Executive Monitor



Volume 2 : Issue 4 : 2015

Cybersecurity & Risk Management


As technology has evolved and grown increasingly powerful, cyberattacks from malicious individuals and organizations have escalated, both in frequency and magnitude. Thus cybersecurity has become a hot topic for discussion over the past few years among governments, companies and other organizations. Cyber threats are now an undeniable reality, and attacks can originate from virtually anywhere. Businesses, especially, are seeing increasing threats to their systems and looking for ways to protect their data and the data of their customers.

“In North America, and certainly in Canada, there is a dearth of talent in the cybersecurity sector. The competencies required are highly specialized, and at the senior level it’s not just having someone who is technologically savvy. The cybersecurity leader must also be well versed in enterprise risk management, corporate governance and in the overall business objectives. For those reasons, compensation levels have soared

Kevin Gormely, Partner, Boyden Toronto



Due to increased threats to organizations, the cybersecurity market has grown a great deal in a short time, and is expected to continue on this upward trajectory in the coming years. The estimated $75 billion global industry is anticipated to be valued at $170 billion by the year 2020. Specific areas most likely to grow include security analytics, threat intelligence, mobile security, and cloud security. 1

Cyber threats are evident across industries globally; however, some markets place a higher priority on security initiatives than others. North America and Europe, in particular, lead as revenue contributors, and Asia-Pacific is likely to become the go-to market for solution providers. By industry, “the aerospace, defense, and intelligence vertical continues to be the largest contributor to cyber security solutions.”

There is increased deal and M&A activity in the industry as well. Deals in the millions of dollars or more are now more common. Additionally, seven-figure deals have increased by 40% since last year. 2

The vast majority of companies and organizations (91%) have at the very least adopted a security framework. More than two-thirds use cloud-based cybersecurity services (69%) and over half (59%) leverage big data analytics for security. Furthermore, a greater percentage of companies and organizations are collaborating with each other to “improve cybersecurity and reduce cyber-risks,” at 65% today compared to just 50% in 2013. Partnership has its benefits, as companies claim working together “allows them to share and receive more actionable information from industry peers.” 3

Additional insights from cybersecurity and risk management experts in the US and Europe are featured in a sidebar discussion with FTI Consulting on page 17.

Survey says: cyberattacks on the rise, cybersecurity slowly becoming a priority for companies and










A 2015 survey from the Organization of American States reports that over half of its Member States have noticed an increase in incidents to their computer systems over the past year, while only 7% report a decrease. There is an overall consensus and awareness that threat levels are high. Additionally, three-quarters of respondents report that attacks against infrastructures are becoming more sophisticated, with only 5% saying the opposite. 4

No industry is immune. While organizations in the government and energy sectors are targeted most often, the areas of communications, finance and banking, security, and manufacturing also face significant challenges. 5 This indicates that there is not one “safe” industry; all must be alert and proactively protect their information and the information of their customers.

“Now more than ever before, because so many high-profile companies have suffered severe security breaches, these critical technical skills are in serious demand to ensure companies are able to save themselves from meltdown. Unfortunately, too many INFOSEC professionals have traditionally come up the audit route and don’t combine the tech savvy with the business nous. It’s the classic dilemma, because someone who’s very talented technically often doesn’t carry the senior executive skills necessary from a business

Vicky Maxwell Davies, Partner, Boyden London










Threats appear through a variety of tactics. Phishing is the most common type of attack used against organizations, at 71%; however, many other methods are also popular, including attacking unpatched vulnerabilities, DDoS, SQL injection, cross-site scripting, and hacktivist-originated attacks, among others. 7 This varied arsenal highlights the fact that hackers are growing increasingly sophisticated, and organizations must enact and enforce greater security measures to protect themselves.

“First and foremost, it’s the board’s responsibility to challenge management to understand the strategic and systematic nature of an organization’s cyber risk vulnerability and properly allocate resources for risk management. It’s also important to create awareness holistically within a company, going beyond IT to include all executives, HR and team members to treat data with the highest level of security. Management must understand that this issue is about people and behaviors, not just technology.”

Richard Fudickar, Managing Partner, Boyden Germany








As the chart below (left) indicates, a majority of organizations in both North and South American countries are only somewhat prepared to handle cyber incidents. In fact, there are five nations that say they are unreservedly unprepared, and only two that say they are prepared.

Moreover, government organizations in the countries that say they are only somewhat prepared have not increased their budgets for cybersecurity at all over the past year. These include the U.S., Mexico, and Colombia. Since most attacks cannot be detected using traditional security measures, an increased cybersecurity budget to enable the implementation of new tools is truly vital. 9 This disconnect should be a red flag to companies and organizations. It is imperative that resources be allocated to cybersecurity efforts.

