July 31, 2017 – The threat of cyber attacks, and the damage they can cause, continues to grow. As technology develops and companies evolve, cyber hoodlums find more ways into the systems of organizations, raising the potential to wreak havoc. What took years to build can be destroyed in just a short time. The costs on so many fronts are astronomical. Meeting the challenge is critical for any organization’s protection and even its survival.
“It’s not just that the bad guys are getting more ‘professional’ and sophisticated, the very nature of organizations today has opened new fronts of vulnerability,” said the new report, “The Evolution of Leadership in Information Risk and Cybersecurity,” from Spencer Stuart. “Intrusions occur not just via traditional IT systems and email scams, but also through the ever-growing number of devices and systems connected to a company’s network, including shop floor systems, public websites, customer portals and the explosion of data housed in the cloud. The consequences of a security breach can be dire, including regulatory investigations, loss of intellectual property, financial losses from theft or fraudulent transactions and damage to the company’s reputation.”
The good news, said authors Peter H. Hodkinson and Tarun R. Inuganti, is that cybersecurity is maturing and the role of the chief information security officer (CISO) is evolving to counter attacks.
Mr. Hodkinson, who co-leads Spencer Stuart’s cybersecurity practice, is a member of the firm’s financial services and technology officer practices. Mr. Inuganti, who heads the firm’s technology officer practice for Europe, the Middle East and Africa, is a consultant in Spencer Stuart’s digital, technology, media and telecommunications and technology officer practices.
They cite five main behaviors that the most forward-thinking and successful organizations are following as they mature in defending their turf against intruders:
1) Leverage analytics and automation to help predict, detect and mitigate risk. “More mature security organizations are investing in analytics capabilities, artificial intelligence and other automated, intelligent systems to help guide security planning and response,” said the report authors.
They quote Lou Steinberg, chief technology officer for TD Ameritrade, who spoke of embracing a strategic approach that answers both short-term and long-term cyber threats: “The single biggest thing we did was create a dedicated threat and vulnerability analytics team whose job it is to understand, both in the moment and over time, how threats and vulnerabilities are unfolding, which help define both how roles are evolving and what we need to be doing strategically for the next couple of years.”
Matt Comyns, managing partner of the cybersecurity practice at Caldwell Partners, who was not involved in the study, agreed that it is vital for organizations to look beyond mere humans for protection. “In today’s sea of data and cyber alerts, human beings simply don’t scale without leveraging analytics and automation,” he said. “Like in other aspects of business, it is vital to invest in intelligent systems to handle the complexity of our digital environments.”
Also a critical differentiator for organizations: being able to attract, develop and retain top talent, he said. “By reducing complexity and automating as many individual tasks and analyses as possible, talent is freed up to perform their most meaningful work. This leads to better organizational performance and improved morale/retention.”
2) Create an organizational culture where information security is everybody’s business. For the best businesses, information security is no longer a second-tier consideration. “That’s changed dramatically as companies come to realize that secure software can be a competitive advantage, and that the ‘ROI’ of investing in reputational risk mitigation can be compelling,” said the report. “This recognition has changed the relationship between security and other functions, increasing collaboration on important initiatives. So, no longer is the security review the last stop before a product launch; security is embedded in the development team.”
The chief information security officer plays a big part in creating an environment in which everyone understands that cyber protection is a team effort, said Mr. Comyns, and each individual, in his or her own way, holds the keys to keeping intruders out or inadvertently letting them in.
“A good CISO tends to listen first, then talk,” he said. “By taking the time to understand the company’s existing culture and in-flight initiatives, such as quality and safety, they can find opportunities to build security culture in, versus bolt it on. Security awareness programs are often successful by first making security personal: teaching employees the skills to protect their own identity, their own money, their home network, and kids. Then ask them to take those same skills to the workplace and protect their livelihood, their coworkers, and their brand.”
3) Assemble diverse, focused security teams with a problem-solving orientation. Hackers continually change their methods. Vulnerabilities change. Modes of attack change. Protection teams, the report said, are at a disadvantage if they consist only of people whose backgrounds are heavy in IT security, because they tend to be too attached to the old approaches and defenses. “Facebook, for example, looks for a range of subject matter experts from ‘the business’ who may have an interest in security, and then trains them in the discipline,” said the report. “This increases the intellectual diversity of security teams, as well as their gender and racial diversity.”
This demands a certain awareness among an organization’s leaders to not only look beyond the typical IT experts but to listen and encourage new ideas and approaches. That’s a shift in mindset that’s not always easy for those in command. “Diversity of thought and experience is critical to defend against siloed thinking – especially in light of the creativity of modern threat actors,” said Mr. Comyns. “However, it must be coupled with the right leadership style to ensure that this diversity is properly leveraged and new ideas have an opportunity to be heard and nourished. Leadership is more about being right at the end of the meeting than at the beginning. ‘The smartest person in the room is the person that invited the smartest person in the room.’”
4) Develop security and risk metrics that are meaningful for the business. With such metrics in hand, companies can make informed decisions about where to spend their money and deploy resources in the fight against cyber attacks. “By mapping security investment to measured risk reduction, organizations can assess the return on investment of security spending as it relates to specific vulnerabilities,” said the report.
5) Adopt a default position of transparency and openness, and define a clear response. In years past, companies often tried to keep the public from learning about security breaches. With social media now so widespread, that is much harder to do. “Mature companies have a response plan in place that defines the actions they will take and who is responsible for making decisions,” said the report authors.
They quoted Troels Oerting, chief security officer for Barclays, who said that secrets were hard to keep in today’s environment. “A very small incident could spark into a big issue if we handle it wrongly,” said Mr. Oerting. “People will tweet about it. Journalists and regulators will ask about it. The CSO or CISO has a broader role than just to eliminate the threat. It’s also to deal with the crisis and the residual consequences.”
What’s more, the report said, businesses are increasingly letting each other, even their rivals, know about attacks. The hope is that they can learn from each other and even join forces to keep the intruders out.
Organizations that are getting a step up on the cyber intruders are those that are doing more than merely following the trends, said Mr. Comyns. The best-protected firms know that the best strategy is a broad approach that includes even the least compelling aspects of cyber defense.
“As much as executives like to learn about whatever cyber story is in the Wall Street Journal, the latest jargon, and the latest technologies or ‘toys’ to thwart attacks, successful organizations know how to execute on the less sexy aspects of cybersecurity – risk and financial modeling, strategy deployment, organizational design, and management operating systems,” said Caldwell’s Mr. Comyns. “This can be a significant challenge for organizations that simply promote their most technical security resource to the executive ranks.”
Contributed by Scott A. Scanlon, Editor-in-Chief; Dale M. Zupsansky, Managing Editor; Stephen Sawicki, Managing Editor; and Will Schatz, Managing Editor – Hunt Scanlon Media