Four mistakes to avoid when hiring your next security chief (print version nov 2015)

Four mistakes
to avoid when
hiring your next
security chief
There is arguably no hire more important today than chief
information security officer, but companies may be making the
wrong calls when evaluating the role. Here’s how to feel more
secure about your next security leader.
15100747 - hs-00129-CISO article 2-DRAFT 02.indd 1 27/10/2015 11:17

2 Four mistakes to avoid when hiring your next security chief
For many organizations, recruiting a top-
notch chief information security officer
may be their most important hire.
If that seems like an overstatement, then ask the boards
of directors of Target, Sony Pictures, Home Depot, J.P.
Morgan, or any one of the long list of organizations whose
corporate data stores have been breached recently.
They’re the ones who, with their executive teams, still
have to deal firsthand with the reputational wreckage and
loss of customers’ trust, the financial impact, and all the
other consequences cyberattacks bring.
With cybersecurity calamities regularly making front-page
news, there’s clearly a crying need for better protections
and stronger, smarter responses. So a big question being
voiced in boardrooms these days is this: do we have the
right information security leader in place — and at the
right level and with the right skills?
But here’s the problem. Boards — not to mention their
CEOs — are still learning how to think about, and define,
the chief information security officer (CISO) role. For one
thing, the role is exponentially more complex than it used
to be — far more than keeping the security software and
firewalls up-to-date and anticipating and dealing with
the outcomes of a stolen laptop. The person (or persons)
now in the role might be a great match for yesterday’s
challenges, but too many are unequal to the complexity
and sheer volume of threats that organizations face
today . . . to say nothing about tomorrow’s threats.
The upshot: boards and their executive teams are in
danger of getting the CISO role wrong. In particular,
we’ve observed four ways in which that may happen:
1. The organization may shortchange the risk
savvy required.
2. The reporting structure may be off-track.
3. There may be (paradoxically enough) an
overemphasis on cyber qualifications.
4. The organization may hold out too long for the
“perfect” security leader.
We’ll look more
closely at each of
these pitfalls in
a moment. First,
though, it’s important
to underscore how
directors’ own roles are
changing as cyber risks escalate.

Heidrick & Struggles 3
The buck stops where?
It’s not the place of this article to grimace at the
growing list of cyberattacks. But it is our job to point
out that the buck for security, in all forms, stops squarely
in the boardroom. That was made crystal clear in a June
2014 speech to the New York Stock Exchange by Luis Aguilar,
commissioner at the US Securities and Exchange Commission:
“Ensuring the adequacy of a company’s cybersecurity measures
needs to be a critical part of a board of director’s risk oversight
responsibilities,” he stated.1
Moreover, directors and officers who fail
to assume this responsibility may find themselves individually liable
for any lapses that occur. Translated into action, this means that
boards must ensure that the appropriate teams are in place and that
there are adequate plans to not only respond to breaches but prevent
them.
The National Association of Corporate Directors (NACD) has crystallized
those themes into a set of guidelines. The first and foremost principle:
“Directors need to understand and approach cybersecurity as an
enterprise-wide risk management issue, not just an IT issue.”2
In response, more and more directors are stepping up. In the United
States, nearly half of the respondents to a recent survey agreed that the
audit committee has responsibility for cyber risk today.3
“Boards now are
calling for clear and consistent cybersecurity policies,” said
Richard Goodman, a member of the boards of Johnson Controls,
Kindred Healthcare, Western Union, and Toys “R” Us. Speaking at
a recent gathering of CIOs, Goodman added: “You can’t give
people in the field decision-making authority about whether
you decide to do something or not on cybersecurity.”4
Indeed, we see many more boards becoming directly involved in the
search for a new CISO as the strategic importance of the role increases.
Similarly, we’ve seen an uptick in the number of boards seeking
directors with real cybersecurity know-how — for example, in the
form of sitting or retired CIOs (particularly those to whom the CISO
has reported).
1 Luis A. Aguilar, U.S. Securities and Exchange Commission, “Boards of Directors,
Corporate Governance, and Cyber-Risks: Sharpening the Focus” (speech, “Cyber
Risks and the Boardroom” Conference, New York Stock Exchange, New York,
NY, June 10, 2014), available on www.sec.gov.
2 National Association of Corporate Directors (NACD), Cyber-Risk Oversight Handbook,
June 10, 2014, available on www.nacdonline.org; The Institute of Internal Auditors
Research Foundation, Cybersecurity: What the Board of Directors Needs to Ask,
2014, available on www.theiia.org/bookstore.
3 Ken Berry, “5 Key Takeaways from KPMG’s ‘2015 Global Audit Committee
Survey,’” accountingWEB, February 12, 2015, available on
www.accountingweb.com.
4 Rachel King, “Cybersecurity Policies Need to Be Centralized: Board
Member,” Wall Street Journal, CIO Report (blog), June 30, 2015,
http://blogs.wsj.com/cio/2015/06/30/cybersecurity-policies-
needs-to-be-centralized-board-member.

