A SHEFFIELD HAWORTH WHITE PAPER
Why Hiring the Right CISO
is so Hard
And What You Can Do About It
ERIK MATSON,
Managing Director, Global Head of Insurance & Cyber Security Practices
matson@sheffieldhaworth.com | +1 (646) 597-7410
SCOTT SMITH,
Managing Director, Technology, Operations & Cyber Security Practices
ssmith@sheffieldhaworth.com | +1 (646) 597-7411
JOHN BUDRISS,
Executive Director, Technology, Data Science & Cyber Security Practices
budriss@sheffieldhaworth.com | +1 (646) 597-7431
Introduction

With the brand and billions of dollars on the line, cyber security has moved to the front burner for boards and CEOs of financial services firms. One of their most critical decisions? Choosing the right Chief Information Security Officer (CISO). Here’s how to take the uncertainty out of the decision.

The headlines bring word almost daily of major cyber-attacks. The weapons grow more sophisticated while the vulnerabilities grow more numerous. Today’s attackers include not only global super-criminals looking for financial gain but also state-sponsored groups intent on stealing intellectual property and other strategic assets. For financial services firms, the stakes are high and getting higher: potential business disruption, the compromising of customer information, regulatory backlash, damage to the brand, and possible destabilizing of the tightly interconnected global financial system itself.

www.sheffieldhaworth.com
A Shot in the Dark?

Given the threats, it’s no surprise that demand for outstanding CISOs far outstrips supply. But beyond the challenge posed by short supply lurks an even bigger hiring challenge: knowing how to choose the right person for the job. Here’s why it’s so difficult:

The CISO role is relatively new and its definition remains a moving target. As cyber-weapons grow more sophisticated and the dangers greater, the CISO role continues to evolve. In addition to technical expertise, today’s CISOs must also have:

Gravitas and presence to influence people across the firm
Change management skills to keep the organization ahead of the bad guys
Superior relationship-building skills to work with other firms, cloud services providers, law enforcement, government, and cyber security associations and watchdogs

The difficulty in defining the role is reflected in the many different reporting structures in which it is embedded. In some firms, the CISO reports directly to the CEO or the board. In others, the CISO reports to the COO, CIO, Chief Risk Officer, or Chief Security Officer. In organizations that have been slow to adapt to today’s new realities, the role hasn’t been separated from the role of CIO, who must wear both hats.

Most hiring executives, including CEOs, lack a full grasp of what is required in the CISO role. Do you know what a zero-day attack is? An APT? Metamorphic or polymorphic malware? All of these have figured in successful attacks: zero-day exploits and self-modifying malware are the weapons, and advanced persistent threats (APTs) are the well-resourced, patient adversaries who wield them. Most executives have no way of knowing whether a CISO candidate has the experience to deal with them or with all of the other ever-changing and unknown threats that could bring a company to its knees. Should you look for a longtime corporate cyber security professional? An IT generalist? A cyber security consultant? Someone with a military or intelligence background? Add these questions to the challenge of defining the role and the difficulties of this already difficult hiring decision multiply.

Financial services firms are reluctant to share information about cybersecurity. Some information sharing does occur. The Financial Services Information Sharing and Analysis Center (FS-ISAC), for example, provides a central resource for cyber and physical threat intelligence analysis and sharing. Nevertheless, firms are understandably reluctant to admit that their security has been breached, because it tarnishes the brand. They also hesitate to share effective defense strategies, because they regard them as a competitive advantage. As a result, no uniform set of best practices has emerged against which you could measure a candidate’s knowledge and qualifications.

Many financial services firms don’t have a handle on their security culture or needs. Is information security second nature to employees at every level of your organization? Or do many of them fail to follow even the most basic security policies? Do various functions work collaboratively with the information security function, or do they regard it as a nuisance or necessary evil? Do top executives agree about the issues of cybersecurity and how to address them?

Consider the discord and confusion PricewaterhouseCoopers unearthed in its “2014 US State of Cybercrime Survey.” Participants were asked what the greatest obstacles were to improving their organization’s information security. CEOs identified lack of capital funding. CFOs indicated a lack of leadership from the CEO. CIOs and security executives cited a lack of actionable vision or understanding within the organization.
Clarifying the Role and the Hiring Decision

To overcome those considerable challenges, you must bring the CISO role and your firm’s specific needs into sharper focus. How? By taking these critical steps to set the context for cybersecurity in your organization:

Make cyber security a board-level concern. Few board responsibilities are as important as oversight of risk management, especially for financial services firms. If cyber security and its risks aren’t already of prime concern to your board, they should be. The board should not only treat it as a regular agenda item but hear regularly from the CISO.

The board’s role helps clarify the role of the CISO. Directors must make sure that management is addressing cyber security adequately and within the bounds of the risk tolerance the board has established. The CISO is therefore no mere technician, but a critical resource for the board, helping it understand cyber risks in general and in the context of business actions the firm is weighing. Candidates for the role should therefore have business acumen as well as security expertise.

Determine where you currently stand. Identify your crown jewels: your most valuable information assets, from customer and employee information to intellectual property. Then conduct a no-holds-barred exercise designed to expose your vulnerabilities, scoped around those crown jewels so that the findings map to the assets that matter (the exercise might be facilitated by third-party cyber security experts, including certified ethical hackers). Immediately, not months later, follow the exercise with a candid review. Such exercises can be eye-opening. You may discover hitherto unknown weaknesses and, in some cases, exceptional strength.

If security is notably weak, consider CISO candidates who have experience turning around similarly weak organizations. If your security is exceptionally strong, you should seek a CISO who can keep you on the cutting edge. The types of vulnerabilities that you uncover can also figure in the CISO job profile. For example, if you find that the greatest danger lies with cloud services providers or other vendors, your CISO should have experience with supplier management and contracts.

Assess your security culture. The carelessness, and sometimes the malevolence, of employees can be the greatest threat to cyber security. How do employees throughout your organization treat security? What kind of security culture do their actions, along with policies and processes, add up to? If it’s a lax culture, where security is sometimes treated lightly, your CISO will need change management and influencing skills to fix it. If it’s a strong security culture, you have the luxury of seeking a CISO who can focus on more pressing vulnerabilities.

Engaging the board, determining where you currently stand, and assessing the security culture across your enterprise are large undertakings. But with so much at stake, few firms can afford to do less. Talent will continue to be scarce and threats will continue to multiply. Firms that know precisely what they need will waste less time looking in the wrong places and, ultimately, better prepare themselves to fend off ever more sophisticated attacks, protect their most valuable assets, and win the enduring confidence of customers and investors.
