Escalating Risks from Cyberthreats Require a New Breed of Information Security Talent
White Papers | August, 2015
It is sometimes startling to remember that only a decade ago, cybersecurity was almost an afterthought for corporate leaders around the globe. Today, few topics are more present and pressing in C-suites and boardrooms than that of cybersecurity. The escalating risk of theft, disruption, or destruction from cyberattack for companies, consumers, and government bodies alike is documented daily in news reports of cybersecurity breaches and corporate espionage, as well as in the increasingly regular experiences of consumers who have been "hacked."
While the specific nature of the threat might vary by industry, companies in all business sectors and all global regions must confront this rapidly expanding and business-critical management challenge.
In response, cybersecurity matters have skyrocketed to the top of the priority lists of CIOs across all industries. Companies increasingly are building out or upgrading their information security teams, often adding a Chief Information Security Officer, for the first time, to partner with the CIO.
Among the greatest challenges as companies grapple with information security is identifying and retaining expert leaders whose information security skill set is as sophisticated as the cyberthreat itself, and capable of evolving just as quickly. Frequently, such talent comes from the federal intelligence or defense establishment. Needless to say, such talent is scarce, the competition for it is nothing less than fierce, and that competition seems bound only to grow as companies fully recognize how essential information security roles have become.
In this kind of environment, companies must be able to turn to an executive search partner with the marketplace knowledge and resources to access the very best candidates. DHR International’s unparalleled knowledge of the top information security leaders, including the federal intelligence and defense community of leaders, provides clients with unique access to the experienced professionals who possess the technical and strategic expertise for critical information security roles.
The Scope of the Threat
Addressing corporate cybersecurity, of course, must begin with understanding the scope of the threat and defining priorities. Thomas Nealon, former CIO of J. C. Penney, Southwest Airlines Co., and Frito-Lay, currently serves on the board of directors of both Southwest Airlines and Fossil, Inc. Mr. Nealon recently shared with DHR International his perspectives on the magnitude of the cybersecurity challenge, stating, "I think the real challenge for the CIO and CISO today is, how do you shrink the problem?"
He goes on to explain, "Too many companies are trying to put fortifications around the whole beachhead, and you just can't. If you are going to build a wall across the entire beach, it will be a pretty low wall. Instead, you have to know what you are really trying to defend against, which means that you need to have some level of intelligence and understanding as to who are the adversaries that present the highest threat to your industry."
Paul Nguyen, who recently stepped into the role of VP Cybersecurity Solutions at CSG International, a leading business support solutions provider, agrees that it is critical for companies to identify their "crown jewels" from an information security perspective, as well as to understand the tremendous scope of the threat.
Mr. Nguyen, who began his career as an "ethical hacker" and has extensive experience serving federal government cybersecurity initiatives, says, "It is relatively easy to start hacking. Anyone with a computer can do it, pretty much instantly. There are a lot of resources out there, both common tools that people use and custom tools. Sometimes there are supply chain issues, such as when software is embedded in a product after it comes from the manufacturer. There have been cases, for instance, where bad software was embedded in digital picture frames, so that when people connected them to their computers, the computers became infected."
"We just don't know all the threats that we are impacted by," Mr. Nguyen goes on to explain. "They evolve almost daily, both in terms of who the threats are coming from and the tactics that they utilize. That is the challenge that we are wrestling with: a masked enemy that we really don't know a whole lot about."
Motivations: Gain or Pain?
Understanding the motivations and capabilities of that "masked enemy" is critical.
In a nutshell, is the motivation of the attacker gain or pain? Mr. Nguyen explains, "In terms of financial threats, there is a large black market now for packaging and selling credit card data. That has become a huge criminal element. There is also corporate espionage taking place overseas, where companies are hacking their competitors to get sensitive information, such as pricing data to win a deal. And then there are the attackers that are motivated purely by what we call 'hacktivism.' They may not agree with a political position and they take action to disrupt."
While the primary threats for most companies are financial and intellectual property theft, there are other threats as well. Mr. Nealon notes, "You have a whole new cast of characters whose motivation is not gain, but inflicting pain. And there are different levels of pain. Some want to inflict pain via service disruption, perhaps operational or customer service disruption. Then the next dimension is destruction, which can be as fundamental as wiping out customer databases, shipping databases, or operational systems. That is a serious problem, and there can be a political dimension to it."
Avoiding that False Sense of Security
One of the most difficult challenges of information security is not knowing what you don't know. Stated differently, it is important to remember that an information security breach can remain undetected for weeks or months, maybe longer. And effectively combating many attacks does not mean the company is prepared to dodge the one significant attack that matters.
Thomas Nealon, former CIO of J. C. Penney, Southwest Airlines Co., and Frito-Lay, describes the challenge by saying, “You might have a dangerous false sense of security if you hear from your security team, ‘In the past month, the company had 10,000 potential breaches and we stymied them all.’ Well, those might have been fairly innocuous, low-risk kinds of things. That is going to happen everywhere. The real question is, are you aware of the five or six that were really significant, potential risks? What was the level of sophistication of those attempts, who was it that was making the attempt, and are they a big risk to you?”