Legacy compliance
Privacy- and compliance-focused
individual who typically came up
through risk or the Big Four. Generally
not technical; limited understanding
of hacking or engineering.
Low demand
Cyber specialist
Knows how to identify the “black
hats” and keep them out; has a strong
technical background. Probably came
from communications,
government/defense, or financial
services company.
Strong demand
Enterprise CISO
Historically most common; came from
IT or infrastructure side; likely reports
to CIO. Very comfortable
implementing software, such as
identity and access management
software, or enhancements to
mobile/cloud security.
Strong demand
Product CISO
Embeds security in products such as
online video games or Internet of
Things; ensures that what the
company makes has security in it.
Currently low demand but growing
quickly
Know your CISO
Savvy boards and executive
teams realize that not all CISOs
come from the same mold. Just
as with any functional leadership
role, CISOs come from all sorts
of backgrounds. In our work, we
have identified four major types of
CISOs:
Four pitfalls to avoid
Yet the additional attention doesn’t necessarily equip
boards or executives to evaluate, let alone appoint, the
right CISO. And that’s part of the point: there is no one
true job description that will be as good a fit for a Silicon
Valley technology company as it would be for a Rust Belt
industrial machinery manufacturer. Furthermore, there are
many different stripes of CISOs — not all necessarily with
entrenched technology backgrounds. (See sidebar, “Know
your CISO.”)
In our experience, too many organizations appoint a CISO
based on legacy concepts rather than demand-driven ideas.
A tech company may select a CISO with a stellar track record
of rolling out and supporting robust security software but
who lacks the risk savvy to gauge and therefore guard against
as-yet-unknown cyber threats. Or an industrial company
may pick a CISO whose career in risk and compliance does
not equip him or her to assess the scope or scale of the
next cyberattack. Here are four common mistakes we see
companies make.
Thinking too tactically
Until relatively recently, it was usually enough for
organizations to have a technology-savvy leader on the
CIO’s team who would roll out robust security software
across the organization and make sure it was kept up-
to-date. The underlying principle involved was defense:
protect the organization against persistent yet fairly well
understood threats.
Not anymore. The speed of technological change has brought
with it more frequent and more complex attacks, even as
companies have come to rely more on technology and
technological connectivity for growth. Today, regardless of
industry or geography or size of the organization, the CISO
must have an enterprise-level understanding of the risks of
every form of cyberattack and other enterprise threats and be
able to communicate them not only to IT-focused colleagues
but to the board of directors as well. Some CISOs are already
headed in that direction. Speaking to Bank Info Security
recently, David Sherry, CISO of Brown University, indicated that
he sees the role transitioning completely to manage the risk
of an enterprise by setting the proper programs, policies, and
processes that are necessary to fulfill the IT security mission.5
5 Tom Field, “CISO’s Challenge: Security & Risk. Security Leaders Take on Dual
Responsibilities,” Bank Info Security, October 23, 2012 , available on
www.bankinfosecurity.com.

