Rethinking Information Security in the Age of Enterprise-Threatening Cyberattacks

White Papers | August, 2015

By Peter T. Metzger

Recent events have helped sound the alarm, finally convincing corporations around the globe of the increasingly serious threat of cyberattack. In response, corporations across industries are moving quickly to recruit highly sought-after senior leaders with the combination of sophisticated information technology expertise and intelligence security backgrounds needed to protect corporate property from such cyberthreats. While the supply of such people is quite limited, their ability to deliver value in these risky times makes them a high-level priority.

During testimony to the U.S. Congress in March, the nation’s top intelligence official, James R. Clapper Jr., for the first time ever called cyberattack the greatest current threat to national security, even more pressing than the risk of land-based attacks from global terrorist networks. Potential perpetrators range from small-scale hackers to criminal organizations to state-sponsored entities. Attacks emanating from China and Iran have been cited by U.S. governmental officials. Significantly, the targets are corporate as well as governmental, with many U.S. banks among the targets of attempted penetrations, according to U.S. government officials. Unfortunately, the momentum behind this trend suggests that corporate and governmental risks will only continue to expand.

Corporate leaders need to be aware that both the frequency and scale of these attempted penetrations have ratcheted up significantly. It is also imperative that they recognize the nature of these threats. What is at risk is not simply specific data files that could be compromised. Rather, recent cyberattacks have played out on a scale that presents an enterprise-wide threat to a company’s finances, intellectual property, operations, and reputation.

It’s also worth emphasizing that these risks are widespread. While financial services companies come to mind first as likely targets, companies from healthcare to retail to infrastructure are at risk.

A single, significant enterprise breach can have a catastrophic impact on a company. But perhaps even more disconcerting is the reality that there are companies that may have already experienced a quiet leak of information or suffered a security breach without even knowing it has occurred.

Corporate cybersecurity is, indeed, one of the most pressing priorities for CEOs and boards of directors today, in addition to being a matter of grave national interest. Recognizing this, the U.S. Department of Homeland Security, the National Security Agency, and other government agencies are engaging in unique public-private partnerships to share best practices on cybersecurity with U.S. companies.

At the same time, corporations across all industries are reconceiving their organizational structures to add Chief Information Security Officers (CISOs) to senior leadership teams, entrusted with devising and implementing effective, holistic cybersecurity strategies. This leadership role requires a unique combination of skillsets. The CISO role demands a highly sophisticated understanding of information technology systems and, ideally, formative training at one of the U.S. law enforcement or intelligence services, where the individual would have gained firsthand experience with the best practices of cybersecurity and information protection.

Clearly, the CISO duties differ significantly from those of the Chief Information Officer. And while the CISO may officially report to the CIO, the CISO must have immediate and direct access to the CEO, board, and other top corporate leaders when threats are detected. Response to a cyberthreat simply can’t wait for next week’s board meeting.

Corporations are also adding talent to their cyber protection teams, including people who might best be described as hackers. Working from the inside of an organization, these professionals will repeatedly test the company’s protection systems and identify areas for needed improvement. The best candidates for CISO and other critical cybersecurity roles often are leaders from the defense and intelligence establishment. For that reason, many of these leaders will be found outside the ready-contact list of most executive search firms.

I have a somewhat unique perspective on this complex and challenging situation. My background includes experience at the CIA and a role as Marine Military Assistant to President Ronald Reagan. With personal security clearance from the U.S. government, I have the privilege of being the only consultant in the executive search industry who is currently serving as a director for a company operating under a Department of Defense proxy agreement.

Cybersecurity is a business priority that corporations cannot afford to put on the back burner. Here at DHR International, we have unparalleled expertise, access, and resources in this rapidly emerging field. I look forward to talking with you further about this important topic.