Risk Management Starts with Pinpointing Vulnerabilities

Benchmark Executive Search, based in Reston, VA, is making its mark as a sought-after recruiter for both federal market and commercial companies in search of cyber talent. Jeremy King, the firm’s founder, has worked extensively with VC/PE backed firms that serve the government, building strong ties with leaders in intelligence, defense, and national security. Benchmark’s focus has been on helping start-ups, emerging growth and mid-cap companies find top executives with government backgrounds and strong connections in the defense and national security markets in areas like information technology, military communications, homeland security, and cyberwarfare, among others. Terrorism and cyberattacks are ratcheting up the call for hiring in these areas, he said, and the sector is thriving.

Benchmark is now directing its energy to Fortune 1000 companies, many finally awakening to how destructive security breaches of all types can be – from physical damage and real costs to reputation loss and customer recovery. Mr. King is now calling for industry to re-evaluate its approach to risk management. “Previously siloed risk-management functions must be reinvented, strengthened, and funded more aggressively,” he says. “Success will require unprecedented cooperation from board directors and those in the C-suite.”

Hardening People as Well as Networks

Mr. King advocates a stronger “culture of security,” strong executive leadership, and greater resources to manage network vulnerabilities with urgency and continual innovation. Top companies, in particular, must be vastly more vigilant about comprehensive risk management. “Fortune 1000 corporations face a clear imperative: decisively improve internal risk management assets, leadership and performance – or risk suffering at your company’s or shareholders’ peril,” says Mr. King.

In many respects, risk management starts at the top of these companies, and the key will be vigorous attention and collaboration between boards of directors and the C-suite. Of particular concern in keeping companies safe is the human element. “With an estimated $94 billion dollars to be spent on cybersecurity in the next decade, it is surprising most corporate investment in security today is directed to hardening networks rather than people,” Mr. King says. “Most organizations have not taken the time to map the vulnerability points of their employees or done a comprehensive risk management assessment.”

Predictions for 2016

Based on what he and his colleagues have gleaned from clients, advisors, and their network of security talent, Mr. King makes four predictions for 2016:

  • Public companies will increasingly empower a single leader or group to take charge of their integrated risk and security strategies;
  • Chief risk officers (CROs) will see a greater role at public companies and be regarded as peers to the COO. “With the COO having P & L, profit and loss, responsibility, the next generation CRO will have a new kind of P & L — prevention and loss,” says Mr. King;
  • Boards will increasingly follow the federal Sarbanes-Oxley Act compliance mandates, which among other things led to most public companies establishing a chair of the audit committee. “Soon we will see more public, and some private, companies implement a chair of the risk or cyber committee, or both, on their boards,” Mr. King predicts;
  • Public companies will undertake more extensive risk assessments to pinpoint where they are most vulnerable to attack. This would include facilities, communications, networks, and employees. “This new level of threat intelligence is partly due to increasing global corporate espionage and intellectual property theft,” he says.

Q&A: A Shifting Problem

Jeremy King has nearly two decades of cybersecurity knowledge and access to a vast network of the nation’s top cybersecurity experts. Here, he describes the corporate risk and security leadership needs of companies now in the crosshairs of a talent dilemma.

There seems to be a pervasive shortage of experienced senior leadership talent who can address the range and complexity of risk management. Why?

It is no small task for any organization to achieve consensus about what must be done, what organizational assets must be integrated into their broader risk-management mission, and even a standard organizational structure to determine how the CRO, CIO, CSO and CISO fit together, not to mention the cost of the mission, measured in both dollars and management focus.

Is everyone approaching the talent problem the same way?

For Fortune 1000 corporations convinced that they need enhanced security, it is not easy to find the right leaders to design and manage an effective program. And at the other end of the spectrum, most small organizations are not addressing the complexity of the challenge – nor can they justify the costs.

Is the problem priority or focus?

Both. Corporate security is today’s biggest talent management challenge and it needs to be given the highest priority and focus. Our experience tells us that the core skills and expertise gained from public sector leaders can be leveraged to inform private sector actions and strategies. In the end, only people can create strategy, policy, processes and implement the right technologies. The risk to preserving enterprise value is too high not to have an A-team to navigate the new landscape of threats.

Source: http://websrv1.huntscanlon.com/wp-content/uploads/2016/03/ESR_cyberSecurity_issue-1.pdf