BUILDING WORLD CLASS CYBER SECURITY TEAMS – Joyce Brocaglia, Founder and CEO of Alta Associates, Examines the Evolution of the Information Security Sector
The full article can be viewed as a pdf here: Building World Class Cybersecurity Teams
Twenty years ago the world was really a different place in terms of technology and the amount of data that employees, customers, and partners had access to. At the time, recruiting information security officers was very focused on securing main frame systems and the perimeter. Companies looked for people that were highly technical. In the following interview, Joyce Brocaglia, founder and CEO of Alta Associates, discusses the substantial pickup in recruiting when companies started to replace their existing technology leaders. Ms. Brocaglia outlines how the “new” executive CISO evolved; one that had a much more holistic approach to risk management and who really enabled businesses by providing value and articulating solutions in a language that made sense to business leaders. Since its founding in 1986 Alta Associates has become a prominent boutique executive search firm specializing in information security, IT risk management and privacy. Ms. Brocaglia is a strategic advisor to her clients. She founded the Executive Women’s Forum on Information Security, Risk Management and Privacy. She has acted as the career advisor of CSO Magazine and author of the monthly “Career Corner” column for the Information Systems Security Association (ISSA) Journal. Ms. Brocaglia also served on the board of advisors for the ISSA and International Information Systems Security Certification Consortium (ISC2). She also tells us why the financial services and healthcare sectors are focusing in on information security.
What events led you to settle on recruiting talent for the security and IT risk sector? I know that you were retained by Citigroup in 1994 after the Russian incident where they had hacked into the bank’s computers. Brocaglia: I actually founded Alta in 1986 and, at that time, one of our largest specialties was IT audit. Believe it or not, that was a hot growth area at the time. Then, in 1994, the Russians hacked into Citigroup’s computers and the bank then hired their first ever chief information security officer, Steve Katz. Steve contacted Alta to build his information security organization. We knew that IT auditors were already looking at data centers and applications controls, and those people combined with folks coming out of the government and military made ideal candidates for what became the first ever information security organization for Citi. So fast forward 20 years and we are the leading boutique firm specializing in cyber security and IT risk management. That’s why when a major retailer was breached last year, they came to Alta to perform what was probably the most high profile CISO search ever conducted, and that was just one of many CISO searches we did last year. What I can tell you is by the end of the search quarter this year we have been retained for over 50 searches specifically in information security and IT risk.
How active were companies 20 years ago in this functional discipline and at what point did you see a substantial uptick? Brocaglia: Twenty years ago when we were recruiting information security officers the world was really a different place in terms of technology and the amount of data that employees, customers, and partners had access to. At the time the role was very focused on securing main frame systems and the perimeter. So we looked for people that were highly technical. There was a substantial pickup about four years ago when companies were starting to replace their existing technology leaders. A “new” executive CISO evolved; one that had a much more holistic approach to risk management and who really enabled businesses by providing value and articulating solutions in a language that made sense to business leaders. Companies were asking us to find executives for them that really could become the face of their information security organization; who could increase the credibility of their department; who could influence their culture; and then constructively partner, sell and deliver their security initiatives globally to diverse businesses with various risk policies. So I would say, initially, that was the push of having a kind of an “Ah ha” moment where companies realized, the position itself needed to be elevated. I also think another driving force was the increased volume and complexity of cyber threats as well. So many companies were starting to see these types of attacks on their organizations. The result was that senior-level positions were being created because the board and the audit committee were starting to ask harder questions and regulatory requirements were demanding more compliance. These newly-created positions, therefore, began to really take more of a front office spot as opposed to just a back office technology function.
Obviously industries like financial services that need to protect the personal records of millions of individuals is clearly a prominent sector in need. What other industries are active? Brocaglia: Financial services is probably the most evolved for obvious reasons: They have been moving large amounts of data and money for years and are huge targets to nation states and individual hacker attacks. There have been many high profile breaches where millions of credit card customers’ information has been compromised. These breaches were a wake-up call to many major retailers who thought that being compliant to regulatory requirements like PCI was enough to be secure. But now they are dealing with enhanced PCI requirements and they have received advice from consultants and auditors who were quick to point out there were vulnerabilities and risks in their policyoriented security programs. So they advised them to build more robust and formalized security organizations that quite often required them to bring on a first time CISO or elevate their current role by hiring someone who has much more strategic and leadership skills. Healthcare is another industry that has had a huge uptick in terms of their focus on information security, governance, IT risk, compliance and privacy. We are working with a number of healthcare organizations and technology healthcare companies that are making very dramatic changes in enhancing and increasing their budgets specifically around information security and IT risk. With the threat of cyber-attacks on the U.S., the importance of protecting our energy grid and other utilities is more important now than ever. So the energy sector is really increasing its focus on information security as well.
