Nickel in demand
technology
them fully to understand the potential impact on corporate strategy.
The CSO’s position must interface with other business areas such as IT, Legal, Human Resources, operations and corporate communications. Therefore, even though heads of IT possibly could take on this role, suitable candidates must have a strong commercial ethos as well, with a global view on the impact of the cyber threat and a solid understanding of the changing threat landscape.
The scope of this level of awareness needs to encompass a range of assets, systems and activities, including some perhaps not previously considered as ‘at risk’. These will include assets held by external organisations – such as suppliers – since attacks frequently come indirectly through these third parties.
Earlier this year, Target, the USA’s second-largest discount retailer, reported that the personal information of as many as 110 million customers was compromised after hackers reportedly installed malware onto the retailer’s point-of-sale machines through one of its suppliers.
Given the need to establish a balance between creating and sustaining a secure environment, whilst also enabling end-users to work unhindered, an experienced CSO should also be a strong team player capable of embracing and managing change and collaborating with others through information and intelligence sharing. Finding someone with the right credentials for the role is a challenge. Growing demand is already outstripping supply of the most qualified people, so CEOs may need to consider executives who have some – but maybe not all – of the skills required, and provide the time and facilities for that person to develop accordingly.
How the board views and responds to the cyber threat is equally important. As with many aspects of the board’s role, this is as much about knowing what questions to ask – and being satisfied as to the quality of the answers – as it is about expert or technical knowledge. Indeed, discussing the technical minutiae is almost certainly not the best use of the board’s time. Rather, and this will become increasingly an issue to be reviewed in annual reports and regulatory processes, the board will need to demonstrate to stakeholders – investors, customers, employees and regulators where relevant – that they are fulfilling their responsibility of assurance: setting the strategic framework and holding management to account.
In the final analysis, the cyber threat is a question of ‘when’ rather than ‘if’, and organisations need to prepare accordingly, even though the nature and target of the threat are constantly changing. What hasn’t changed, however, is the responsibility of security specialists, management teams and boards to provide technical capability, business resilience and strategic oversight respectively.
About the author<br />
Robin Murray Brown
Partner at executive search<br />
consultants, Tyzack.<br />
www.tyzackpartners.com<br />
BE Monthly [ Aug 2014 ] 41