With a number of high-profile security breaches making headlines of late, organizations are increasingly realizing they must beef up their security teams or risk catastrophe. Matt Comyns, global co-head of the Cybersecurity practice at Russell Reynolds Associates, an executive leadership and search firm, sat down with CIO.com to discuss the changing role of the Chief Information Security Officer (CISO), the global cybersecurity landscape and why finding and retaining elite security talent is critical.
CIO: How has the job description for a CISO changed over the last five to ten years?
Matt Comyns: Compared to just a few years ago, CISOs now face a wide array of risks and responsibilities that have significantly increased the complexity of their role. Security breaches at companies like Target and Neiman Marcus have placed these professionals on the front line of defense - and generated significant attention from the C-suite and boardroom. Leading companies recognize that their ability to confront rising cybersecurity risk is driven by the talent of their CISO - and that companies lacking this talent will become increasingly vulnerable.
CIO: What are some of the major challenges faced by today's CISOs, both technical and business-related?
MC: CISOs face a host of new and emerging challenges, including risks generated by the ubiquity of mobile devices, the global scope of information assets, the difficulty of complying with new regulations and the threat of state-sponsored attacks as well as global cyber criminals. In response to these threats, organizations have elevated the role of CISOs to become a direct report to the chief information officer, chief risk officer or general counsel.
CIO: Where do leading CISOs come from? Are there specific technical skills or business backgrounds that make a candidate more suited for the role?
MC: Our research reveals that CISOs have backgrounds that conform to one or more of the following classifications:
Corporate Cybersecurity 'Lifers'
These executives typically hold degrees in engineering or computer science and begin their careers in cybersecurity at large organizations.
Often holding a technical degree in engineering or computer science, these executives normally begin their career in corporate IT and migrate to a specialization in cybersecurity.
Military or Law Enforcement Professionals
These executives begin their careers in military service or law enforcement, gaining technical expertise through on-the-job experience before rising to a senior cybersecurity position within a corporation.
Or Cybersecurity Product Specialists
These executives begin their career with a vendor of cybersecurity products. Similar to military and law enforcement, they also earn their stripes through practical experience before rising to a senior position.
CIO: What differentiates great CISOs from those who are just adequate? What fundamental skills, competencies and experiences are necessary to succeed in the CISO role today?
MC: While strong technical skills are 'table stakes' for success, core leadership and general management competencies make the best CISOs stand out from the crowd. Overall, successful CISOs tend to have the following skill sets in common:
- Business acumen and analytics
- Creativity and innovation
- Business-to-business communication
- Relationships, influence and presence
- People leadership