Business leaders still in denial about cybersecurity threats

Many companies don’t see themselves as attractive targets for hackers. Matt Comyns, the global cybersecurity practice leader for recruiter Russell Reynolds Associates, begs to differ.

Much of the corporate sector remains in denial about the allure their information hold for hackers, nation-state spies and other malcontents, says Matt Comyns, the global cybersecurity practice leader for executive recruiter Russell Reynolds Associates. Despite the fallout at Target that saw the CEO and CIO lose their jobs and the catastrophic revelations of embarrassing emails at Sony Pictures in 2014, companies question whether their assets court the same risk as those brands.

matt comyns

Matt Comyns, global cybersecurity practice leader for executive recruiter Russell Reynolds Associates

Most companies aren’t targeted by hackers seeking to steal data or to spill information that results in public relations nightmares, but the what-me-worry stance misses the point -- badly, says Comyns. All it takes is one significant hack for a company to become Targeted, or Sonyed. "I still walk in the door of companies searching for a CISO who say: ’Who would come after us, we’re not Target, we’re not Sony?’But I think to myself: ‘I'm not so sure that's the right question’."

Comyns says roughly a third of the companies that call Russell Reynolds for CISO searches make a point of downplaying the value of their data. It could be a bargaining tactic to drive down the price of CISOs. It could also be wishful thinking wrapped in naiveté. Comyns, who says he expects his cybersecurity searches to double this year, recently spoke to CIO.com about the current state of cybersecurity.

Cybersecurity breaches continue despite more awareness

CIO.com: Why has it taken publicity on the scale of a Target or Sony to bring the gravity of cybersecurity defense to light?

Matt Comyns: Many companies were blissfully unaware that they’ve been breached, especially those that didn’t have credit card information. Companies learned they have been breached because the FBI knocked on their door and told them they had a problem, that they had traced the dots from stolen credit card information back to Home Depot, Target or somewhere else. But if you didn't have a lot of credit card information, how would you have known? You didn't know.

[ Related: 8 tips for recruiting cybersecurity talent ]

It seems so obvious now, so when we look back we ask: How could you be sleeping at the wheel? What were you thinking? But back then it wasn’t so obvious. It came upon everybody with such force that now everybody is in reaction mode and getting up to speed. In 2016 if you’re not doing the right thing now, shame on you. But I am still shocked about some of the mentality and lack of maturity in information security here.

CIO.com: To your point, the breaches are continuing, with hotels such as Starwood, Hyatt and Hilton all announcing breaches toward the end of 2015.

Comyns: I know another hotel company with 500 hotels in the U.S., they have a CISO who is an information security group of one. He doesn't even have a support deputy. He has to beg, borrow and steal help from IT and the CIO.

CIO.com: When you ask a CEO what he or she looks for in a CIO, they want someone who has a strong foundation in IT but can also communicate and relate to the business. What do CIOs or other senior executives look for in a CISO?

Comyns:It's not unlike the CIO position. You have to understand technology and communicate to the business. As a recruiter, you want a super technically savvy CISO, someone who understands what he or she is protecting, who can also wow the board and C-level executives. And talk intelligently to and influence and transparently manage risk for the business. That's a lot to ask ... but that's what everybody wants. What's out in the market? Not that at scale. So go with more of a techie who is a little rough around the edges and isn't perfect in the boardroom but good enough. Maybe we can get them some exec training, or flank them with somebody who can help.

[ Related: 8 tips for recruiting cybersecurity talent ]

Or maybe I get an enterprise risk manager who has got a decent handle on technology but is not going to be a CIO any time coon. Maybe they came out of PwC and are savvy enough, understand controls and technology well enough, and I flank them with more of an IT security expert. And then people don't have the budget. They say: I want all of that for $300,000. I placed three CISOs last year for $1.5 million and above. You can get creative out there ... there are hidden gems in the market but that's a tall task, especially if you say you need them to relocate.

Why CISOs need deputies

CIO.com: CIOs often have a CIO-in-training, essentially a deputy who handles day-to-day IT operations. Should the CISO have such a lieutenant?

Comyns: I was talking to a big cable network the other day and they have six people in information security and they just got the greenlight to hire 24 new ones this year. Another network has 30 to 50 people on their infosec team. Do they need a COO in their own group? Maybe not. But then you take a bank going from 400 to 500 [cybersecurity employees] and you say absolutely, they need a COO of cyber, especially with CISO pulled away to present to the board and go to D.C. to deal with the government or regulators, or to participate in recruiting or retention programs. The bigger programs absolutely need a deputy CISO.

CIO.com: Who do the majority of CISOs report to?

Comyns: The CIO, but increasingly I’m seeing more report to general counsel or chief risk officer. If there is great communications and trust, I have no problem with the CISO reporting to CIO. As long as it works. But if you have too much friction, tons of conflict, competing budgets, non-alignment, that's a problem, then it must report up to GC or risk officer.

CIO.com: Has cybersecurity has matured to a place where we at least have an idea of how to defend corporate assets?

Comyns: It's gotten better. But frankly what I continue to see in the market is a lack of consistency around understanding and investment in information security programs. We’re still several years away from a consistent market view in how to tackle this. How do we arrive at the right answer to protect companies and consumers that’s economical and scaleable? It’s all over the map. I can show you a $50 billion company that will pay $540,000 all-in for a CISO. And I can show you a $1 billion market cap company that will pay $1 million all-in for a CISO. And I can show you a multi-billion company that will pay $250,000 for a head of information security.

[ Related: Closing the cybersecurity talent gap, one woman at a time ]

In this kind of market, it’s never been more important for boards to shore up their expertise and understanding so they can drive that cybersecurity risk agenda. They have to embrace it, get a deep understanding and connection to it, and then drive the change at their companies so that they can make the proper investments. Because it’s a significant investment, and a significant change to your culture and budgets that is really difficult to drive from the bottom up. It has to come from top down. That’s a multi-year process and we’re nowhere near the finish line.

Join the CSO newsletter!

Error: Please check your email address.

More about FBIHome DepotRussell Reynolds AssociatesSony

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Clint Boulton

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place