Bank of America CEO Brian Moynihan recently explained why cybersecurity is the one function within the company with no budget constraints. In pointing out his own firm is now spending more than $400 million per year, he said simply, “You’ve got to be willing to do what it takes at this point.”
At the urging of the board, CEOs are putting a premium on hiring a first-rate Chief Security Officer (CSO) to lead the charge to protect company and consumer data.
I often say that the CSO is the “corporate rock-star of the future” because exceptional ones possess a combination of skills that rarely appear in one person. The qualities that boards are looking for in today’s CSOs reflect the complexities of safeguarding company and consumer data in this new threat environment.
Technical Curiosity is as Important as Aptitude
First, of course, the CSO must be technically adept, with an intuitive understanding of a company’s systems, how hackers might penetrate them, and how to defend against attacks. And because no company, no matter how invested it is in cybersecurity, is fully immune from cyber threats, the CSO must also understand how to detect, contain, and remediate the attacks that do occur.
Beyond technical skill, the CSO must be technically curious. The biggest mistake CSOs make is becoming complacent and thinking they’ve solved the problem they are facing. In this business, you’ve never solved the problem. Instead, great CSOs are always scanning the horizon: They consider what mistakes they may be making and learn from the mistakes that others in their position make. They also never believe that trusting one vendor will solve all problems. While it’s convenient to hand off all responsibilities to a Symantec or McAfee, the CSO role is not about convenience. As I tell CSOs: “You have to try new stuff.” The best-in-breed solution that enables you to quickly detect, contain, and remediate an attack is only useful if you can find it and adopt it. Only the CSO can do that.
The CSO is Chief Politician, Communicator, and Crisis Manager
Technical skill and curiosity are necessary, but they’re not enough. The CSO needs to be politically adept too. CSOs must be organizationally skilled in carving out the security budget, in influencing other verticals within the company, and in earning the trust of top executives. The best CSOs get the company to build in security as a core feature from the earliest stage of product development. We hear this about designers too, but you can have bad design and stay in business; if you have bad security, you’re out of business. So if a company’s task is “selling shoes online,” it’s the CSO’s job to tell the company that the task is now “selling shoes online securely” and to get the company moving quickly in that direction. The CSO must also strike a careful balance with the board, acknowledging the security risks but explaining how they will be managed.
Finally, the CSO must inspire confidence when speaking with reporters and to the public when the inevitable breach occurs. I often say that there are two kinds of companies in the world: Those who’ve been breached and know it, and those who’ve been breached and don’t know it. Customers have demanded more transparency, and President Obama recently proposed a national mandate that would require notifying customers of a breach within 30 days. So the CSO of the future must be a crisis manager, adept at handling the type of breach that spills onto the front pages, solving the problem while projecting calm and keeping the public informed. Put all of this together, and you see why CSOs may soon be the highest-paid executives in the C-suite.
CSOs are Rare – But There’s No Mold for the Model CSO
The good news is that there is no single set of experiences that a great CSO must have. Just as the role of data scientist barely existed a few years ago, the CSO role is evolving. I’ve seen successful candidates from a number of backgrounds. Some come from government, combining experience handling classified data with the know-how from working in agencies with tens or even hundreds of thousands of people. Others have long backgrounds in the corporate world. A few have been in the trenches with startups developing the best-in-breed solutions of the future. So focus less on whether CSO candidates fit a specified checklist and more on how they combine a security background with the attributes needed to push change in the organization.
And while the list of attributes is daunting, know that there are great examples out there – CSOs like Jim Routh at Aetna, James Shira at Zurich Insurance, Phil Venables at Goldman Sachs, and Richard Hale at the Defense Department. They work in different industries, but all are well respected and well spoken, technically adept, progressive with trying new technologies, and committed to holding themselves accountable. Just as the U.S. Air Force began as a unit within the other military services before evolving into the unique fighting force it is today, security has now moved from an organizational feature to an organization in its own right, with companies committing hundreds of millions of dollars to the challenge.
In the current threat environment, with the dangers of cyber attacks rising every day, business leaders must do more to restore trust. It’s time to seek out the CSOs of the future to lead the way.