And there's little question of that. The share of phishing email messages that were opened hit 30 percent this year, up from 23 percent last year, according to Verizon's 2016 breach report. Moreover, the gap between the time to compromise and the time to discovery rose from 62 percent in last year's report to 84 percent this year.
But most companies are tightening their purse strings and hedging their bets that they won't be breached. Comyns says a typical hiring search goes like this: Some executives will say they need a CISO who satisfies 10 requirements. They'll ask what the market value is, and when they hear the $1 million-plus salary range, they'll say, "Don't bring in someone too high-powered, we're playing with bows and arrows, not bazookas. I don't want to frustrate someone who won't be satisfied with our pace of change." When Comyns hears that, it gives him pause: "My concern is that in more difficult economic times, the progress is being stunted."
What you want in a CISO
Companies should hire CISOs who strike the right balance of business leader and risk assessor, says Chris Patrick, head of Egon Zehnder’s global CIO practice. You want someone who can architect a comprehensive security architecture and explain it clearly to the board when called to do so. And you want someone who can coordinate communications among the C-suite, general counsel, media relations and other necessary parties to respond to a cyber incident, Patrick says.
Egon Zehnder consultant Kal Bittianda says a CISO must understand the issues and know what data is important to protect, but they needn't be the most tech-savvy leader on staff, that is, familiar with all of the latest detection analytics and other emerging technologies. Bittianda says it is better to hire a strong executive who has the ability to influence key strategic leaders in the business, and surround him or her with technical whizzes who know what tools to apply and how.
Choosing the right CISO is a matter of culture fit. Bittianda says there are two CISO archetypes: Those who run to the fires and those who run from the fires. Some CISOs prefer to build a cybersecurity program from scratch and then move on. Others prefer to come in after a breach because they will be more likely to enjoy an increased appetite for cybersecurity investment, as well as influence.
Patrick says that with such high demand for security leadership roles, price tags are going up and people are changing jobs fairly regularly. As a result, it's also imperative for companies to help themselves by grooming cybersecurity leaders in house. "It's an arms race and you've got to build capabilities internally as well," Patrick says. "You can't hire your way out of this problem."