December 31, 2020 – Matt Comyns is managing partner of the cybersecurity practice at Caldwell. His focus is on recruiting chief information security officers and next-level-down top lieutenants in information security for large global corporations and fast-growing private companies, as well as cybersecurity consultants for leading professional services firms and top executives for cybersecurity technology companies. Mr. Comyns also serves as a strategic advisor for ClearSky, a venture capital/growth equity firm with offices in Florida, New York, Boston and San Francisco.
Mr. Comyns recently sat down with Hunt Scanlon Media to share his first-hand experiences on cyber recruiting for the private equity industry. He sees a big uptick in the need for chief information security officers. Following are excerpts from a recent discussion.
Matt, give us a 30,000-foot overview of cybersecurity recruiting.
It has been nearly seven years since the Target breach—the catalyst for the meteoric rise of the chief information security officer. In the spring of 2013, cybersecurity was a relatively new space. Most companies, private equity or otherwise, were not investing in this function unless they were an early mover. I had placed a handful of CISOs, but most of the CEOs I spoke to were thinking about hiring a head of security but just were not there yet. When news of Edward Snowden’s colossal disclosure of classified information hit that summer, I was sure it would be the start of something, but the consensus amongst those CEOs was that Snowden was just a rogue weirdo and not really a concern. Boardrooms across America started to buzz about cybersecurity. But it was not until the Sony Pictures hack one year later that security became the No. 1 topic in boardrooms. The risk exposure and publicity made the cyber market for talent beyond noisy. It was almost impossible as a recruiter to make sense of the madness. The demand was outrageous; everyone was hiring, but no one knew what to spend. They just knew they needed someone in the role immediately. As it was a relatively new space, there was, and frankly still is, a shortage of qualified candidates, and almost every senior cyber executive gets a counteroffer when they go to change companies. This has led to a fast rise in compensation packages.
How has comp evolved?
To put it in perspective, six months after the breach Target hired their first CISO at a total compensation package of $1 million. It was an unheard-of comp package for a security leader at that time. Since then, those numbers have increased threefold, with a few tier-one CISOs in 2020 commanding a package north of $3 million. Additionally, there are several next-level-down cybersecurity executives at major tech firms making between $1.5 million and $2 million. Despite the skyrocketing compensation packages writ large, not everybody pays for a tier-one CISO. That has certainly been the case for most of private equity, which has lagged the market by a considerable degree. It makes sense given the business model – PE firms pay up for a CEO but will likely be more balance-sheet-sensitive for other C-level executives. Compensation packages for private equity CISOs after the Target breach were in the $300,000 range, if not lower. Fast forward to today: PE firms have doubled their budget for security leaders, paying in the neighborhood of $500,000. But they clearly have not tripled the packages as we have seen in the private sector, and they’ve certainly not kept pace with the top of the market.
What is the current demand for CISOs?
The CISO function is seen as a good Moneyball category – a place to get value for a reasonable price if you recruit in the right way. The market’s tough, and if companies plan to thread the needle to find the best player at the best cost, they will recognize they’re not the only ones trying to do that. The market is still red hot, and candidates have choices. They’re also often not terribly polished executives, so the recruitment process gets that much more tricky. I heard a story the other day about a candidate who accepted a role with a well-funded PE-backed cyber risk company and strung them along, pushing his start date back to wrap things up at the cybersecurity firm he was leaving. When his start date finally came around, he was a no-show on day one, having used the extra time to ink the deal on his counteroffer. A recruiter who really knows the space would have known that candidate was ‘Mission: Impossible’ because the PE fund that had acquired that cybersecurity firm would never let him walk out the door without throwing huge money at him. If you are trying to play Moneyball, you need to work with a recruiter who really knows the space.
What value do CISOs bring to private equity outfits?
CISOs will know where you can get value, and they will have a much better sense for the utter madness that is the current market for security talent. PE firms, particularly, need to find the right talent partner to keep pace with an evolving security market. In the last 12 to 24 months, increased regulatory requirements, pressure from customers via RFPs related to security, and a rise in cyber incidents at the company level have driven private equity firms to invest more in security and, in some cases, pay top dollar. The recent TikTok news is a great example of a situation where a strategic CISO, in this case Roland Cloutier, can play an oversized role in a company’s future. We worked on a similar type of search with a fast-growing tech company started by non-Americans, where we hired a seasoned veteran who had both U.S. government and commercial market experience to bring credibility and stability to the platform. Strategic hires like this come at a high price, but when there is a calculated need, they will make an exception and pay for the most valuable CISOs. Some PE funds have taken a shared services approach, hiring high-level CISO executives to help with the PE company itself, but also to strategically advise portfolio companies and vet potential investments, M&A and otherwise. This allows them to centralize resources, leverage buying power, share best practices and build a community among their CISOs. It also means that within their portfolio companies, they can take a chance on decent athletes at a much better value, without having to break the bank on every investment. It is a great model, and it is surprising to me that it has not caught on faster with more firms. We expect it will continue to gain traction due to the modeled success.
What do CISOs need to know moving forward as technology continues to evolve?
At a minimum, funds are going to need to invest heavily at the holding company level to help their portfolio companies manage the function. This is going to trend upwards at the portfolio level as well, and it is likely that 10 years from now it will be a much more rational market. The next generation of leaders – those currently in high school – will be better educated in security, more digitally fluent, and there will be more of them, tempering the market’s pricing by addressing the talent gap. In the meantime, for the next decade, PE firms are likely to spend more than they want in security – something organizations will view as a necessary evil. Regulatory pressure is only going to worsen, and customers are only going to kick the tires harder on security as they become more sophisticated in the function.
What are some recent trends you have seen with private equity firms and the cybersecurity market?
Beyond the security function within all portfolio companies, we have also seen private equity players becoming big buyers of cyber vendors. The huge gap in talent and capabilities has created a tremendous opportunity for new solutions, while also raising more talent challenges. As a result of these investments, thousands of cyber companies have emerged since 2013, with many private equity funds taking advantage of it. The smarter firms, particularly those investing in technology in general, have moved aggressively into this space. Thoma Bravo is a great example of a fund that bought into this idea early, buying up cyber vendors and then selling them at 4X just two years later. The approach is smart, as doubling down on security on the investment front can help companies get smarter about how they run their own security both at the fund level and at the portfolio level. The talent gap in the security function is real. The velocity, and the short period of time in which the market has changed, makes this a unique functional area in which to attract and recruit top talent. Although the market for talent at the top may seem picked over and overly expensive, the reality is that by choosing the right search partner, success can be attained. Recruiters who know the PE space, and understand how the security market for talent has evolved over the last decade, can lead to strong, successful partnerships that will benefit PE firms for years.