Companies of all sizes should ask themselves: do we have a real cyber A-team of executives and outside experts?

Only experienced executives can create and improve a risk management, threat mitigation and cyber defense plan. And only people can implement and execute that plan. In a people-process-technology equation, without top talent nothing improves. The stakes are too high, especially for public companies, not to have a true cyber A-team.

Companies should strongly consider re-evaluating their approach to risk management and cyber defense and be more vigilant in making cyber a priority. In short, the cumulative risk equation – the combination of threat, vulnerability and impact – arguably is growing in magnitude, but most certainly in complexity. Today, virtually everyone is playing a high-stakes catch-up game.

A survey from Ponemon Institute and Fidelis shows a lack of trust, limited visibility and knowledge gaps between boards, C-Suite and IT security professionals. The survey asked more than 650 board members and IT security professionals (mainly CIOs, CTOs and CISOs) for their perspectives regarding board member knowledge and involvement in cybersecurity governance. Among their findings: 59 percent of board members believe their organizations’ cybersecurity governance practices are very effective, while only 18 percent of IT security professionals believe the same. This underscores the gap in understanding, communicating and acknowledging the threat landscape.

Public and private organizations alike face a clear imperative: decisively improve internal risk management assets, leadership and performance… or suffer at your company’s or shareholders’ peril.

“Every organization that relies on IT alone to secure their heart/lungs against an adversary has failed or will fail…what is needed is a dynamic security team that has the expertise to understand, think, and act defensively to the ever-changing risk landscape. An A-Team that understands the attacker and defenders mindset, that is equipped, organized and trained to operationally defend their highest risk with a holistic policy and procedures in place throughout the organization.”
James Cummings, former Chief Security Officer at JPMorgan Chase and retired Colonel USAF

Acquiring and retaining cyber talent to protect a corporation’s assets is on the minds of most boards and senior executives. Cyber A-team talent, truly the best of the best, are in the catbird seat as every company wants them. Let’s break this demand for talent into three buckets:

- C-suite and VP senior executives who create cyber and risk management strategy
- Managers and individual contributors who implement the strategy
- Outside service providers and consultants who offer expert advice and guidance

Example roles, skills and services in demand (internal talent or external resources):

- CISOs, CROs, CSOs, CDOs and board members with cyber/risk expertise
- Red team hackers who find vulnerabilities in your defenses
- Insider threat experts who map out risky behavior of your employees
- Legal and governance experts who provide a playbook and framework to implement
- Tier-1 consulting firms who offer cybersecurity as a service
- Executive protection experts
- Proven trainers who offer a comprehensive guide and experts to teach your team to create a “culture of security”
- Incident response experts who do breach analysis and remediation
- Crisis management pros who prepare the Board/C-level with a communications strategy when the inevitable breach
or ransomware hack happens
- Threat intelligence experts who can evaluate your threat landscape
- Independent advisers who can navigate the complex landscape of products and recommend tailored cybersecurity solutions
- Critical infrastructure protection experts
- Security experts who can help design and manage security operations centers

What do A-players make?

Retained executive search firms are busy matching executive cyber A-players to support their forward-thinking clients. The largest companies and biggest brands can offer the seven-figure comp packages to the very best talent. Although there are only so many of these elite jobs, there are senior roles where comp packages range from $500,000 to $1 million. Smaller public companies typically pay in the $250,000 to $500,000 range for their senior cyber and risk executives. Smaller private companies find it difficult to compete for top talent in this elite pool. What these companies can’t offer in cash comp, they can make up in pre-IPO equity.

Why act now?

Close to 90% of the total value of the Fortune 500 now consists of intellectual property (IP) and other intangibles. Rapid technological advances are changing the game and your company’s crown jewels are too often accessible to the bad guys. Cybersecurity has fast become a top priority management challenge and finding best-in-class leaders to be part of your A-team to assess, manage and mitigate threats must be a key element of your company strategy. Previously siloed risk-management functions today must be reinvented, strengthened, and funded more aggressively.

The need for top cyber talent will continue trending upward, especially in light of world events, from terrorism to cyber-attacks on corporate infrastructure. Retired Army Gen. Keith Alexander, the CEO of IronNet Cybersecurity and former Director of the NSA, and Commander, U.S.
Cyber Command, told me that, “the value of theft of intellectual property from American industry represents the single greatest transfer of wealth in history and the probability of significantly disruptive and destructive attacks is rapidly increasing.”