Most organizations surveyed (69%) report that they have a cybersecurity awareness program for employees. However, only about half have a disaster recovery plan or a cyber incident response plan, and just over one-third say they have adopted industrial security standards. 10 These underwhelming levels of preparedness again indicate that while companies and organizations realize the potential threats and do not feel prepared, they are not taking the necessary steps to better position themselves in the face of threats.







According to a survey of 10,000 IT and security decision-makers, conducted by PwC in conjunction with CIO Magazine and CSO, spending on information security is up year-over-year, and “financial losses from cyberattacks have decreased from $2.7 million in 2014 to $2.5 million this year.” As the chart above indicates, 87% say they have seen at least one or more security incident over the past year, and roughly one-third say they have seen 50 or more incidents at their company or organization. 11

“It’s not a question if 9-11 will be repeated, but when it will be repeated. It may not be the same thing as the 9-11 event at the World Trade Center, but it will be similar. Next time it will more likely be of cyber origin, affecting power grids, financial exchanges, transportation assets or public health infrastructure instead of a building tower. The problem remains that key law enforcement and intelligence communities are silo-focused. Unless companies and government agencies take a holistic and focused approach to national cyber risks, we are likely to see a disjointed and ineffective response to a

Tim McNamara, Managing Partner, Boyden Washington D.C.

“We are looking at a completely new paradigm for security. When you add always on, always connected and couple all of that with the fact that we no longer are keeping data in our own premises, it completely changes how we have to do security.”

–Tyler Shields, Security Analyst at Forrester Research


There are numerous reasons for attempts to breach security. According to a survey conducted by FTI Consulting targeting employees in the UK, financial motivation is not necessarily the primary driver behind cyber theft. Employees are actually more likely to steal data from their company when they feel disengaged, rather than solely for financial gain. That, coupled with the finding that most employees don’t expect to be with their employer for more than five years, sets the stage for disgruntled employees being capable of cyber theft. To combat this internal issue, executives must make employee engagement a part of their cybersecurity initiatives and programs. 13









“While most organizations have training programs about data risk, our research found 65 percent of employees believe these programs are not adequate and 69 percent believe the greatest threat to data security is still posed by their colleagues.”

–FTI Consulting


Risk Management

“Boards of directors and executives face a tremendous challenge in identifying, assessing, and managing risks that may affect – both positively and negatively – the organization’s strategic success.” 15

Risk management initiatives also warrant greater attention. In a survey conducted recently by the AICPA (American Institute of Certified Public Accountants), Chief Financial Officers (CFOs) and equivalent senior executives reveal some insight into their companies’ risk management policies, procedures and initiatives. The survey found that nearly six in 10 say that the volume and complexity of risks have evolved over the past five years.








And, 65% were caught off guard by an operational surprise – this is even more so for large organizations and public companies. The survey also uncovered that only one in four is confident that their organization has a “complete formal enterprise-risk management (ERM) process in place.” This is consistent with last year’s findings, indicating that ERM has not been a top priority for executives and no significant developments have been made year-over-year. In addition, less than a quarter (23%) say their organization’s level of risk management is “mature” or “robust” – this is slightly higher for larger companies, public companies, and financial services organizations, at one-third. Additionally, over half of respondents say their organization’s risk management process is not viewed as a “proprietary strategic tool.” 16

Nearly seven in 10 say that their board of directors desires increased involvement from senior executives in risk oversight. However, only one-third have a dedicated Chief Risk Officer (or equivalent), and just 45% have a risk committee at the management/executive level. 17

“With the globalization of businesses and trade, the CSO has to be a global executive capable of developing strategies and implementing programs globally, not confined to his or her territory. The cybersecurity threat can be initiated from anywhere and thinking locally is not an

Magdy El Zein, Managing Partner, Boyden Middle East

“Risk managers have been concerned about being marginalized in their organizations. For years, they have fought for acceptance by upper management to get their distinct perspective and abilities absorbed into the senior decision-making process. Now, in light of current events, more risk managers are taking their seat at the table, and are being tasked with demonstrating how they can safeguard organizations and impact bottom-line performance on a strategic level.” 18

– Bill Coffin, head of publications for the Risk and Insurance Management Society


CEO Sentiment

“The central role of information places cyber security squarely on the CEO agenda.”


The C-Suite recognizes the significance of cybersecurity and risk management. According to PwC’s 18th Annual CEO Survey, Chief Executive Officers have grown more concerned with technology-related threats over the last year. 61% of CEOs say they are concerned about cyber threats – including lack of data security – compared to just 48% a year ago. And, cybersecurity technologies are considered a top priority, with nearly eight in 10 CEOs ranking this as strategically important for their organization. 20















“Organizations are intensively seeking senior cyber talent, though they are having a difficult time finding the right candidates. It’s a very complicated sector with bifurcated responsibilities. Consequently, there are multiple strategies to address cybersecurity needs among the commercial, military and defense, and intelligence sectors.”