Heidrick & Struggles 5
Yet many companies still have tactically focused security
leaders — oftentimes because they’ve simply had no
cause to reexamine the issue from a broader perspective.
This was the case for a large technology company we
know that was spinning off a large subsidiary. It was only
during the spin-off process that the NewCo’s general
counsel recognized how immature its security operations
actually were.
Meanwhile, a technology services firm recognized that
its cybersecurity leader wasn’t sufficiently business-
minded or strategic enough to help grow the company’s
solutions business — a business, ironically enough,
focused on cybersecurity. The leader was capable of
managing the security challenges but less capable of
operating effectively across a matrix organization as a
peer to senior business leaders, something the company
needed to ensure that its solutions business achieved its
growth objectives.
Similarly, a diesel engine manufacturer recognized that
its director-level cybersecurity leader was well prepared
to handle the everyday tactics of the role but out of
his depth when it came to engaging with the board of
directors on cybersecurity strategy. The manufacturer’s
general counsel clarified the need for a CISO “upgrade”
and put a search in motion.
The push for a top-level CISO can come from several
sources. Oftentimes, the general counsel is a prime mover
because of the risk component of the role. But it can come
from the CEO, the audit or risk committees, or a director
whose other boardroom experiences heighten his or
her awareness of the risks. That was the case recently at
a leading pharmaceutical company; one of its directors
had been on the board of a national retailer that had
been hacked — and whose brand suffered as a result. The
director knew firsthand the importance of hiring a top-
level CISO who could handle the cybersecurity risks and
thus pushed the board to do so.
Mismanaging the reporting structure
It’s a mistake to assume that since the CISO job touches
technology, the role should always report in to the CIO.
A security chief who comes from the legacy compliance
world will be entirely out of place working for the head
of IT. Similarly, a CISO who is steeped in cyber everything
may not work well if the job is required to report to, say,
the chief risk officer.
In our experience, who the CISO reports to and what
access and influence he or she has are at least as
important as the CISO’s qualifications and experience.
The reporting structure will always be specific to the
organization — to its strategy, its structure, and its
culture. Companies respond to this issue in different ways.
Some elevate the function, while others split the role so
its risk component reports to the chief risk officer, the IT
security part answers to the CIO, and physical security is
under the general counsel.
There are two dimensions to the issue of reporting
structure that are most important to consider. The first is
influence. The role has to be at a senior enough level for
the CISO to be able to have the respect of the other C-level
executives and the board. (If the CISO is really at only a
manager level, he or she faces an uphill battle to get the
respect required to meet the broad mandate of the job.)
The second dimension is the potential for conflict of
interest. Let’s say the CISO reports to the CIO. It’s the
CIO who controls the purse strings for the company’s
technology networks. But if the CISO’s job is to audit
those networks, there’s a built-in difficulty. It’s never easy
to tell your boss that his or her network is the source of
the organization’s cybersecurity problems, particularly
if the implication is that it will cost money to fix the
predicament and therefore potentially conflict with the
CIO’s other priorities. Indeed, given how often CIOs are
asked to cut costs, this issue is quite often an overlooked
source of tension in the reporting relationship. “The
CISO is there to give an independent view of what the
CIO is doing. That’s why the reporting line needs to be
separate,” said one participant at a recent meeting of
the North American and European Audit Committee
Leadership Networks.6
6 “Board and audit committee oversight of cyberrisk,” ViewPoints for the
Audit Committee Leadership Summit, July 13, 2015, available on
www.ey.com.

