With a number of high-profile security breaches making headlines of late, organizations are increasingly realizing they must beef up their security teams or risk catastrophe. Matt Comyns, global co-head of the Cybersecurity practice at Russell Reynolds Associates, an executive leadership and search firm, sat down with CIO.com to discuss the changing role of the Chief Information Security Officer (CISO), the global cybersecurity landscape and why finding and retaining elite security talent is critical.
CIO: How has the job description for a CISO changed over the last five to ten years?
Matt Comyns: Compared to just a few years ago, CISOs now face a wide array of risks and responsibilities that have significantly increased the complexity of their role. Security breaches at companies like Target and Neiman Marcus have placed these professionals on the front line of defense - and generated significant attention from the C-suite and boardroom. Leading companies recognize that their ability to confront rising cybersecurity risk is driven by the talent of their CISO - and that companies lacking this talent will become increasingly vulnerable.
CIO: What are some of the major challenges faced by today's CISOs, both technical and business-related?
MC: CISOs face a host of new and emerging challenges, including risks generated by the ubiquity of mobile devices, the global scope of information assets, the difficulty of complying with new regulations and the threat of state-sponsored attacks as well as global cyber criminals. In response to these threats, organizations have elevated the role of CISOs to become a direct report to the chief information officer, chief risk officer or general counsel.
CIO: Where do leading CISOs come from? Are there specific technical skills or business backgrounds that make a candidate more suited for the role?
MC: Our research reveals that CISOs have backgrounds that conform to one or more of the following classifications:
Corporate Cybersecurity 'Lifers'
These executives typically hold degrees in engineering or computer science and begin their careers in cybersecurity at large organizations.
Often holding a technical degree in engineering or computer science, these executives normally begin their career in corporate IT and migrate to a specialization in cybersecurity.
Military or Law Enforcement Professionals
These executives begin their careers in military service or law enforcement, gaining technical expertise through on-the-job experience before rising to a senior cybersecurity position within a corporation.
Cybersecurity Product Specialists
These executives begin their career with a vendor of cybersecurity products. Similar to military and law enforcement, they also earn their stripes through practical experience before rising to a senior position.
CIO: What differentiates great CISOs from those who are just adequate? What fundamental skills, competencies and experiences are necessary to succeed in the CISO role today?
MC: While strong technical skills are 'table stakes' for success, core leadership and general management competencies make the best CISOs stand out from the crowd. Overall, successful CISOs tend to have the following skill sets in common:
- Business acumen and analytics
- Creativity and innovation
- Business-to-business communication
- Relationships, influence and presence
- People leadership
CISOs are distinguished by their ability to define a vision, secure support for that vision with the board and the C-suite, marshal the resources and talent required to translate that vision into reality, and engage the broader employee population to become champions for information security.
CIO: How do companies compete for, attract and retain top CISO talent?
MC: Exceptional talent in the CISO space is scarce. To attract the best candidates, companies must consider four tactics:
CIO: How are CISOs positioned for success? Are there specific support resources and environments that are better-suited to helping CISOs and their teams be successful?
MC: To be effective, cybersecurity must exist as a broad organizational priority that engages all employees. The following factors are critical for success:
Sharon Florentine covers IT careers and data center topics for CIO.com.