Some of the largest companies in the world are hiring security specialists, not just to fulfill security roles, but also to join corporate boards and provide cyber security guidance from the top down.
It follows a number of high-profile breaches in which companies lost hundreds of millions of customer records, including financial details; even internet companies such as eBay have been affected.
According to Reuters, global bank JPMorgan Chase, drinks company PepsiCo, US medical giant Cardinal Health, agricultural machine maker Deere & Co and the US Automobile Association (USAA) are just a few of the Fortune 500 companies looking to recruit chief information security officers (CISOs) in order to tighten up their organisations’ cyber defences.
Furthermore, claims Reuters, while CISOs typically report to the CIO, many of the companies now hiring CISOs are looking to make them report directly to the CEO and the board – in some cases, putting them on the board, too.
On top of that, CISOs at major organisations can typically command pay packets of more than $500,000, with some earning as much as $2m.
The explosion in pay coincides with the ousting of Target CEO Gregg Steinhafel over the US retailer’s catastrophic handling of a security breach that affected the company’s point-of-sale systems. Its CIO Beth Jacobs was accused of knowing and doing too little to minimise security risks, while Steinhafel was held responsible for taking computer security too lightly.
“This is ringing bells at the C-suite,” Charlie Croom, vice president of cybersecurity solutions at defense contractor Lockheed Martin Corp, told Reuters. JPMorgan, meanwhile, is increasing its already large cyber-security budget from $200m in 2012 to $250m by the end of the year, boosting IT security staff numbers from 600 to 1,000 in the process.
David DiBari, managing partner at the law firm Clifford Chance, said that boards fear that they lack the knowledge to make the right decisions on IT security. “Boards don’t feel they have the right expertise to draw upon. It is not that they don’t understand it is a risk; they don’t want to blunder uninformed into it,” DiBari told Reuters.
According to Reuters, retired Accenture CIO Frank Modruson, former US Department of Defense CIO Teresa Takai, Dell SecureWorks chief Mike Cote and AT&T CISO Ed Amoroso have all been approached to serve on various corporate boards in order to bring in their security knowledge.
Many other companies, meanwhile, are looking to shift responsibility for IT security from audit committees to risk committees – reflecting a change in thinking away from treating IT security as merely a compliance matter, towards treating it as a critical business risk to be contained and managed.