CIOs: Between a Cyber-Rock and a Risk Place
Modernizing Authentication — What It Takes to Transform Secure Access
With the board of directors asking questions about security readiness, CIOs are under pressure to assess their organization’s ability to respond to threats.
By Katie Graham Shannon and Phil Schneidermeyer
CIOs are under more pressure than ever to accurately assess their organization’s ability to respond to both internal and external threats. The board of directors and its audit committee are asking questions about information security readiness, and the CEO, CFO and general counsel are looking to the CIO for real-time answers.
Currently, there are two trends that are moving in opposing directions, putting CIOs between a rock and hard place.
The first trend: Social, mobile, analytics and cloud (SMAC) provide opportunities for criminals to, at a minimum, damage a company’s brand, and, at the worst, kill someone—possibly by damaging pacemakers or other medical devices. There is no turning back the clock on this one. The chief marketing officer and other customer-facing roles have gone digital, and organizations have seen the benefits with increased sales and improved customer experience. But these benefits bring increased risk.
The second trend: Explosive demand for chief information security officers (CISO) has created a dramatic shortage of information security, risk and cyber-talent at all levels. However, it is especially true at the senior level. There, technical skills are lower on the list of priorities, and communication skills, relationship-building skills, and gravitas (executive presence) are required.
The CIO needs a CISO with these leadership soft skills because this person will be presenting to the board and must work seamlessly with functional leaders, including the CFO, general counsel and other business line executives, in order to succeed. Externally, they must also work closely with their peer CISOs, security technology vendors and government agencies.
The Cyber-Skills Mix
In the recruiting process, CIOs are comfortable with the challenge of getting the right mix of technical and managerial skills. However, in an information security market that is currently experiencing negative unemployment, CIOs will need a go-to-market strategy that emphasizes speed and flexibility.
In terms of speed and reducing the recruiting cycle-time, consider minimizing both the number of interview rounds and the number of executives that need to interview the candidates. Get early buy-in from the candidates by quickly meeting them via video to share your company’s information security strategy, and expect to be in sell mode as the chief brand ambassador of your firm.
A key stakeholder like the CFO or general counsel should be involved in the first round, versus the approach that most CIOs take: Having their direct reports do the round-one interviews.
If a candidate is considering your opportunity, then he or she is likely considering other positions as well, and the great candidates are looking for challenges and career growth. They will be attracted and intrigued by what they hear when they are meeting with non-IT leaders for the job opportunity.
Also, you should understand both the short-term and the long-term components of the candidate’s compensation. Expect that for the right talent, CIOs may be pushed to do extraordinary and unique things with compensation to attract the candidate. There is an opportunity here for CIOs to work closely with their HR partner from the beginning to ensure that the offer stage is expedited.
It goes without saying that the more flexible a hiring manager can be, the chances improve that he or she will land the best candidate. For information security roles, the list of qualifications can be long. Historically, these have included specialized training, education and certifications such as CISSP. CIOs in the retail and hospitality sectors have pushed for PCI experience.
Today, with these qualifications held by others in the organization, CIOs are forgoing these requirements. Instead of them being a “must have,” they are now “nice to have.” Many CISOs have not kept these certifications current, and some never had them.
Many CIOs are looking beyond their own industry for talent, and they often target sectors such as financial services, which has years of experience building information security and risk programs. While this strategy will yield “been there, done that” experience, it also has two areas of caution: the ramp-up to learn a new industry and transition challenges. That’s combined with the fact that there will likely be a compensation premium when recruiting from financial services.
With recent examples like the Sony Pictures hack, it is becoming abundantly clear that there is no mote wide or deep enough to reduce the penetration risk to zero. The C-suite and the board may accept this if the CIO is successful at recruiting a CISO who has the leadership and communication skills to be a trusted advisor.
The most important point is that an organization looking for top CISO talent needs to be prepared to hook, land and keep this sought-after talent.
Katie Graham Shannon is a global managing partner and Phil Schneidermeyer is a partner for the Information & Technology Officers Practice at Heidrick & Struggles.