Risk management is very complex. It takes strong people, processes, technology, and almost ruthless commitment by an organization’s top leaders.”
In many respects, risk management functions must be changed, and the key will be vigorous attention and cooperation between boards of directors and the C-suite. Of particular concern in keeping companies safe is the human element. “Clearly, human beings are the weakest link in any organization’s security posture,” Jeremy says. “Many incidents are due to external attackers who prey on human weakness to obtain sensitive information. With an estimated $94 billion to be spent on cybersecurity in the next decade, it is surprising most corporate investment in security today is directed to hardening networks rather than people. Most organizations have not taken the time to map the vulnerability points of their employees or done a comprehensive risk management assessment.”
A big part of the reinvention of risk management must be for boards to give more emphasis to devoting resources to strengthening that human factor. “Policies and training are important but they can lead to a checklist mentality on security,” Jeremy says. “Instead, corporations should aim for employee engagement and cultural change. In our view, only this will lead to more effective security and perhaps even competitive advantage in the marketplace.”
Based on what he and his colleagues have learned from clients, advisors, and their network of risk and security talent, Jeremy makes four main predictions for the upcoming year:
- Public companies will increasingly empower a single leader or group to take charge of their integrated risk and security strategies.
- CROs will see a greater role at public companies and be regarded as peers to the COO. “With the COO having P&L (profit and loss) responsibility, the next generation CRO will have a new kind of P&L – prevention of loss,” says Jeremy.
- He also believes that boards of directors will increasingly follow the federal Sarbanes-Oxley Act compliance mandates, which among other things led to most public companies establishing a chair of the audit committee. “Soon we will see more public, and some private, companies implement a chair of the risk or cyber committee, or both, on their boards,” Jeremy says.
- Public companies will undertake more extensive risk assessments to pinpoint where they are most vulnerable to attack. This would include facilities, communications, networks, and employees. “This new level of threat intelligence is partly due to increasing global corporate espionage and intellectual property theft,” he says.
Contributed by Stephen Sawicki, Managing Editor, Hunt Scanlon Media and Scott A. Scanlon, Editor-in-Chief, Hunt Scanlon Media