Do You Have a Chief Risk Officer Onboard? If Not, You Will Soon…
December 15, 2015 – Despite worrisome breaches in recent years, corporate America has a limited grasp of the growing and continually evolving threat of cyber incursions. Massive security lapses have left companies vulnerable and seemingly defenseless. And the ever-expanding convergence of web, cloud, social, and mobile technology makes the dangers greater than ever.
Most companies, according to Jeremy King, president of Benchmark Executive Search, lack even minimally adequate protections. This is less a technological issue and more of an understanding and behavior problem, he says. In short, cybersecurity has fast become a top priority management challenge – and finding best-in-class leaders to oversee the threat is about to catch up with the need.
Benchmark, based in Reston, VA, with offices in Dallas, TX, is a boutique retained executive search firm that finds senior talent (board directors, CXOs and SVP/GMs) for companies that are typically VC or PE backed and provide innovative capabilities and services to the federal and commercial markets.
Founded by Jeremy eight years ago, Benchmark focuses on helping startups, emerging growth and mid-cap companies recruit leaders with government or private public sector experience to work in the defense, intelligence and national security markets in areas like information technology, military communications, homeland security, cyberwarfare, cloud, analytics and more.
In his crosshairs now are Fortune 1000 companies that can tap Benchmark’s nearly two decades of cybersecurity knowledge and its vast network of the nation’s top experts to home in on their own corporate risk and security leadership needs.
The need for such roles is burgeoning and, as Jeremy and other experts see it, it is going to continue trending upward, especially in light of world events, from terrorism to cyber-attacks on corporate infrastructure. Retired Army Gen. Keith Alexander, the CEO of IronNet Cybersecurity and former Director of the NSA and Commander, U.S. Cyber Command, recently told Jeremy that, in his view, “the value of theft of intellectual property from American industry represents the single greatest transfer of wealth in history and the probability of significantly disruptive and destructive attacks is rapidly increasing.”
——————————————————–
What can you tell us about the skill sets that public companies are looking for and need to leverage in senior risk management leadership that they’re seeking?
Traditionally, the chief security officer (CSO) position was relatively straightforward – they managed and mitigated physical security risks. Then, ‘cyber’ was added to the CSO portfolio. Today, many of the top CSOs have law enforcement and/or intelligence community backgrounds and long careers in the U.S. Government. The chief information security officer (CISO) role came to prominence and distinguished itself from the more traditional CSO role. It’s now the CISO’s responsibility to manage and mitigate IT risks. But the landscape of risks is so widespread and evolving that forward-thinking companies are seeking a new leader – a chief risk officer (CRO) – who will oversee all areas of risk exposure: IT risk, physical security, personnel security and protection of assets – including intellectual and reputational capital.
There seems to be a pervasive shortage of experienced senior leadership talent who can address the range and complexity of risk management. Why?
It is no small task for any organization to achieve consensus about what must be done, what organizational assets must be integrated into this broader risk-management mission and even a standard organizational structure to determine how the CRO, CIO, CSO and CISO fit together. Not to mention the cost of the mission, measured in both dollars and management focus. Even for Fortune 1000 corporations convinced that they need enhanced security, it is not easy to find the right leaders to design and manage an effective program. And at the other end of the spectrum, most small organizations are not addressing the complexity of the challenge – nor can they justify the costs. Corporate security is, I think, today’s biggest talent management challenge and it needs to be given the highest priority and focus. And we believe that core skills and expertise gained from public sector leaders can be leveraged to inform private sector actions and strategies. In the end, only people can create strategy, policy, processes and implement the right technologies. The risk to preserving enterprise value is too high not to have an A-team to navigate the new landscape of threats.
For public companies, is chief risk officer going to become the hot new search sector in the next three to five years?
In our view, yes. The chief risk officer will be the most in-demand position over the next five years – a single leader who can create a culture of security, map organizational structures and set budgets. A single, unified leader must become the norm. In our view, the CSO and CISO would both report to the CRO (the CIO would be ‘dotted lined’ to both the CEO/COO and CRO). We are already seeing a shift from the CRO and CISO just monitoring risk to being empowered to veto key strategic decisions. A year after the Bank of America breach, the company announced it would realign its compliance function with risk management and that compliance would report into their new CRO. The CRO’s clout is growing.