What types of positions are most sought after by companies today in security and IT risk? At the senior levels it is the chief information security officer which is, by far, the most senior position in demand in information security. A lot of companies have developed what we call business information security officers. In essence it’s akin to being the right-hand person to the CISO and aligned to each of the business lines for that company. We see a lot of companies utilizing that person as a liaison relationship manager as a means by which to get security embedded into organizations through various business lines in kind of a partnership approach. For example, we are currently working for a financial services company, conducting a search for their chief information risk officer and, at the same time, we are currently placing candidates as business information risk officers in each of their divisions. We also are seeing a lot of companies that are looking for very strong architects – not architects from the general IT area – but carrying a specialty network security or applications security. So these are people who have both deep technical expertise and are actually able to design the framework and define the technical requirements to effectively drive a solution across the enterprise. These are some of the top positions that we are most frequently asked to find.
Have there been many newly-created positions as a result of this activity, and if so, what are they? Brocaglia: Recently for a large Fortune 100 healthcare organization, we conducted a search for a chief data officer. They work cross-functionally throughout an organization to re-evaluate the data as an asset, versus a side effect of the business like finding a timeline to store data, how to classify the data, how to share it, how to store it and how to leverage it. And, as you can imagine, they will work closely with the CISO, with the chief privacy officer as well as with the digital marketing team, enabling them to securely leverage the information. With a new value placed on data analytics, companies are hiring data scientists as part of the overall information security strategy around big data. Due to very stringent regulatory requirements, some of our clients are now separating the role of the chief information security officer and the head of IT risk. Many companies are now hiring an enterprise technology risk officer who manages the strategies, programs, governance and the oversight of everything to do with IT risk. So, again, they would partner with the information security officer. But I think it is important to note that it is not as much the newly created position that is important but, rather, the elevation of the roles in IT security and risk. These are positions that were once VP or director are now being graded as a senior vice president and those that were senior vice president are now being extended the opportunity to move into a C-level position. The majority of the head of the security and risk roles that we are placing all have the responsibility to present to the board of directors and to their risk and audit committees and they actually lead task forces or committees themselves.
What differentiates your firm from others? Brocaglia: I love this question because I don’t think there’s another firm out there that’s like us. I’ll give you a couple of words that I think describes us and then I’ll tell you how I think that those are truly values of our firm as well as why I think we are different. First, is just simply the knowledge that we possess. We were really the first firm to build teams of information security officers and those that support them. Our recruiters are all seasoned professionals and work every single day with security and risk leaders and hiring managers and candidates. They live, eat and breathe this industry and they know the players; they know the nuances, and they know the function inside and out. They are not just looking at the resume; they are looking at what is behind it. The second word that best describes us is ‘trust.’ Clients do business with people they trust. We are not just a recruiting firm, but rather truly a trusted advisor. Since we’ve been placing these professionals for so long we have relationships with industry leaders because we’ve placed them a couple of times in the course of their career progression. We’ve built their teams at various companies. We’ve earned their trust as their career coach personally. And professionally they know that we deliver. They know that we deliver in ‘building world-class organizations.’ I think what’s really cool, and incredibly satisfying, is that the information security industry itself recognizes us in ways that most search firms are not. I was named as one of the 25 most influential women in information security. In 2014 CIO Review named Alta to their top 20 most promising enterprise security consultant firms. This year SANS Institute gave me a “Person Who Makes a Difference” award and CSO Magazine honored me with their very prestigious Compass Award, which is given for outstanding achievement in security and risk management leadership. So, I don’t believe there are any other recruiting firms that are recognized by the industry for their specific contribution to the industry they serve. So we are truly a part of that community and not just a vendor. I know we’re not specializing in security because it’s the new ‘hot’ thing that we could make a lot of money at. We’re vested in this. And then when you talk about being vested and why they choose us, they do so because we’re more efficient and we’re a better value than our big box competitors. During a launch call we are already thinking of people who we know we are going to reach out to. We’re not pushing it down to some researcher who’s ‘screen scaping.’ We know these people. And our team utilizes something that we created called the Alta Advantage Framework. It’s basically a process that includes a system that we have developed to assist our clients that includes job descriptions, identifying and preparing interviewers, determining what the market value is (because so many times people come to us without really knowing what it’s going to cost to hire someone. Or, if I have $300,000 to spend what kind of CISO can I get versus $700,000 to spend). So they look to us as a subject matter expert. We include compensation estimates around real market data, and we help them define a timeline for the interviews to streamline the process which is very important in this incredibly competitive market. In most cases we are able to deliver our first qualified slate of candidates within the first 21 days from the launch of the search. Our goal is always to complete a search within 90 days. We don’t charge a lot of administrative fees or anything like that. Our clients get highly customized service with the personal commitment of our recruitment relationship manager that they will own that search from beginning to end. We also stay up on all issues within this sector by attending and participating in major conferences. For example, at RSA, the industry’s largest security conference, I spoke on a panel, led a peer discussion group, we hosted a cocktail party for industry VIP’s and hosted a meet and greet for over 200 women where the CEO of RSA did our kick off.
