Home Depot, JP Morgan Chase, eBay, Target and the University of Calgary are among a growing list of organizations that have suffered a recent cyber security breach. All of these organizations have sophisticated cyber security programs led by experienced professionals who can call on global consulting expertise for support. For every high-profile public breach there are scores of smaller firms, such as the recently reported dog charity BARK, and countless others that never hit the news or are not reported at all.
The increasing frequency of such incidents has turned the market for cyber security professionals into a burgeoning and competitive arena, with demand far exceeding supply. For CIOs and CTOs looking to add security talent to their rosters, there are some important considerations.
- How mature is the organization with regard to cyber security? This is difficult to measure, but CIOs need to understand it before they can properly determine the type of security leader the organization requires. The lowest level of maturity is focused on complying with regulatory frameworks and on maintaining an effective technology-based perimeter. In these organizations cyber security tends to be driven by the corporate compliance function, which is often not technologically oriented, and by lower-level IT professionals who focus on the technology that secures the network. Communication between the two functions tends to be ad hoc rather than prescribed. The most mature organizations have a firm understanding of the cyber risk posture that is appropriate for them, derived from the overall risk appetite of the enterprise. These organizations tend to have a defined cyber risk policy driven by the board of directors and senior management and involving the risk, compliance and technology functions. The policies and procedures regarding technology risk are then communicated throughout the organization, so that all staff understand the overall risks and potential threats. Such organizations have as many operational countermeasures as technology countermeasures. The security function works to enable the business at an appropriate level of risk, rather than imposing a security framework that stifles enterprise activity.
The level of maturity inside an organization is the key factor in determining the right skill set for a security leader. If the organization is relatively immature, the IT security leader will need significantly more change management skill and overall technology risk perspective than detailed IT security knowledge.
Moreover, that person will have to spend a significant amount of time with the senior management team, educating them on the realities and risks of cyber security and creating the organizational and operational changes needed to become more secure. If the organization is quite mature from a security perspective, it has more options in the type of leader it can choose.
- Will security be outsourced or insourced? For many organizations the cost of running their own security operations centre is prohibitive or inappropriate, particularly when there are excellent providers of managed security services in the market. Where the risks are very high and the organization has considerable scale, it may make good business sense to keep the team internal. Even if security operations are outsourced, the governance and management of those activities always remain with the management team. Organizations that choose to outsource, however, have the option of selecting an IT security leader who is either policy and risk oriented or technically oriented. Technical issues cannot be ignored, and outsource providers need to be challenged to do the full scope of their jobs.
- Does the organization need full-time cyber security leadership? For some organizations the leadership for this function can be “rented” from consulting organizations. Many of the top consulting firms have experienced and capable former CISO executives who can design an effective cyber security framework for the organization and then oversee its implementation. This can be expensive, but not as expensive as wading into a very competitive marketplace for a full-time hire.
- What are the potential cyber security risks that the organization faces? All organizations now need to ask themselves this question and assess the overall risk to the organization from the various types of cyber-attack. For high-profile online businesses the potential for attack is very high, and a well-timed and effective breach could easily do significant damage to the organization from a commercial and reputational perspective.
- How much of the requirement is compliance driven? Many industries have very strict cyber security requirements that are audited by partners, suppliers and independent regulatory bodies. Some are so complex and comprehensive that they need very strong leadership within the business to ensure that the regulations are adhered to.
This is not an exhaustive list of considerations, and many organizations will have to factor in their particular circumstances, but the more focused an organization can be in its search for an IT security leadership professional, the better off it will be in the long run.
About the Author
Paul Hudson is a partner with StoneWood Group, a leading executive search firm. He has helped organizations attract and select talent for over 20 years.