Tim McNamara, Managing Partner, Boyden Washington D.C.

Role and Perception of the CSO/CISO

The Chief Security Officer (CSO) or Chief Information Security Officer (CISO) can be a powerful position at companies and organizations that make security a priority and allocate proper resources to its enforcement. Unfortunately, CSOs/CISOs are not always given the esteem they deserve, and are not always considered an equal and integral part of the C-Suite.

The position faces many challenges. There is a general feeling among CEOs and others in the C-Suite that CISOs would be unlikely to succeed in other leadership positions outside of information security. 21 This could be related to the technical nature of the CISO’s role, as compared to other C-level functions. Moreover, blame is often cast on the CISO following any breaches of security within the company. In fact, in a survey by ThreatTrack Security of C-level executives at companies that employ a CISO, 44% say that CISOs “should be accountable for any organizational data breaches.” And surprisingly, more than half of respondents (54%) say CISOs should not make purchase decisions for cybersecurity-related expenses. 22 This disconnect, where CISOs do not have decision-making authority but are blamed when issues arise, can be a significant barrier within organizations.







As the pie chart indicates, only one-quarter of C-level executives agree that “CISOs should be part of an organization’s senior leadership team,” with three-quarters disagreeing. And, regarding CISO decision making, another quarter (28%) say that “a decision by their CISO has hurt their business’ bottom line.” 23

Despite the general lack of confidence and respect for CISOs in the recent past, this notion is slowly beginning to change. For example, in the same survey, half of C-level respondents say that CISOs “provide valuable guidance to senior leadership related to cybersecurity.” Additionally, one-third say that CISOs are “being hired to address critical gaps in organizations’ information security capabilities.” And, CEO respondents were more likely to say CISOs should have decision-making authority compared to COOs and CFOs. 24

Only 26% of C-level executives agree that CISOs should be part of an organization’s senior leadership team.

“In the not-so-distant past, the chief information security officer seat at the executive table was tentative at best. The role was seen as necessary – we need someone to lead our security efforts – but also tactical.” 25

“Companies that have embraced the strategy of giving the CISO a seat at the executive table are better equipped to prepare for any breaches in cybersecurity. Increasing resources, including hiring the strongest CISO available, is a worthwhile investment.”

Ken Rich, Partner, Boyden New York

As CSOs and CISOs aspire to find their place in the C-Suite, shifting from technical conversations to those focused on business strategy will be critical. A successful CSO/CISO can translate the work they do in a way that CEOs, COOs, and CFOs will understand and find valuable. Additionally, there is a certain perception that the CSO/CISO creates roadblocks because of the layers of security in place. However, they must find ways to enable new technologies, rather than saying “no”, in order to facilitate business and add value in their organization. Another underutilized strategy that can aid CSOs/CISOs is partnering with the company’s internal marketing department. Educating the marketing team, who can often be the biggest security risk due to the public-facing nature of their work, and other employees will be a step in the right direction in achieving company-wide buy-in for increased security efforts. 26

Maintaining corporate reputation is a significant task for the CSO, due to the natural business impact of cyberattacks. While breaches are ultimately inevitable, the manner in which a company responds to a breach is truly a test of brand reputation and customer loyalty. 27

A CSO must be technically skilled in order to understand security systems and think like potential hackers. They must also understand how to detect attacks that do occur, and then contain and remedy them. Additionally, it is imperative that CSOs be technically curious and never complacent. They must always be thinking ahead about the next threats and new ways to prevent them. The CSO is also tasked with speaking to the press and other stakeholders when breaches occur – therefore they must inspire confidence and trust that the company is handling the situation in the best possible way. 28

















Over the next few years, the role of the CSO/CISO will shift to focus on holistic business strategy and communication to a greater extent. CSOs and CISOs are likely to come from more diverse backgrounds and from different industries and areas of expertise. While they may be slightly less technically skilled than their predecessors, they will have other important leadership and management skills that are also necessary in this transforming role. The responsibilities of the role will evolve as well; however, the immense pressure the job currently comes with is unlikely to abate. 29

“Boards, CEOs and CIOs should be proactively assessing risks with a constant sense of urgency. The costs of data breaches affect not only IT operations but also impact reputation, client relations, suppliers, partners and other stakeholders, in addition to the consequences with

Francis Vaningelgem, Managing Partner, Boyden Belgium &


“New CISOs originate from other areas of the business already aligned to risk. Fewer will originate from an audit and compliance background but a closer understanding of legislation, governance and ultimately risk is important with a necessary skillset to demonstrate understanding in this area. The traditional route to the role of CISO may also continue with technical, consultant and adviser skills all considered as a good background to the role.”