Alta Associates is also a strategic advisor to companies on security and risk issues. Please give me an example of a typical scenario where a company would call you to advise them. Brocaglia: I’ll give you a couple of examples. I think the most prominent example was in 2014 when a major retail company had a very high profile breach. They turned to us and retained us to find their first executive-level CISO. We met with their head of HR, their general counsel, and their executive team and we worked with them to define the role and responsibilities of this newly elevated position. This organization was really in the news spotlight. So not only did they have to deal with the financial and the legal ramifications of their breach, they had concerns over the damage to their reputation and how that might affect their relationship with their customers. We knew that time was of the essence so we went right to work. We partnered with a great team of their top executives and, together, we were able to identify and interview a very high quality slate of candidates. So, from the launch of the assignment to acceptance took 60 days. I am proud to say that that CISO we put in is doing extremely well today and the company has recovered and is much healthier almost a year later. Another example was from this year. We were contacted by a Fortune 500 manufacturer who reached out to us with the consent of their board of directors and their audit committee. This was a priority initiative in which they wanted to hire their first CISO. Prior to the decision to create a CISO position, the company’s information security was very decentralized through the CIO’s organization. They recognized that they needed to bring in a cybersecurity executive at a much more advanced level who could set strategy and direction and then define the overall security posture by creating a centralized function. So, we were retained, not only to place that CISO, but to also build a team of over a dozen sitting members in areas such as security architecture, project management, IT risk, incident response, access and identity management. And then, as is often the case, our success led to another search opportunity: the CIO retained us to fill positions outside of information security including the global head of infrastructure and operations and a couple of others. Therefore, not only do we conduct search assignments in information security, often times they lead to assignments that are outside of security but are still technology related. We are also often retained by companies who already have a CISO but want to bring an executive on board who has either a stronger leadership presence or stronger strategic ability. As an example, a major financial services company retained us last year because they wanted to elevate their CISO role with someone who could also be accountable for IT risk and who really had the ability to manage key relationships with regulators. We have vast experience in the financial services industry and that allowed us to fill that role with someone who really elevated the status of the role within that financial services company. A number of our financial services clients ask us to perform searches for security and risk executives that also have experience in managing relationships with key regulators as compliance is becoming an increasingly more important and complex part of their jobs. We are also working with two clients now who are looking to bring in their first-ever CISO. One is a software company that has a very strong technical team and recognizes that they need to hire someone to develop a formal overarching security strategy. The other is a healthcare company that understands that they have data and legal obligations and they want to make IT security a competitive advantage. Up to this point security has been a less important subset of their culture. But since they are a healthcare technology company they wanted to find somebody who was immediately credible to the existing team but could also help them on this vision that they have of being stewards of personal information.
