Jeremy King, the founder and president of Benchmark Executive Search, discusses the evolution of the chief risk officer, highlights the challenges in recruiting cybersecurity talent from the intelligence community and recommends talking about cybersecurity in terms of wins and losses rather than ones and zeros.
You’ve recruited many former U.S. government workers on behalf of big-name private sector clients. Are you seeing any trends among individuals, or in the industry?
Mr. King: Take the top 100 most-senior guys and gals who have protected our country’s networks, our secrets and our people. Private corporations are starting to have the same problems our government has had when it comes to dealing with economic espionage from nation-states and criminal actors. Well, who but people from the government has a better playbook for defending against cases like this?
The biggest thing I look for is if they have the charisma to land consulting clients. Some are very technical and they’re brilliant, but they’re probably not so good at landing clients. Not everyone can go hang their own shingle. Others are rock stars, but very often even those people are nervous.
One client from the Central Intelligence Agency said, “Do you really think I’ll be in demand?” and they are just nervous about fitting in. These people are stars though, so I just have to laugh and say “You’re going to be okay.”
What’s that transition like?
Mr. King: I’ve been doing this for 20 years and I have never seen more demand for security people on the private side. But government people have had their head down and have been focused on trying to get their jobs done. Going private is almost like reading all the books about something and having all the information, but you still don’t know until you’re there. Some people pick the wrong position the first time, which I think is why there’s some churn and turnover, but typically the second position they will stick.
There’s a huge difference between mission and budget, and profit and losses. If their mission is great enough they’re going to have the ability to get the budget in government. All they’re doing is spending money; they’re not used to profit and loss. You need to make strategic plans in order to be profitable, and the difference between those is night and day.
Do you have any advice for companies trying to hire new employees who have experience at the CIA or the Defense Department?
Mr. King: I see a huge talent shift where people in government are saying, “Wow, I see my skills are so transferable that I can double my money and just work in health care or the financial sector.” They’re also seeing more of their friends get out and see how happy they are.
Believe it or not, you can reach people directly on LinkedIn. That’s the one area where assistants aren’t acting as gatekeepers yet, versus someone’s phone or email. Even top generals and former top generals are looking at their own LinkedIn.
Often, they work through friends and channels, and it’s really when they leave the government when you can reach someone about an opportunity, but the direct route is still often the best.
Do you expect any changes in the private sector as organizations begin to understand cyberrisk?
Mr. King: I predict we will see more chief risk officers. Let’s compare NFL teams, where the person in charge is the owner, to corporate America, where shareholders have the money.
The next level down in the NFL is the general manager, and in corporate America it’s a board member. Both are working in governance, oversight and not really getting too much into the weeds. Then you can compare a head coach running a team to a chief executive running a company.
It’s pretty similar until you get to an offensive coordinator, whose job is to put points on the board, and a defensive coordinator, who is supposed to prevent points. Eventually, I think you’re going to have a CEO above a chief operating officer. The COO will run the offense in the form of points, revenue and market cap, and then a chief risk officer, who will run the defense.
The chief information security officer will report to the CRO because they’re information security. Then there’s the chief security officer, someone from compliance, someone from the legal team and someone from communications who can control the narrative around bad news.
They’re part of a team. Everyone on this team is enabling the offense to score points and also defending against the team losing points.
Are you seeing this model put in place?
Mr. King: You are seeing chief risk officers but we’re not seeing them elevated like this.
In this scenario the CRO is not a technical person but a former CEO or chief operating officer who can manage people and make sure the team is working together. They’re also the person who is accountable, which doesn’t exist now.
They will be equals. If the CRO doesn’t appear with the COO they won’t have enough clout and not enough budget. In our model now, we have a situation that’s too vertical. We have data breaches where IT teams are afraid to elevate a situation to the CISO, who is afraid to report situations to the CIO, and so on. We need to give the CRO the ability to say to the COO, “No, you’re missing this.”
It’s just not the way it’s done yet. Until something changes, no one is going to start doing this; that’s just the way it is. Individually, when companies are punched in the nose bad enough and they have an emotional connection to it, that’s what they’re going to need to change.