“I think the trajectory of this risk is accelerating,” Mr. Nealon continues. “Certainly, it is becoming more widespread as payment systems become more mobile. There are new risks that we have not even identified yet. Just think about what people are carrying on their cell phones now. They have mobile apps for their banks, for their investments, for everything. There is a level of security in place around that, but these are new areas that are ripe for my potential exploration—if I were a hacker.”
“For me, the key message of cybersecurity today is having intelligence,” Mr. Nealon said. “Once you have installed all the tools that can help with the blocking and tackling, you really must understand who the adversaries are, their motives, tactics, and capabilities. That implies that you have some level of understanding of what the threat factor looks like and an antidote. For that, you need intelligence and the insights of expert professionals.”
Grappling with cybersecurity challenges often requires a multi-prong strategy, involving outside consultants, software and hardware solutions, and an upgraded internal information security team. Mr. Nealon estimates that while many companies might spend about 3% of their IT budget on information security, that percentage may more commonly be 10-15% in certain industries, such as financial services.
While the greatest threats vary across industries, from the theft concerns of financial services firms to the risk of lost private data for healthcare companies to concerns regarding service disruption for critical utilities and transportation companies, Mr. Nguyen says, "There are core security principles to employ, regardless of what industry you are in, and they evolve. But it also goes down to the hardware and software providers we buy from, so it is a much more complex problem than just what the company can do from their own side. We have to evolve our practices as the hackers evolve theirs."
Mike Henderson, EVP of Sales and Marketing at CSG International, points to the company's development of new information security products in response to client demand, and also notes the trend toward larger internal information security teams. He says, "In our business interactions, we are seeing more and more CISO positions being created, whereas five or ten years ago, this was not the case. There seems to be a clear recognition of just how important this role is within a company today."
Commenting on the trend, Mr. Nealon says, "The responsibilities of information security do fit squarely within the CIO's domain, but this is a highly technical and complex area which takes attention every day. So I think companies do need to have a CISO who has the influence and ability to act within the organization. Boards also need to attend to cybersecurity, probably through the audit committee, as that committee is typically responsible for assessing enterprise risk management matters."
Technical Skills and Gravitas
Of course, among the many challenges companies face related to information security, one of the greatest is procuring talent with the truly unique blend of skills required to effectively lead corporate cybersecurity initiatives. Information security leaders must possess a sound understanding of the population of cyber attackers, including their skills, tactics, and motives; the most current information technology skills; and the access and gravitas to interact in a timely and effective manner with the CEO, senior team, and board.
Given the burgeoning demand for sophisticated information security talent, those leaders are, understandably, in short supply. DHR International Vice Chairman Pete Metzger notes, "Working with an executive search partner to identify and retain CISOs and other top cybersecurity leaders is simply critical given the intense marketplace demand and fierce competition for these professionals."
Looking across industry sectors for talent is one effective strategy, as protection protocols have sufficient commonality to allow information security specialists to step effectively from one sector to another. Systems engineers, internal audit professionals, and others are developing expertise in information security. Still, some of the most hotly sought-after talent comes out of the federal government. Referring to executives who are familiar with government information security strategies as the "gold standard" among cybersecurity professionals, Mr. Henderson, who is also a hiring officer at CSG International, said, "When we were interviewing people for the role Paul (Nguyen) has taken on, so many of the candidates were out of the federal government. There just seems to be a lot more advanced thought there directed toward the importance of information security."
These "gold standard" candidates for information security roles often are leaders from the defense and intelligence establishment, either from a uniformed or a corporate background. For that reason, many of these leaders will be found outside the ready-contact list of most executive search firms.
Mr. Metzger states, "As is appropriate, our federal government is taking a leadership role in developing effective information security strategies, and therefore is one of the best sources of cybersecurity expertise." Mr. Metzger is well-positioned to appreciate this, given his former roles in the CIA and as a former Marine Military Assistant to President Ronald Reagan. At a time when companies face an imperative to bolster their internal information security efforts, Mr. Metzger provides unique access to this population of desirable information security professionals. Mr. Metzger also has the distinction of being one of the few consultants in the search industry to hold a current U.S. Government Top Secret (SSBI) clearance.
One thing is clear: the responsibilities of today's CISO are all-encompassing. Paul Groce, a graduate of the United States Military Academy at West Point, explains, "Look at what that role encapsulates. The best CISOs have a strong understanding of the technical aspects. They also understand the business, as we realize now that security is so integrated into the business."
Meanwhile, Mr. Groce adds, "The CISO must understand the company's risk management policy as well. Considering those elements, information security is probably one of the most cross-cutting domains that we have today, impacting almost every part of a company's business."
Fulfilling this tall order for a company's mission-critical CISO and other information security professionals simply requires a partnership with an industry-leading executive search team. In today's world, the high stakes for ensuring corporate information security demand nothing less.