Where do you see the future of security and IT risk in the next five to 10 years? How much will it expand? And how will companies approach talent in this area? Brocaglia: Well, our theme for the Executive Women’s Forum National Conference this year is ‘Big Data, Big Risks, Big Opportunities.’ I think that really highlights the future of security as well. There is currently what I would describe as negative unemployment in our field, which reflects the current demand for cybersecurity professionals. The estimates are about 1.4 million information security jobs will be in existence by 2020, and there are statistics that show the demand for information security is growing 12 times faster than the overall market demand. This year alone there was a 46 percent increase in the number of breaches and 43 percent of companies were hit by an attack. And 60 percent of those companies were hit twice or more. There is a saying that there are two types of companies: Those that have been attacked and those that don’t yet know they’ve been attacked. I don’t see that as changing but only increasing. As I mentioned earlier, with the Internet and the connectivity of the world today, the complexity of the role of the information security officers and their teams is only going to continue to expand and grow. So I’m glad that my firm is helping to be part of the solution.
Information security is a male dominated field. I understand that you are passionate about advancing women in your industry. Why? Brocaglia: As a leader in information security I have had the pleasure of working with so many exceptional women in our field. Although I knew most of these women they really didn’t know each other. My idea of hosting a cocktail party for amazing women I knew turned into a three day conference in Florida for over 100 women. From that base the Executive Women’s Forum on Information Security, IT Risk Management and Privacy was born. That was 13 years ago and we are now the largest member organization in our field for prominent influential leaders as well as those with high potential. We host a conference each year that gathers over 300 of our female thought leaders. And aside from the conference our members also participate in an online community and in many programs throughout the year. Today we have over 25 Fortune 500 companies that serve as corporate benefactors and who are active partners in helping us achieve our mission: advancing women through education, leadership development, and creating trusted relationships. There is something magical that happens when we get these women together. We are also involved in two philanthropic initiatives. We have just given our tenth full master of science degree scholarship to Carnegie Mellon for a young woman, and the second is the ‘Cyber Security School Challenge’ which I created. We have now educated over 100,000 kids on how to be safe online. So I believe that’s my legacy. What led you to launch a leadership development program? How is the leadership journey helping companies throughout the U.S. to advance and retain women and minorities in all fields? I decided to develop this because so many women had expressed to me that they were really dissatisfied with their leadership training that they were being offered where they worked. They would attend a workshop and perhaps even an inspirational speaker would come in to address them. But at the end of the day went back to their desks with a binder full of information and, even if it included a really great speaker, they still had no practical information of how to get things done. At the same time my clients were telling me that women, especially in technology, were opting out. They were really good at starting things and they had plenty of programs for women and minorities, but nothing that had the pull-through and stickiness that they wanted. So we met with about 30 women over the course of a few months and we asked them ‘if you had no limits what would you create as an ideal program?’ And basically they told us they wanted a program that mirrored a lot of what they valued the most about the Executive Women’s Forum. Being part of the community was important to them. They liked interacting with their peers. They wanted it to involve action learning. They wanted a program that was interactive and not just be lectured to like many of the speakers who came to their companies. At our conference, I often get on stage and I tell these women that I love them, and I do, because I care not only about achieving their professional goals but their personal dreams. So they wanted this program to be holistic and address their personal and professional needs which they wanted to expand over a period of time. So we put all that together and developed the Leadership Journey, which is really a comprehensive virtual leadership program that equips women with the skills and competency to lead at a senior level and focuses on self-awareness, personal capacity and the resilience to flourish in critical roles. Our inside-out approach to leadership is based on positive psychology. This model is focused on improving on the person’s strength and it’s also aligned with current research that highlights the importance of a leaders self-awareness, emotional intelligence and ability to connect and engage. Companies all over the U.S. are launching the Leadership Journey program for high potential women. Participants are led by an executive coach over a 12-month program that increases their personal leadership capabilities. And, companies are benefiting by developing a bench of readily promotable leaders and an internal network of alumni. This fosters a much more positive culture that is aligned with their corporate goals. We are seeing a transformation and it’s very, very exciting. Not only are companies utilizing the Leadership Journey for women, but they are utilizing it for their employee resource groups. They are taking the leaders of these groups and putting them into cross cultural cohorts who share best practices along the way. We have a client right now that has 15 employee resource groups that represents about 10,400 employees in their company. So we are taking the leaders of these employee resource groups and putting them through a Leadership Journey together. Part of their class project will be to see how they can create a more cross functional minority/ diverse organization. It’s got a far reaching impact.
This excerpt is from Hunt Scanlon’s Executive Search State of the Industry report.