Some Thoughts to Guide Corporate CXO Teams Unwrap the Cybersecurity Staffing Mystery
Students of history might recognize that I draw my title from Winston Churchill’s now famous remarks of October 1st, 1939, broadcast across Great Britain on the BBC one month into the War, referring to Russia as “. . . a riddle wrapped in a mystery inside an enigma . . .”.
From my many discussions with executive leadership teams, it may be said that cybersecurity in many quarters is viewed similarly.
And why is that? Corporate leaders—CXO and Board members—by mandate develop, implement and execute near and long range strategic plans largely based on ‘known knowns’. Contingencies are built into these plans in anticipation of ‘known unknowns’. But what about the ‘unknown unknowns’ (to borrow from a theoretical litmus test used by NASA senior engineers and scientists)?
It is in our human nature to cherish and thrive on good news . . . and to feel quietly comforted when the path ahead is known, free of conflict and surprise. But many/most of us, at our basic level, don’t feel comfortable operating with uncertainty, maneuvering in the absence of information. Lack of certainty often results in quiet panic. . . which leads to lack of action.
By contrast, exceptional leaders are intrinsically wired to draw from prior experience to contend with bad happenings on the horizon and even pending calamity right around the corner, creating and driving alternate solutions for a successful outcome. No sailor feels at ease navigating uncharted waters; but the veteran captain tucks fear aside and steers the ship with a nuanced but firm hand at the rudder . . . a steady hand that is innately linked to keen situational awareness, decisiveness and clear communication.
The cyber threat is real and pernicious. But in large part we, as the broad collective corporate leadership community, don’t quite know what it is, what to do about it, or what specifically it means for our respective organizations.
To break through this cyber inspired inertia, we might just have to take the proverbial ‘plunge’ . . . dive right in and take things as they come. Usually (albeit not always) partial solutions are better than no solutions, and lead to new and better partial solutions . . . and so on.
You’ll excuse the worn out phrase . . . But with cyber, we truly are operating in a new paradigm. Therefore we must attack it with confidence in new, different and innovative ways. The one big upside in operating in an entirely new and unknown environment, against a heretofore unseen (aka unknown) challenge, is there are no hard ‘right’ answers written in stone. We can be creative; and maybe even make a few wrong turns along the way. Again, this is all very reasonable and practical when the alternative is to do nothing. Little by little we’ll figure this ‘cyber threat thing’ out. To be sure, it’s going to take a long time; probably at a minimum an entire generation until we can collectively say ‘the bad guys have lost . . .’. Indeed a more likely end result will be ‘the bad guys are not winning . . .’ or more realistically ‘. . . the bad guys are contained . . .’.
Back to Churchill. From a cyber headhunter’s perspective, cyber threats are the ‘enigma’ and cyber solutions are the ‘riddle’ . . . Hence, how we staff amidst this new threat environment is the ‘mystery’.
Presently corporate leaders are at a fairly significant crossroads with regard to recruiting cybersecurity talent. From my own survey of the corporate landscape these past 18-24 months alone, notional demand for security professionals is indeed high, across all corporate levels and particularly at the senior manager/decision-maker level. But senior leadership at many of these same organizations is altogether sidestepping, rather than confronting and addressing, its cyber staffing challenges, in large part because it is resigned that adequate solutions “do not exist”.
This stance, though, is based on perception . . . not necessarily fact. Further, it misses the hidden force multiplier opportunity for companies to add to their next generation leadership pipeline.
There are in fact viable and actionable solutions to meet the cyber staffing challenge. As I initially referenced two years ago (see April 2014 National Cybersecurity Imperative. . .), first and foremost corporate executive leadership teams should/must view the cybersecurity challenge as simply another form of business risk . . . versus some purely high tech threat emanating from the ether. As we all know, the risk function of any/all corporate organizations resides with the CFO, working in tandem with the CEO and Board. Many larger companies also deploy chief risk officers (CROs) to bolster and strengthen the day-to-day risk management function. By definition, then, CXO teams and their Boards are well-versed and practiced in risk mitigation. Indeed, navigating financial and reputational risk is embedded in their essential fiduciary responsibility.
Viewed through this risk prism, perhaps we can more clearly see potent ‘alternate’ solutions to meet the urgent cyber staffing challenge that seemingly dominates.
Let me suggest a quick Chief Information Security Officer (CISO) case study to illustrate my point. . .