–Neil Thacker, Information Security and Strategy Officer, Websense


Expected Trends

As cyberattacks and data breaches grow more ubiquitous, the demand for cybersecurity professionals dramatically increases. According to the Cisco 2014 Annual Security Report, there is a worldwide shortage of information security professionals, with 1 million open positions. 30 According to the 2015 (ISC)2 Global Information Security Workforce Study of 14,000 security professionals, 31 the information security workforce shortfall is widening. In 2015, 62% of survey respondents reported that their organizations have too few information security professionals, compared to only 56% when the survey was last conducted in 2013. The reasons for the dearth also changed. In 2013, budgetary restraints were the main reason cited for a lack of security staffing, but as the economy has improved and organizations have placed greater priority on security measures, the main rationale cited for the shortfall in 2015 is a lack of qualified candidates.

In this landscape, there has been a rise in CISO and CSO hiring within the executive suite, and there are no signs of a slowdown anytime soon. Companies recognize that cybersecurity is not simply a function of the IT department, but rather an area that warrants focus in and of itself. 32 To effectively build robust network security programs or enhance preexisting ones in a risk-fraught world, companies across all industries are targeting leaders that can adapt at a moment’s notice. 33

CSO Qualifications

“Often one vulnerability could cost over $100 million for a single breach, so if you’re good at cybersecurity and related areas, today you can demand what you like.”

Vicky Maxwell Davies, Partner, Boyden UK

There is no definitive career path to becoming a CISO or CSO. In general, the ideal candidate must be well-versed in all parts of a business, not technology alone. According to Bruce Schneier, CTO of Co3 Systems Inc., “If you want to be a CISO you need tech skills and people skills and that’s pretty hard to find.” 34 CSOs will not only need to be able to communicate to the IT department, but also to the C-Suite, the legal department, and even the PR/marketing department, in the event of a crisis.

Additionally, CSOs need to be able to keep up with ever-evolving technological and political landscapes. On the technology front, cloud computing, BYOD (bring-your-own-device), and mobility trends in the workplace are constantly forcing companies to rethink their practices as the boundaries between corporate networks blur and the outside world poses new security challenges. 35 A CSO must have the skillset to protect valuable company systems and data as technology changes and is adopted. On the political front, a CSO must be able to deal with the issues related to compliance with corporate security policies, especially when it is difficult to limit corporate use of cloud computing to approved certified cloud providers and very simple to access work emails on a personal cell phone. 36 In today’s workplace, CSOs must create a secure environment while also giving employees some level of freedom and flexibility.

Prior leadership experience and certain credentials are also desirable in a CSO candidate. While it is not required to have served on the executive board of another company, having expertise on a smaller scale as a project manager, technical lead, or even a mentor to a team helps candidates stand out. 37

“In life sciences and healthcare, cybersecurity is a high priority, though international Swiss companies tend to be better prepared to tackle the issues than local players. In addition, more executive committees and supervisory boards are focused on better collaboration in terms of cybersecurity strategy, particularly given the increasing threats to patient and other sensitive data. An important part of this stronger focus includes the right people, and that often means new talent with the right skills and experience.”

Sabine Brunthaler, Partner, Boyden Switzerland

With respect to formal education, organizations may look for candidates with an undergraduate degree in computer science, information security, IT management, or another related field, as well as a graduate degree such as an MBA. 38 Proven technical and business acumen demonstrate an ability to understand how cybersecurity fits into the greater context of a company’s operations. Certifications, such as the Certified Information Systems Security Professional (CISSP) credential, are also viewed favorably. According to Certification Magazine, a “CISSP [credential] is to information security what the CPA is to accounting. While job descriptions might not state a formal requirement for the credential, candidates lacking the certification face an uphill battle.” Furthermore, ISACA’s Certified Information Security Manager (CISM) certification – which requires passing a 200-question exam on security governance, risk management, security incident management, and compliance – may also enhance the qualifications of a CSO candidate. 39

Lastly, CSOs must be able to establish a sense of authority within a company and be a cultural fit. 40 Along with the other executives in the C-Suite, CSOs must exert influence and have a public presence within the company.