Overemphasizing cyber and technical qualifications
Yes, cyber savvy does matter for any top security job
today, but it must not eclipse other crucial capabilities —
notably communication, collaboration, influencing ability,
and the candidate’s fit with the organization’s culture.
For example, a CISO who is technically sound but who
has had little exposure to the business, or comes from a
rigid, “security is the only priority” background, may not
be effective at encouraging colleagues to change deeply
ingrained behaviors in order to avoid cyber risks.
To be sure, companies screening CISO candidates
should be aware of the candidate’s technology
credentials and even insist on them. Yet organizations
that view the role solely through this lens, or weight
the technical requirements too heavily, risk a variety of
unintended consequences.
For example, a CISO who puts the board to sleep with
tech talk has just failed and will not be invited back
to the boardroom; one who consorts largely with the
organization’s tech community — and who cannot
speak the language of business — is not doing the job.
Interviewed by Healthcare IT News, Meredith Phillips, CISO
of the Henry Ford Health System in Detroit, explained
what needs to happen: “If we can’t capture the hearts
and minds of individuals that are engaging with data and
systems and applications in order to take care of patients,
no amount of technology that I put in place will ever solve
that problem.”7
Unfortunately, though, CISOs and boards aren’t always
communicating as they should. According to the 2015
US State of Cybercrime Survey, nearly one-third (28%)
of respondents said their security leaders make no
presentations at all to the board, while only 26% of CISOs,
or their organization’s equivalent, provide an annual
presentation to their board of directors.8
By contrast,
forward-looking companies look for smart ways to
introduce CISOs to the board: for example, by bringing
them in to copresent to the audit committee, or by pairing
the CISO with a seasoned executive elsewhere in the
business to learn the ropes of managing a relationship
with the board. Absent a thoughtful approach, there’s
a risk that CISOs will be sent from the “backroom to the
boardroom” too quickly and damage their cause (and
their credibility) in the process.
7 Erin McCann, “Time to ditch the ‘security team of yesterday,’” Healthcare
IT News, Sept 1, 2015, available on www.healthcareitnews.com.
8 “US cybersecurity: Progress stalled. Key findings from the 2015 US State
of Cybercrime Survey,” PwC, July 2015, available on www.pwc.com.
Holding out for the “perfect” security leader
We have seen instances where corporate leaders have
waited and waited and waited in vain in an attempt to
land the ideal security leader — someone who bundles
tremendous risk savvy with executive chops and
collaborative skills and a terrific suite of cyber skills —
only to find that in the interim they lost well-qualified
candidates to more agile companies. One company
we know lost seven months and several candidates in
this way.
For any role, “perfect” is rarely manifested in one person,
and cybersecurity is no different. To our earlier point
about the many different types of CISOs out there, rather
than searching for the perfect candidate, a more practical
approach is to understand the different degrees of fit and
to systematically gauge the candidates’ strengths against
the organization’s future needs.
The CISO role is new enough, layered enough, and
now essential enough that it’s often worth considering
splitting the role among two or three individuals, each
the master of a key component of the job, or to come as
close as possible to the ideal with one candidate and then
complement his or her shortfalls with a highly qualified
second-in-command. The large technology company
that was spinning off a subsidiary took a variation of
this approach. When company leaders realized that
the “perfect” CISO wasn’t to be found, they decided to
spread cybersecurity across three roles — corporate
security, information and application security, and risk
and compliance.
These kinds of composite, flexible approaches may
seem messy, but they will be far better than waiting for a
candidate who doesn’t exist.
The tasks of evaluating, hiring, and placing the right
security chief aren’t easy. They are exacerbated by the
supply–demand mismatch, with demand far outstripping
supply as cyber risks ripple outward from familiar sectors
such as financial services and become headaches for
industrial, governmental, and even nonprofit companies.
But there can no longer be any excuse for inaction by
the board on the cybersecurity front. The SEC has made
it clear that boards are entirely responsible because
enormous risk is involved. Insurers and attorneys and the
NACD are driving that message home. And what matters
to boards matters to executive leadership teams.
It’s past time for business leaders to figure out how to hire
the security chief who’ll keep those risks in check. n

Cybersecurity
For more than a decade, Heidrick & Struggles has developed expertise for finding
talent for cybersecurity roles and security firms of all sizes, with consultants
focused across industries and functions around the world. Our experience includes
placing executives for information security, operational and enterprise risk, privacy,
compliance, and senior leadership roles for firms providing security services,
software, and hardware.
Our cybersecurity team has a world-class knowledge base to advise clients on the leadership they need to
deliver against their security strategy.
For more information, please write
cybersecurity@heidrick.com.

Heidrick & Struggles is the premier provider of senior-level executive
search, culture shaping, and leadership consulting services. For more
than 60 years we have focused on quality service and built strong
relationships with clients and individuals worldwide. Today, Heidrick
& Struggles’ leadership experts operate from principal business
centers globally.
www.heidrick.com
Copyright © 2015 Heidrick & Struggles International, Inc. All rights reserved. Reproduction without
permission is prohibited. Trademarks and logos are copyrights of their respective owners.
hs-00120

Four mistakes to avoid when hiring your next security chief (print version nov 2015)

More Related Content

What's hot (20)

Similar to Four mistakes to avoid when hiring your next security chief (print version nov 2015) (20)

Recently uploaded (20)

Four mistakes to avoid when hiring your next security chief (print version nov 2015)