With a number of high-profile security breaches making headlines of late, organizations are increasingly realizing they must beef up their security teams or risk catastrophe. Matt Comyns, global co-head of the Cybersecurity practice at Russell Reynolds Associates, an executive leadership and search firm, sat down with CIO.com to discuss the changing role of the Chief Information Security Officer (CISO), the global cybersecurity landscape and why finding and retaining elite security talent is critical.
CIO: How has the job description for a CISO changed over the last five to ten years?
Matt Comyns: Compared to just a few years ago, CISOs now face a wide array of risks and responsibilities that have significantly increased the complexity of their role. Security breaches at companies like Target and Neiman Marcus have placed these professionals on the front line of defense - and generated significant attention from the C-suite and boardroom. Leading companies recognize that their ability to confront rising cybersecurity risk is driven by the talent of their CISO - and that companies lacking this talent will become increasingly vulnerable.
CIO: What are some of the major challenges faced by today's CISOs, both technical and business-related?
MC: CISOs face a host of new and emerging challenges, including risks generated by the ubiquity of mobile devices, the global scope of information assets, the difficulty of complying with new regulations and the threat of state-sponsored attacks as well as global cyber criminals. In response to these threats, organizations have elevated the role of CISOs to become a direct report to the chief information officer, chief risk officer or general counsel.
CIO: Where do leading CISOs come from? Are there specific technical skills or business backgrounds that make a candidate more suited for the role?
MC: Our research reveals that CISOs have backgrounds that conform to one or more of the following classifications:
Corporate Cybersecurity 'Lifers'
These executives typically hold degrees in engineering or computer science and begin their careers in cybersecurity at large organizations.
Often holding a technical degree in engineering or computer science, these executives normally begin their career in corporate IT and migrate to a specialization in cybersecurity.
Military or Law Enforcement Professionals
These executives begin their careers in military service or law enforcement, gaining technical expertise through on-the-job experience before rising to a senior cybersecurity position within a corporation.
Or Cybersecurity Product Specialists
These executives begin their career with a vendor of cybersecurity products. Similar to military and law enforcement, they also earn their stripes through practical experience before rising to a senior position.
CIO: What differentiates great CISOs from those who are just adequate? What fundamental skills, competencies and experiences are necessary to succeed in the CISO role today?
MC: While strong technical skills are 'table stakes' for success, core leadership and general management competencies make the best CISOs stand out from the crowd. Overall, successful CISOs tend to have the following skill sets in common:
- Business acumen and analytics
- Creativity and innovation
- Business-to-business communication
- Relationships, influence and presence
- People leadership
CISOs are distinguished by their ability to define a vision, secure support for that vision with the board and the C-suite, marshal the resources and talent required to translate that vision into reality, and engage the broader employee population to become champions for information security.
CIO: How do companies compete for, attract and retain top CISO talent?
MC: Exceptional talent in the CISO space is scarce. To attract the best candidates, companies must consider four tactics:
- Sell the vision for the role - CISOs will gravitate towards unique opportunities that stretch their capabilities and demonstrate impact against meaningful objectives. A clear vision that articulates this opportunity is essential.
- Ensure direct engagement of the CEO in the recruitment process - A strong message of strategic commitment must come directly from the CEO, who should play a vital role in the final assessment and recruitment of the finalist candidate.
- Prepare to pay for top talent - Scarcity is leading to rising pay for CISOs, with an annual cash compensation range of $400,000 to $600,000. Leading executives at top firms now often command annual compensation packages of more than $1 million.
CIO: How are CISOs positioned for success? Are there specific support resources and environments that are better-suited to helping CISOs and their teams be successful?
MC: To be effective, cybersecurity must exist as a broad organizational priority that engages all employees. The following factors are critical for success:
- Reporting Attitude - At minimum, the CISO must be a prominent member of the chief information officer's, chief risk officer's or general counsel's leadership team.
- Board and C-Suite Exposure - CISOs must maintain a consistent presence with the board and executive committee. Lacking this presence, CISOs will lack the influence and connectivity needed to ensure a forward-looking approach.
- Distributed Deployment - Cybersecurity readiness does not result from an isolated group, but rather a continued presence in the business units served by the CISO. Additionally, business unit-specific cybersecurity teams must maintain strong ties to company leadership for the entire operation to be effective.
Sharon Florentine covers IT careers and data center topics for CIO.com. Follow Sharon on Twitter @MyShar0na. Email her at firstname.lastname@example.org Follow everything from CIO.com on Twitter @CIOonline and on Facebook.