Industry Focus: Healthcare

While obtaining financial data is often the primary goal for hackers, some now methodically attack medical data. 41 Because credit card companies, banks, and financial institutions have been a target for many years, they have evolved and have learned ways to protect customer data and prevent cyberattacks. However, the same cannot be said about institutions dealing with medical data, such as insurance companies and hospital systems. The argument can also be made that medical data are far more valuable than a stolen credit card, making them even more enticing for hackers. 42

Despite the potentially straightforward solutions that now exist, there are industry-specific complications that make cybersecurity initiatives challenging to implement for healthcare enterprises. For example, each insurance company, hospital, clinic or office has its own system and interface. Implementing cybersecurity solutions will not be seamless across these often different platforms, and yet these organizations work together and share data, leaving apparent holes of which hackers can easily take advantage. Adding to the dilemma, the Affordable Care Act requires electronic health record implementation. 43 Together, these issues make cybersecurity initiatives a challenge for the healthcare industry, despite the growing need for security.

According to a survey from the SANS Institute of professionals involved in promoting better security and privacy in healthcare organizations, the industry faces some significant weaknesses. More than four in 10 respondents say that current data breach detection solutions are ineffective; over one-third say training and awareness initiatives are ineffective; and over half consider the negligent insider as the chief threat. Survey respondents are aware that there is a deep need to increase cybersecurity efforts and make them a priority. Respondents also display consensus in reporting drivers of security and compliance, which include the following:

1. Complying with standards and regulatory requirements (HIPAA, PCI, FISMA, FDA)
2. Ability to respond to new or emerging threats or advanced persistent threats
3. Ability to recover quickly from a breach incident
4. Assuring resiliency of IT operations
5. Managing the workforce, including security training and awareness
6. Improving efficiency and lowering the cost of IT operations
7. Supporting consumer-facing applications (patient portal, mHealth, wearables)
8. Managing vendors and business associates
9. Adopting or developing mobile health initiatives (mHealth)
10. Supporting new cloud applications (electronic health records, health information exchanges)
11. Supporting telemedicine/telehealth 44

“Cybersecurity has become a critical focus and top priority for all financial services firms. It is no longer ‘if’ they will get attacked – it’s when and how often. Firms, until recently, reacted in crisis mode, but are now hiring top talent, brilliant technologists to put standards and processes in place to be ahead of the hackers and protect their customers. This will remain a priority as technology is

Jeanne Branthover, Leader of Boyden’s Global Financial Services Practice and Managing Partner, Boyden New York

Industry Focus: Financial Services

The financial services sector has been a target of cyberattacks for many years, since the types of information to which banks have access are both highly confidential and valuable to hackers. Regulators have stressed the importance of taking risk management very seriously. 46 According to PwC’s State of Information Security Survey for 2016, three key findings stand out for the financial services sector in the coming year.

First, assessing third-party security capabilities will be a challenge. Because financial services companies share data and information with third-party vendors, it is important to be aware of vendor security efforts. Second, the use of mobile devices and apps for banking and payments has significantly increased among consumers, and these transactions must be secured. This is a major priority for financial services companies, and advanced authentication is one way in which they have begun to minimize risks. Finally, financial services companies are concerned with complex attacks from abroad. Some actors appear to be working in conjunction to attack companies, and there is speculation that organized crime in other countries is entering the realm of cybercrime. 47

“There has been a great degree of formal and informal cooperation among the large Canadian financial institutions around cybersecurity issues including the sharing of information and best practices. There is recognition by these organizations, many of which are direct competitors, that they are all likely to be victims of a cybersecurity breach at one time or another. These players recognize that in the case of cybersecurity, it’s preferable to cooperate rather than compete.”

Kevin Gormely, Partner, Boyden Toronto

Some financial services firms are proactive on this front, even using cloud-enabled cybersecurity tools and services and big data analytics, as well as advanced authentication and biometrics. 48 In fact, Bank of America, under the direction of CEO Brian Moynihan, says there is no spending limit for its cybersecurity team. Moynihan says the bank will spend approximately $400 million on cybersecurity this year. He explains that while this policy is rare and even unprecedented, it is imperative in order to prevent financial and customer data from falling into the wrong hands. 49

“I go to bed every night feeling comfortable that the group [cybersecurity team] has all the money – they never have to ask. The only place in the company that doesn’t have a budget constraint is that area.”

–Brian Moynihan, CEO, Bank of America

Industry Focus: Consumer & Retail

The consumer and retail industry has also been a target of cyberattacks in the recent past. As technology and the use of mobile increase, more customer data and payment information are at risk. In fact, in 2013, 95% of attacks were in the consumer and retail sector alone. 50 Understandably, these breaches significantly impact consumer confidence, which also negatively impacts the bottom line. For example, one company saw a 46% drop in profits immediately following a data breach. Despite the clear risk for retailers, companies in the industry have been slow to adopt cybersecurity strategies. This is especially perilous considering that the majority of attacks originate with outsiders who attempt to penetrate company networks, and succeed. 51

“The financial and reputational damage that can be inflicted on a retailer by a major security breach can be so severe, and so destructive, as to approach the financial and reputational damage a commercial airline might suffer from a serious accident.”