It wasn’t too long ago that CISOs in general were perhaps not paid due attention by their senior management. More recently, and in a relatively short time, the cyber risk mitigation function has risen in prominence and stature and widened in scope within corporate organizational structures. Almost overnight, CISOs have been called on to . . . think strategically . . . communicate across the entire organization . . . support and service all business units . . . brief their Boards . . . defend the perimeter (e.g. ‘don’t let the bad guys in’) . . . and in doing so neither obstruct nor impede their company’s day-to-day business cycle. Hmm . . . Sounds a lot like a senior business unit manager position specification. In any case, a tall order by any measure.
Some uber-talented, forward thinking CISOs have been doing this all along; good on them. Others possess the latent capability to rise to the challenge, and they should be encouraged and applauded. In both cases, these CISOs likely will have already been proactively and aggressively locked in by their respective companies with new and attractive terms. As well they should. A great many more CISOs, however, simply do not possess the training, experience or innate situational awareness to meet this higher bar. This is not entirely their fault; rather it’s largely a case of the gap becoming too wide too fast. What to do?
What about that tech-savvy COO at a same-sector Tier 2 platform—someone who very likely fundamentally understands corporate risk? Or what about the talented CFO who works risk mitigation day in, day out at a same-sector Tier 3 company—whose CIO has dotted line reporting into her/him? Perhaps both the COO and CFO here quietly seek to elevate to a same-sector Tier 1 and Tier 2 platform respectively. A lateral move—e.g. slotting into the higher echelon COO/CFO seat on Day 1—is unlikely.
Fewer than ten years ago, that COO or CFO candidate rightly would never have considered nor even contemplated a CISO mandate if presented, even as a highly attractive offering by a Tier 1 competitor company. Given the relatively lower importance/influence weighting perceived of the CISO mandate then, such a move would not at all have been career enhancing.
Fast forward . . . The paradigm has shifted—and we’re at an entirely different place today. Driven by the cyber menace onslaught, the CISO (and/or CSO) position is now a dynamic mandate; one that carries significant importance and influence within a company’s leadership team. And we see that it is being coveted by a widening candidate pool. Hence, in the absence of a deep pool of talented and ‘recruitable’ lateral hire CISO candidates, there are quality COO and CFO candidates who are and will increasingly be drawn to these new CISO opportunities. These ‘alternate’ candidates therefore should and must be included in the target candidate list.
This scenario presents an important added advantage for companies. That is, companies gain another channel for adding to and developing their senior executive leadership ranks. With the benefit of 2-5 years added experience as that Tier 1 company’s CISO, the same highly talented former Tier 2 company COO is now well positioned (internally) to gracefully transition to the CRO or COO seat when called. The same holds true for the Tier 3 company CFO who is recruited by the Tier 2 company as its CISO; in time a seamless and smooth move to COO and ultimately CFO awaits.
Some readers here may recall, from the early 2000s post Enron+WorldCom, a chief compliance officer (CCO) recruitment surge by many US organizations across sectors and regions. Without going into great detail, seemingly overnight the CCO mandate was rewritten with a law degree as the new priority requirement. With that, the CCO mandate gained in prominence and garnered wide attention and interest. I myself happened to be very active in this CCO recruitment movement. Many/most CCOs up to then had not attended law school. Thus, as defined by the ‘new’ CCO remit, I needed to move beyond the traditional lateral hire CCO target list and widen the candidate pool. We principally vectored to law firms and federal agencies, along with assistant chief legal officers at peer competitor companies. Suffice it to say, we pushed through the initial staffing hesitancy and inertia (borne of uncertainty) felt by key parties and achieved marked success by tapping these ‘alternate’ profile candidates.
The cyber staffing imperative today is much more complex and cumbersome than the CCO recruitment challenge of over a decade ago. But the approach is distinctly similar and thus a useful reference point . . . thoughtfulness, expansiveness, creativity and transparent messaging.
The essential service of any thoughtful headhunter is to develop and present to her/his clients relevant, exceptionally talented and highly vetted options that support and enhance their client companies’ strategic momentum. And really that’s all we’re suggesting here . . . A roadmap for expanding and deepening the candidate pool from which to draw a wide and diverse slate of highly qualified target candidates.
These and other alternate cyber risk recruitment solutions will require creative thinking, open-mindedness and close collaboration among all stakeholders. We do this . . . And we can collectively take a big leap forward in attacking the pressing cyber challenge before us.