by David Boehmer
For boards of directors and leaders across organizations, cyber security is no longer merely an IT issue but an urgent matter of risk management. The list of risks is long and continues to grow: theft of intellectual property, breaches of customer information, denial of service, malicious code and viruses, insider disclosures by disgruntled employees, and more.
Yet, for all the sound and fury, many boards and senior managers struggle to understand fully what needs to be done. Cyber security is a technically complex subject, and the IT estate is largely opaque to non-specialists. But the issue goes far beyond IT: cyber security affects every action a firm takes. Even the terminology can be confusing. Information security, cyber security, information risk management and physical security were once distinct fields; they are now merging quickly.
The Need for a CISO
Information and cyber security are shifting in real time, and even specialists find it extremely difficult to stay ahead of emerging technology. As these complicated issues continue to unfold, leadership talent has evolved to meet them. Today's top consultants and CISOs are better rounded, with greater business acumen than in the past. The role now extends well beyond information security to include risk management, data privacy, compliance, and technology and security operations. Regulatory pressure in particular has tied the function far more closely to legal and risk than it was before.
Embracing Security as an Organizational Goal
With new threats appearing at a dizzying pace, designing business processes that can operate safely in an unsecured world is vital to reducing risk. Beyond reacting to threats, the security leader must also act as a strategic ambassador who represents the organization's security programme and its milestones to the business.
In the coming year, the security concerns that have hindered cloud adoption will come to a head. Growing demand for cloud computing will force organizations to find effective ways to evaluate their providers' security controls against their own requirements, including continuous and secure monitoring of those providers. At the same time, a cluster of disruptive innovations continues to transform enterprise IT, hammering at the very foundations of established information security strategies.
Personal Devices and Security Roadblocks
Information security teams must actively manage the risks of social media, backed by comprehensive policies and effective security controls. More employees are using their own smartphones and tablets for work, creating a surge of consumer mobile devices that access corporate networks and store corporate data. Organizations and leaders within the C-suite have to prepare for a world in which the dominant endpoint is not a desktop but a mobile device.
Cyber Threats and Hacktivists
Attacks carried out as cyber protests for politically or socially motivated purposes, or simply "because they can", have increased and are expected to continue. Common strategies used by hacktivist groups include denial-of-service attacks and web application attacks such as SQL injection. Once a system is compromised, the attacker harvests data, credentials in particular, to gain access to additional data, email and other sensitive information. The data collected and inspected to detect advanced threats will balloon in both variety and volume by 2016, with the focus on finding the needle in the haystack. Security intelligence and cyber-skilled leadership are key factors in helping companies understand what is actually happening within their systems.
Investing in Talent
Today, firms seek senior-level leaders who possess not only technical know-how but also sound judgment in high-risk situations. Leadership presence, regulatory savvy and an overarching vision of the risk framework are among the must-have qualities that our clients expect to see in top CISO candidates. Five years ago, data security barely cracked the top ten concerns among corporate boards. Today, it is the biggest concern. Throughout the financial services sector, we are seeing unprecedented demand for Chief Information Security Officers, a trend we expect to escalate as data security risk is increasingly recognised as a direct component of operational risk.
The challenges are clear. Organizations need to take the leap and think creatively about structure and about the talent they place in these vital roles. It is no longer acceptable to assume that someone else is managing this risk. Boards must be ready to ask the tough questions, while senior leadership needs to understand the firm's situation fully and structure the organization around that need. No two of these roles are the same; each has the dial set slightly differently, and the talent in place must match that situation while having the leadership capability to take the organization on a journey in which difficult decisions must be made.
For more on this topic, watch this informative video: Cyber Security Attacks Spike Demand for CISO Talent.
David Boehmer is a Regional Managing Partner of Heidrick & Struggles’ Financial Services Practice for Europe and Africa. Before taking on the regional management role, David was head of the Financial Services Infrastructure Practice for the Americas. He was named a World Economic Forum Young Global Leader in 2012, and is an active board member of Komera, a not-for-profit focused on empowering young girls in Eastern Africa through education, entrepreneurship and mentorship. Find David on LinkedIn, or follow him on Twitter @DBVancouver.