–IBM’s Global Retail Solution Lead

One strategy that banks and credit card companies are utilizing increasingly to make transactions more secure is two-factor authentication. Retailers adopt this method to protect customer payments, especially when transactions are completed online or via mobile. 52 A few more of the largest priorities and expected trends through 2016 in the industry include:

• Real consumer protection over “empty” marketing promises
• Investment in technology to increase security from store to mobile to the cloud
• Providing end-to-end payment security (EMV, ApplePay)
• Protecting company profits by reducing fraud
• Upgrading point-of-sale systems
• Increasing transparency 53

The following firms epitomize the changes taking place across a set of diverse industries facing cybersecurity threats.

Uber is a US-based transportation company that connects millions of riders to drivers through a mobile app. Currently, the company is valued at more than $50 billion and operates in 300 cities across 56 countries. 54 In April 2015, the company hired Joe Sullivan, former Facebook Security Head, as its CSO. At Facebook, Lynch helped defend the company from hackers looking for users’ valuable personal information, and prior to that, he led security operations at eBay and PayPal and prosecuted cybercrime at the Department of Justice. 55 His hire indicates that cybersecurity has become a greater area of focus for Uber as the company rapidly expands along with their data infrastructure. 56

“I’m excited about Uber’s mission of revolutionizing transportation and, like Travis and the leadership team at Uber, firmly believe building world-class safety and security are critical to that mission. I had the good fortune to work at two amazing companies – eBay and Facebook – when they were growing rapidly. I look forward to bringing the best practices that I’ve learned along the way to Uber and doing defining work in bridging the divide between the digital and physical worlds. There’s a great foundation of safety already in place; my goal is to make it even stronger.”

–Joe Sullivan, Chief Security Officer, Uber


In June 2014, Target – the second-largest discount retailer in the United States – hired Brad Maiorino, who served as a CISO at General Motors and General Electric. At Target, he oversees the company’s information security and technology risk strategy. He came at a crucial time in Target’s history, as the company had previously experienced a data breach that impacted the payment card data and information of millions of customers. He reports directly to the CIO. Maiorino’s appointment underscores a concerted effort to overhaul the company’s information security practices and have an advocate for IT security investment at the executive level. 57

“Having led this critical function at two of the country’s largest companies, [Maiorino] is widely recognized as one of the nation’s top leaders in the complex, evolving areas of information security and risk. As an organization, we have made a commitment to our guests and our team that Target will be a retail leader in information security and protection. We believe [Maiorino] is the right person to lead that change.”

–Bob DeRodes, Chief Information Officer, Target


Since 2013, Jim Routh has been spearheading Aetna’s cybersecurity strategy, first as the company’s CISO, and since 2015, as its CSO. Formerly, he served as the Global Head of Application and Mobile Security for JP Morgan Chase, and was a CISO for KPMG, DTCC, and American Express. When Routh joined Aetna, the company was facing a barrage of email spam and cyberattacks, millions of which were using Aetna’s name to scam consumers into providing their personal information. 58 Since joining the company, Routh has endeavored to educate its board members about the importance of cybersecurity and managing risk. According to the Wall Street Journal, Routh has helped Aetna approach security breaches as investable business risks that need to be managed, much like fluctuating currency prices and the threat of lawsuits. 59

“We’re transparent about the risks to pretty much anyone inside the company because knowing the risk is the first step towards mitigating and managing that risk long term.”

–Jim Routh, CSO, Aetna


NATS is a UK-based provider of air traffic control services. Each year, the company handles over 2.2 million flights and 220 million passengers in UK airspace alone, in addition to working with more than 30 countries across Europe, the Middle East, Asia and North America. 60 According to NATS, air traffic control services face cybersecurity threats such as being a soft target for hackers, who could potentially spoof a fake aircraft by transmitting a fake signal. 61 In 2014, NATS hired Andrew Rose as its CISO and head of cybersecurity. Prior to joining NATS, Rose served as the Principal Analyst for Forrester Research’s Security and Risk practice, and as a CISO in the legal sector. 62 In his role at NATS, Rose is less involved with on-the-ground decision making, and instead focuses on communicating the importance of spending money on cybersecurity to the executive board of the company.

“My role is about influencing, stakeholder management, positioning and communication. My role is not terribly about making decisions, doing risk assessments or understanding the latest technology solution out there on the market. It’s all about getting the board’s head in the right place so that they’re okay with spending money and putting resources into this, and they realize the benefit in it. I don’t think I am alone as a CISO operating at that level, and I think more CISOs will have to do that in future.” 63

–Andrew Rose, CISO, NATS

Continue to the following section for additional insights from experts in the US and Europe.

