Much of the corporate sector remains in denial about the allure their information hold for hackers, nation-state spies and other malcontents, says Matt Comyns, the global cybersecurity practice leader for executive recruiter Russell Reynolds Associates. Despite the fallout at Target that saw the CEO and CIO lose their jobs and the catastrophic revelations of embarrassing emails at Sony Pictures in 2014, companies question whether their assets court the same risk as those brands.
Most companies aren’t targeted by hackers seeking to steal data or to spill information that results in public relations nightmares, but the what-me-worry stance misses the point -- badly, says Comyns. All it takes is one significant hack for a company to become Targeted, or Sonyed. "I still walk in the door of companies searching for a CISO who say: ’Who would come after us, we’re not Target, we’re not Sony?’But I think to myself: ‘I'm not so sure that's the right question’."
Comyns says roughly a third of the companies that call Russell Reynolds for CISO searches make a point of downplaying the value of their data. It could be a bargaining tactic to drive down the price of CISOs. It could also be wishful thinking wrapped in naiveté. Comyns, who says he expects his cybersecurity searches to double this year, recently spoke to CIO.com about the current state of cybersecurity.
Cybersecurity breaches continue despite more awareness
CIO.com: Why has it taken publicity on the scale of a Target or Sony to bring the gravity of cybersecurity defense to light?
Matt Comyns: Many companies were blissfully unaware that they’ve been breached, especially those that didn’t have credit card information. Companies learned they have been breached because the FBI knocked on their door and told them they had a problem, that they had traced the dots from stolen credit card information back to Home Depot, Target or somewhere else. But if you didn't have a lot of credit card information, how would you have known? You didn't know.
[ Related: 8 tips for recruiting cybersecurity talent ]
It seems so obvious now, so when we look back we ask: How could you be sleeping at the wheel? What were you thinking? But back then it wasn’t so obvious. It came upon everybody with such force that now everybody is in reaction mode and getting up to speed. In 2016 if you’re not doing the right thing now, shame on you. But I am still shocked about some of the mentality and lack of maturity in information security here.
CIO.com: To your point, the breaches are continuing, with hotels such as Starwood, Hyatt and Hilton all announcing breaches toward the end of 2015.
Comyns: I know another hotel company with 500 hotels in the U.S., they have a CISO who is an information security group of one. He doesn't even have a support deputy. He has to beg, borrow and steal help from IT and the CIO.
CIO.com: When you ask a CEO what he or she looks for in a CIO, they want someone who has a strong foundation in IT but can also communicate and relate to the business. What do CIOs or other senior executives look for in a CISO?
Comyns:It's not unlike the CIO position. You have to understand technology and communicate to the business. As a recruiter, you want a super technically savvy CISO, someone who understands what he or she is protecting, who can also wow the board and C-level executives. And talk intelligently to and influence and transparently manage risk for the business. That's a lot to ask ... but that's what everybody wants. What's out in the market? Not that at scale. So go with more of a techie who is a little rough around the edges and isn't perfect in the boardroom but good enough. Maybe we can get them some exec training, or flank them with somebody who can help.
[ Related: 8 tips for recruiting cybersecurity talent ]
Or maybe I get an enterprise risk manager who has got a decent handle on technology but is not going to be a CIO any time coon. Maybe they came out of PwC and are savvy enough, understand controls and technology well enough, and I flank them with more of an IT security expert. And then people don't have the budget. They say: I want all of that for $300,000. I placed three CISOs last year for $1.5 million and above. You can get creative out there ... there are hidden gems in the market but that's a tall task, especially if you say you need them to relocate.
Why CISOs need deputies
CIO.com: CIOs often have a CIO-in-training, essentially a deputy who handles day-to-day IT operations. Should the CISO have such a lieutenant?
Comyns: I was talking to a big cable network the other day and they have six people in information security and they just got the greenlight to hire 24 new ones this year. Another network has 30 to 50 people on their infosec team. Do they need a COO in their own group? Maybe not. But then you take a bank going from 400 to 500 [cybersecurity employees] and you say absolutely, they need a COO of cyber, especially with CISO pulled away to present to the board and go to D.C. to deal with the government or regulators, or to participate in recruiting or retention programs. The bigger programs absolutely need a deputy CISO.
CIO.com: Who do the majority of CISOs report to?
Comyns: The CIO, but increasingly I’m seeing more report to general counsel or chief risk officer. If there is great communications and trust, I have no problem with the CISO reporting to CIO. As long as it works. But if you have too much friction, tons of conflict, competing budgets, non-alignment, that's a problem, then it must report up to GC or risk officer.
CIO.com: Has cybersecurity has matured to a place where we at least have an idea of how to defend corporate assets?
Comyns: It's gotten better. But frankly what I continue to see in the market is a lack of consistency around understanding and investment in information security programs. We’re still several years away from a consistent market view in how to tackle this. How do we arrive at the right answer to protect companies and consumers that’s economical and scaleable? It’s all over the map. I can show you a $50 billion company that will pay $540,000 all-in for a CISO. And I can show you a $1 billion market cap company that will pay $1 million all-in for a CISO. And I can show you a multi-billion company that will pay $250,000 for a head of information security.
In this kind of market, it’s never been more important for boards to shore up their expertise and understanding so they can drive that cybersecurity risk agenda. They have to embrace it, get a deep understanding and connection to it, and then drive the change at their companies so that they can make the proper investments. Because it’s a significant investment, and a significant change to your culture and budgets that is really difficult to drive from the bottom up. It has to come from top down. That’s a multi-year process and we’re nowhere near the finish line.