Will we see public companies establish board risk/cyber committees?
We are already seeing it. Under the Dodd-Frank Wall Street Reform & Consumer Protection Act, the Fed released guidelines for establishing board risk committees that apply to large financial services companies. But with or without a federal mandate, in our view it is likely other industries will follow suit. The problem, however, remains focus. A recent NACD survey found that nearly 50 percent of boards still view cyber as an IT matter rather than an enterprise-wide risk issue. Today, virtually everyone is playing a high-stakes catch-up game. Clearly, no organization can eliminate risk entirely, but the complexity of mitigating known vulnerabilities grows daily – the financial, reputational, IP and operational consequences of ignoring these risks are high. It seems like the best way to focus attention on this threat will be for CEOs to step out front. We believe that boards are taking these threats seriously and will begin to assign an individual on the board to oversee all risks. Physical security, IT security, personnel security and certain aspects of compliance and legal are all components of risk. But, yes, as with most new corporate initiatives, they do not bubble up, but work top down. As Randy Sabett, vice chair of the privacy and data protection practice at Cooley, LLP, shared with me recently: ‘To successfully address risk, most successful organizations have established an appropriate tone from the top, particularly focusing on cyber risk and this usually necessitates action by the board.’ Without board oversight, governance, and allocating resources to implement new policies, it’s unlikely major changes will be adopted or implemented. In time, best-in-class companies will adjust their culture to the current threats and view security as a value proposition – not merely as a deduction from the bottom line.
Companies need a holistic enterprise risk management framework tailored to their business and applied rigorously by management while routinely overseen by the board of directors.
How many companies do you think have a formal risk management process in place today?
Not nearly enough. But the more important question might be: How many companies have created a culture of security, implemented policies and allocated real resources for implementation? Risk management is very complex. It takes strong people, processes, technology and almost ruthless commitment by an organization’s top leaders.
How can the risk management function be reinvented and strengthened?
Previously siloed risk-management functions must be reinvented, strengthened and funded more aggressively. Success will require unprecedented cooperation from board directors and those in the C-suite. According to Albert Schultz, a CIA veteran who serves on the security committee of a private board, one of the biggest challenges will be to incorporate the human element into risk management. And according to a 2014 IBM security services cyber study, 95 percent of all security incidents involve human error. Clearly, human beings are the weakest link in any organization’s security posture. Many incidents are due to external attackers who prey on human weakness to obtain sensitive information. With an estimated $94B to be spent on cyber security in the next decade, it is surprising most corporate investment in security today is directed to hardening networks rather than people. Most organizations have not taken the time to map the vulnerability points of their employees or done a comprehensive risk management assessment. Boards of the future can reinvent risk management by encouraging (or even mandating) corporate management to invest resources into hardening their human assets. Policies and training are important but they can lead to a checklist mentality on security. Instead, corporations should aim for employee engagement and cultural change. In our view, only this will lead to more effective security and, perhaps even, competitive advantage in the marketplace.
Jeremy, give us your predictions for 2016 and beyond?
Based on insight we have gained from our clients, our advisors and our network of risk and security talent, here are four predictions for 2016:
- Public companies will empower a single leader/group to develop, adopt, and implement an integrated risk and security strategy.
- Public companies will elevate the role of CRO and see these leaders as peers to the COO. With the COO having P&L (profit/loss) responsibility, the next generation CRO will have a new kind of P&L: prevention of loss.
- Board directors will increasingly follow the Sarbanes-Oxley compliance mandates which resulted in most public companies establishing a chair of the audit committee. Soon we will see more public (and some private) companies implement a Chair of the Risk or Cyber Committee (or both) on their boards.
- Public companies will begin conducting more extensive risk assessments to identify vulnerability points, including facilities, communications, networks, and employees. This new level of threat intelligence is partly due to increasing global corporate espionage and intellectual property theft.
Contributed by Scott A. Scanlon, Editor-in-Chief, Hunt Scanlon Media and Stephen Sawicki, Managing Editor, Hunt Scanlon Media