FTI Consulting (NYSE: FCN) is a global business advisory firm dedicated to helping organizations protect and enhance enterprise value in an increasingly complex legal, regulatory and economic environment. Boyden sat down with two of FTI’s cybersecurity and risk management experts from the US and Europe for their

Scott Corzine is a Managing Director at FTI Consulting in New York. He is in the Global Insurance Practice in the Forensic & Litigation Consulting segment and co-heads the Risk Management Consulting group. Corzine is considered an expert in operational resilience, business continuity and IT disaster recovery management, cybersecurity, and emergency and crisis management.

Alejandro Sánchez is a Senior Director in FTI’s Brussels office. He is the former Head of Cabinet of the Spanish Secretary of State for Security as well as the former Head of the Spanish delegation to the EU Standing Committee on Operational Cooperation on Internal Security. Sánchez is also a member of the American Chamber of Commerce EU Security and Defence Committee.

Boyden: What are companies facing cybersecurity threats doing to protect themselves?

Corzine: Across the board, in some cases more aggressively and proactively than others, companies are stoking up their weaponry to keep the bad guys out, as assessments highlight areas of technical vulnerability. When the bad actors create a new offensive weapon, defenses have to be upgraded. So, as the bad guys get better at how they attack, the good guys are getting more aggressive with how they defend themselves, in an endless and unavoidable cycle of escalation. That includes all the “toys” that companies buy around perimeter defense, access control, intrusion detection, and all those kinds of issues. Good companies are spending aggressively on those defenses, some as much as 10 percent or more of their IT budgets. Lesser companies often are spending less aggressively, averaging less than five percent of IT spending.

Boyden: Are boards and senior management taking greater notice in terms of their actions?

Corzine: Ten or 15 years ago, in the directors’ board book that they receive before every quarterly company meeting, the meaty sections were on financial results, manufacturing operations, executive compensation and the like. Risk management might have been all of a paragraph or a page. Today, smart companies are spending a lot more board attention and C-Suite preparation on risk management, and cybersecurity is certainly a key topic.

But, it goes further than that. Directors are interested in the implications of any personal D&O liability exposure. A significant data breach – and a bungled response by management – can immediately impact share price and reputation, and it takes somewhere on the order of 80 weeks on average to begin reputation recovery.

So, in addition to having faith in their CIO and having a CISO in place, we’re seeing boards hiring outside. Also, third-party experts are coming in and independently “kicking tires,” reporting to the board on alignment with an information security standard or framework, and then benchmarking the organization against its industry peers. This typically can lead to a vulnerability remediation plan and a more robust cyber incident response plan. It’s all part of an increased emphasis we’re seeing on governance, risk and compliance at the board level around operational risk, especially cybersecurity.

Sánchez: I’m convinced that it has become a bigger priority for most companies. If you follow the amount of cyberattacks that big companies receive – as well as small- and medium-sized companies – and discover at the end of the year that you have spent a lot of money in order to remedy the situation, boards and companies realize they must invest in resources and human capital to avoid the same situation down the line. The CIO, CISO, HR and the communications teams must be closely linked to the senior executive levels.

Boyden: Do you see cybersecurity as something organizations know they need? Or do you see some reluctance in implementing measures that they know may be necessary?

Sánchez: In Europe, there is initiative to fight terrorists, organized crime and cyberattacks. But, due to the European Union’s privacy policy, it’s very delicate. The EU policies that favor more privacy protection subject companies to greater vulnerability to breach, and also further prevent them from blocking criminals or governments involved in breaches. We are moving a bit closer to the more proactive US approach to policy, but it’s a slow process and there will be a lot of drama and debate before we see real changes.

Corzine: Cybersecurity should be on everyone’s radar. In the US, you still have a continuum of companies from the ones that are quite aware of how vulnerable they are, down to companies that are still of the old “ostrich” mindset, where they think, “Hey, we haven’t been hacked yet, so we must be safe and we must be doing something right.”

But the problem is that there are essentially two kinds of companies in the world, in our view – companies that have been hacked and know it, and companies that have been hacked that haven’t figured it out yet. So, if it’s not on their top line of awareness from a risk management perspective at the board level, they’re probably doing something wrong.

Boyden: How does resilience play a role in cybersecurity strategy?

Corzine: Because vulnerability to a hack is so pervasive, “resilience” is a rational objective for CISOs and for boards. “Prevention” is a nice aspiration, but an irrational objective that will forever be thirsty for funding. We believe that some of organizations’ IT security spend needs to move from the prevention and detection side over to the response and recovery side, in terms of a budget remix. The costs for reputation recovery can be staggering. Hiring a top cyber forensics team, paying for crisis communications expertise, and having experts who can prepare executives for regulatory or Congressional testimony, are all key relationships companies should explore, because it’s hard to do all that internally after they’ve suffered a breach.

