November 9, 2022 – Cyber attacks show no signs of abating. A report last year from Accenture, in fact, said the threat is only growing, with an average of 270 attacks per company, up 31 percent from 2020. A new report from McKinsey & Company, meanwhile, projects that damage from cyberattacks will amount to about $10.5 trillion annually by 2025, a 300 percent increase from 2015 levels. Globally, organizations spent close to $150 billion for cyber protection last year, a number that’s growing by 12.4 percent each year. The global cybersecurity total addressable market could eventually grow to as much as $2 trillion, said the management consulting firm.
Attacks from state supported operators, cybercriminals, business competitors, and even lone individuals have the potential to wreak havoc on businesses. Beyond the financial woes, there is the possibility of damage to reputation and trust, shutdowns, harm to the potential sale of a business, lawsuits, even legal penalties that can leave a company reeling. And when the U.S. government is the one under siege the concern only escalates.
Executive search firm Odgers Berndtson has been enlisted to find a chief information security officer (CISO) for the Office of the Chief Administrative Officer (CAO) of the U.S. House of Representatives. Partners Diane Gilley, a member of both the firm’s technology practice and CIO and technology officers practice, and Jon Barney, head of the U.S. aerospace, defense, and national security practice, are spearheading the assignment.
The CISO will be responsible for leading and operating the House cybersecurity program, maintaining and updating a comprehensive cybersecurity strategy that ensures the confidentiality, integrity, and availability of the House’s information systems and resources, said Odgers Berndtson. The CISO will lead a team of approximately 100 (30 full-time and 70 contractors) and a budget of about $29 million.
The Ideal Candidate
“The CISO role requires a visionary, positive leadership focused individual with sound knowledge of cybersecurity fundamentals for risk management, incident management/response, and offensive engineering,” said the search firm. “The ideal candidate is a thought leader, a consensus builder and bridge builder between the cybersecurity office, its policies and strategy with the members, committees, and leadership offices at the House, as well as with the other legislative branch agencies and oversight committees.”
The CISO must be able to translate complex technical concepts to non-technical audiences and to succinctly categorize and rank risk at higher and higher levels of leadership at the House. In addition, the individual must be customer oriented, hands-on, and action oriented, communicating the value of security to the organization to protect its reputational and data integrity.
The U.S. House of Representatives CISO will be measured on the following criteria: maintains responsibility for the overall/comprehensive executive level management in the areas of information security; acts as a senior advisor to the CAO, the CIO, and various House and legislative branch constituents on issues related to information security; maintains responsibility for the development, socialization, approval, and implementation of security policies; and appropriately assigns and monitors the progress of special limited-term projects and initiatives from assignment through completion.
Other criteria include: briefing House leadership and officials on information security matters and issues; providing appropriate assistance with computer forensics investigations to other House entities; implementing, managing, and operating systems to control access to House systems and data; and coordinating members, committees, and House Support Office security audits to ensure continued security of the network.
Consistent Application of Policies
The right candidate must understand and interact with related disciplines, either directly or through committees, to ensure the consistent application of policies and standards across all technology projects, systems, and services, including privacy, risk management, compliance and business continuity management, said the search firm. He or she will work with the vendor management office to ensure that information security requirements are included in contracts by liaising with vendor management and procurement organizations.
The individual will also assist with the identification of non-IT managed IT services in use (“citizen IT”) and facilitate a corporate IT onboarding program to bring these services into the scope of the IT function and apply standard controls and rigor to them; where this is not possible, the CISO will ensure that risk is reduced to appropriate levels and that ownership of this information security risk is clear.
The CISO will be expected to develop and maintain a document framework of continuously up-to-date information security policies, standards and guidelines. He or she will also oversee the approval and publication of these information security policies and practices. The individual will also liaise with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture and is kept well-abreast of the relevant threats identified by these agencies.
An essential part of the role will be to create a risk-based process for the assessment and mitigation of any information security risk in the ecosystem consisting of supply chain partners, vendors, consumers and any other third parties. The CISO will also coordinate the development and implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; the individual will also provide direction, support, and in-house consulting in these areas. On a continuous basis, the CISO will evaluate the overall information technology security direction of the House, ensuring that all activities are secure, effective, and efficient. Developing budget plans for the information security office’s personnel and non-personnel resources is also an integral part of the job.
Candidates must have demonstrated experience and success in senior leadership roles in risk management, information security, and IT or OT security, said Odgers Berndtson. A bachelor’s degree in information systems or in a discipline related to the position, or an equivalent level of professional work experience, is required; an advanced degree is preferred. Prospects should also have 12-plus years of experience in professional, executive level information security roles; experience administering information technology security policies, procedures, configuration management, and quality assurance is preferred.
Successful senior-level experience in corporate, legislative, and/or government environments is required. Candidates should have experience successfully executing programs that meet the objectives of excellence in a dynamic environment. Experience in progressive managerial/supervisory positions including effective use of employee performance plans and evaluations, coaching, and mentoring techniques, and addressing employee conflicts and disciplinary actions is also required.
Established in 1995, the Office of the Chief Administrative Officer serves as an essential resource for the U.S. House of Representatives. CAO functions as a non-partisan, non-legislative office that provides support services and business solutions to a community of 10,000 House members, officers, and staff. CAO’s team is made up of more than 700 employees.
Odgers Berndtson delivers executive search, leadership assessment, and development strategies to organizations globally. The firm’s 250-plus partners cover more than 50 sectors and operate out of 59 offices in 29 countries. The U.S. wing of the firm launched in 2011 and has been one of the fastest growing search firms in the Americas. It now ranks No. 12 on the Hunt Scanlon Top 50 Recruiters ranking. Odgers Berndtson has U.S. offices in Atlanta, Boston, Chicago, Dallas, Houston, Los Angeles, Minneapolis, New York, San Francisco, and Washington, D.C.
Ms. Gilley, who works out of Chicago and San Francisco, has partnered with public, as well as private equity and venture capital backed clients, in software/SaaS, internet/E-commerce, fintech, IoT, and IT consulting. Along with her technology industry expertise, Ms. Gilley also brings a strong track record of successful executive search completions for chief information officer, chief technology officer, chief information security officer, chief data and analytics officer, heads of engineering and software development, as well as other technical related positions, across a wide variety of industry areas.
Mr. Barney has more than 20 years of executive search, leadership development, and management consulting experience. He is based in Odgers Berndtson’s Washington D.C. office. Before joining the firm, he was a senior partner at another global executive search firm where he advised aerospace and defense clients. Previously, he was a managing director at Avascent, a strategy consulting firm that focuses on government markets, where he oversaw strategy, consulting, and M&A engagements for aerospace defense, government services, and technology clients.
Contributed by Scott A. Scanlon, Editor-in-Chief; Dale M. Zupsansky, Managing Editor; and Stephen Sawicki, Managing Editor – Hunt Scanlon Media