For boards of directors and leaders across organisations, cyber security is no longer an IT issue but an urgent matter of risk management.
The list of risks is long and continues to get longer: theft of intellectual property, breaches of customer information, denial of service, malicious code, viruses, disclosures of information by disgruntled employees, and more.
Yet for all the sound and fury, many boards and senior management have a hard time fully understanding what needs to be done. Cyber security is a technically complex subject; the IT structure is largely opaque to many.
But this global issue goes far beyond IT — cyber security impacts every action a firm takes. Even the term itself can be confusing – information security, cyber security, information risk management, physical security – all these previously distinct fields are merging together quickly.
The Need for a Chief Information Security Officer (CISO)
Information and cyber security shifts are happening in real time today, and even experts find it extremely difficult to stay ahead of emerging technology. As these complicated issues have unfolded, the leadership talent has evolved and stepped up to the task.
Top consultants and CISOs across the industry are more rounded, with greater business acumen, than in the past. The function, and the need for it, now extends well beyond information security to include risk management, data privacy, compliance, and technology and security operations.
There is especially much more interconnectivity between legal and risk than in the past due to the increase in regulatory pressures.
With new threats appearing at a dizzying pace, developing business processes that can operate in an unsecured world is vital to risk reduction. Beyond reacting to threats, the CISO must also be strategic, acting as an ambassador who represents the organisation's security milestones.
In the next year, security concerns hindering cloud adoption will come to a head. This increased demand for cloud computing will force organisations to find effective ways to evaluate their provider's security controls to ensure they meet requirements, including implementing continuous and secure monitoring. Today, a cluster of disruptive innovations continue to transform enterprise IT, hammering at the very foundations of information security strategies.
Personal Devices and Security Roadblocks:
Information Security teams must work to actively manage the risks of social media, including comprehensive policies and effective security controls.
More employees are using their smartphones and tablets for work, creating a surge of consumer mobile devices accessing corporate networks and storing corporate data. Organisations and leaders within the C-suite (the company's most senior executives) have to prepare for a world where the dominant endpoint is not a desktop, but a mobile device.
Attacks carried out as cyber protests for politically or socially motivated purposes or "just because they can" have increased and are expected to continue.
Common strategies used by hacktivist groups include denial of service attacks and web-based attacks such as SQL injection. Once a system is compromised, the attacker will harvest data, such as credentials, to gain access to additional data, emails and other sensitive information.
The type of data collected and inspected to detect advanced threats will balloon in both variety and volume by 2016, with a focus on finding the needle in the haystack. Security intelligence and cyber-skilled leadership are key factors in helping companies get smart about what is actually happening within their systems.
Investing in Talent:
What do global firms and organisations need?
Today, firms seek senior-level leaders who possess not only the technical know-how but also a keen eye for judgement in high-risk situations. Traits such as leadership presence, regulatory savviness and an overarching vision of the risk framework are examples of the must-have qualities that our clients expect to see in top CISO candidates.
Five years ago, data security barely cracked the top 10 concerns among corporate boards. Today, it's the biggest concern. Throughout the financial services sector, we are seeing unprecedented demand for Chief Information Security Officers.
This is a trend we anticipate will continue to escalate, particularly as data security risk is directly linked to operational risk.
The challenges are clear. Organisations need to take the leap and think creatively about structure and the talent they are putting into these vital roles. It is no longer acceptable to assume someone else is managing this risk.
Boards must be ready to ask the tough questions, while senior leadership needs to fully understand the firm's situation and structure their organisations around that need.
No two of these roles are the same; each has the dial set slightly differently, and the talent in place must match that situation while having the leadership capability to take the organisation on a journey where difficult decisions need to be made.
David Boehmer is the regional managing partner of Heidrick & Struggles' Financial Services Practice for Europe and Africa.