Banham, R. (2015). Rising Trends in Risk Management. Retrieved from:

Beasley, M., Branson, B. & Hancock, B. (2015). 2015 Report on the Current State of Enterprise Risk Oversight: Update on Trends and Opportunities. Retrieved from:

Bednarz, A. (2015). Cisco estimates a million unfilled security jobs worldwide. Retrieved from:

Bonderud, D. (2014). Cyber Security Challenges: How Do Retailers Protect the Bottom Line? Retrieved from:

Boulton, C. (2015). More CISOs Needed to Battle Cybersecurity Threats in 2015. Retrieved from:

Boulton, C. (2014). Target’s Lack of CISO Was ‘Root Cause’ of Systems Breach. Retrieved from:

Bowman, H. (2015). 2015 Consumer Markets Trend: Cybersecurity/Retail Fraud. Retrieved from:

Bruemmer, M. (2015). The CSO’s New Role: Guarding Company Reputation. Retrieved from:

Chapple, M. (2015). IT job profile: So you want to be a CISO. Retrieved from:

Cisco. (2014). Cisco 2014 Annual Security Report. Retrieved from:

Deign, J. (2014). What Might it Take to Be a Chief Security Officer in 2014? Retrieved from:

Drinkwater, D. (2015). What will the CISOs of 2020 look like? Retrieved from:

Filkins, B. (2014). New Threats Drive Improved Practices: State of Cybersecurity in Health Care Organizations. Retrieved from:

FTI Consulting. (2015). Strong Employee Engagement is First Line of Data Defense Against Cyber Crime. Retrieved from:
Hulme, G. V. (2015). Survey says enterprises are stepping up their security game. Retrieved from: http://www.csoonline.com/article/2988168/security-leadership/survey-says-enterprises-arestepping-up-their-security-game.html

Kalanick, T. & Sullivan, J. (2015). Joe Sullivan Joining Uber As First Chief Security Officer. Retrieved from:

King, R. (2015). Cybersecurity at Aetna Is a Matter of Business Risk. Retrieved from:

Li, S. (2015). The Next Cybersecurity Target: Medical Data. Retrieved from:

Lynch, D. (2015). Uber Hires Facebook Security Head As Chief Security Officer. Retrieved from:

MacMillan, D. & Demos, T. (2015). Uber Valued at More Than $50 Billion. Retrieved from:

Morgan, S. (2015). Worldwide cybersecurity market continues its upward trend. Retrieved from:

NATS. (2015). Company Website. Retrieved from:

O’Daniel, A. (2015). Moynihan: BofA’s cyber security given unlimited budget ‘to keep us safe’. Retrieved from:

Palm, S. (2015). Risk Trends to Watch for in 2015. Retrieved from:

PwC. (2015). 18th CEO Survey 2015: Key Findings. Retrieved from:

PwC. (2015). Cybersecurity challenges in an interconnected world. Retrieved from:

PwC. (2015). Supersizing cyber security investments. Retrieved from:

PwC. (2015). The Global State of Information Security Survey 2016 – Financial services summary. Retrieved from:
PwC. (2015). The Global State of Information Security Survey 2016: Key Themes. Retrieved from:

SC Magazine. (2015). Andrew Rose: Chief Information Security Officer and Head of Cyber Security. Retrieved from:

Schlein, T. (2015). The Rise of the Chief Security Officer: What It Means for Corporations and Customers. Retrieved from:

Shaw, K. (2014). In High Demand, CISOs Need Boardroom Skills to Succeed. Retrieved from:

Sheidlower, N. (2015). The Rise in the Demand for CISOs. Retrieved from:

Suby, M. & Dickson, F. (2015). The 2015 (ISC)2 Global Information Security Workforce Study. Retrieved from:

Thomson Reuters. (2015). Top Compliance Trends for 2015. Retrieved from:

Threat Track. (2015). No Respect: Chief Information Security Officers Misunderstood and Underappreciated by Their C-Level Peers. Retrieved from:

TrendMicro. (2015). Report on Cybersecurity and Critical Infrastructure in the Americas. Retrieved from:

Tripwire. (2015). Why Hackers Are After The Healthcare Industry. Retrieved from:

Veracode. (2015). 3 Ways CISOs Can Improve Security’s Reputation. Retrieved from:

Walker, G. (2013). Is air traffic control a soft target for hackers? Retrieved from:

Zweig, D. (2015). What payers can learn from Aetna’s CISO. Retrieved from: