Exclusive: U.S. companies seek cyber experts for top jobs, board seats

NEW YORK Fri May 30, 2014 1:15am EDT

An illustration picture shows a projection of binary code on a man holding a laptop computer, in an office in Warsaw June 24, 2013. REUTERS/Kacper Pempel

NEW YORK (Reuters) - Some of the largest U.S. companies are looking to hire cybersecurity experts in newly elevated positions and bring technologists on to their boards, a sign that corporate America is increasingly worried about hacking threats.

JPMorgan Chase & Co, PepsiCo Inc, Cardinal Health Inc, Deere & Co and The United Services Automobile Association (USAA) are among the Fortune 500 companies seeking chief information security officers (CISOs) and other security personnel to shore up their cyber defenses, according to people with knowledge of the matter.

While a CISO typically reports to a company's chief information officer (CIO), some of the hiring discussions now involve giving them a direct line to the chief executive and the board, consultants and executives said.

After high-profile data breaches such as last year's attack on U.S. retailer Target Corp, there is now an expectation that CISOs understand not just technology but also a company's business and risk management.

"The trend that we are seeing is that organizations are elevating the position of the CISO to be a peer of the CIO and having equal voice associated with resource priorities and risk decisions," said Barry Hensley, executive director at Dell SecureWorks' Counter Threat Unit.

With many companies looking for security executives with military or defense backgrounds, people with the right expertise can command increasingly higher salaries.

Large corporations have recently hired CISOs for between $500,000 and $700,000 a year, according to Matt Comyns, global co-head of the cybersecurity practice at search firm Russell Reynolds Associates. Compensation for CISOs at some technology companies with generous equity grants has reached as high as $2 million, he said.

In comparison, CISOs who have been with a company for five or more years are on $200,000 to $300,000 per year, Comyns said.

NEW URGENCY

Security experts have often criticized corporate America for being too complacent about cyber risks and for not doing enough to protect their computer networks from hackers.

A recent PwC survey found the vast majority of cybersecurity programs fell far short of guidelines drafted by the Commerce Department's National Institute of Standards and Technology (NIST). Only 28 percent of more than 500 executives surveyed said their company had a CISO or Chief Security Officer.

But high-profile data breaches, such as the one at Target, have injected a new sense of urgency, executives said. Target ousted its CEO, Gregg Steinhafel, earlier this month, and its chief information officer, Beth Jacobs, resigned in February. The retailer is now searching for a CISO, a newly created role.

"This is ringing bells at the C-suite," Charlie Croom, vice president of cybersecurity solutions at U.S. defense contractor Lockheed Martin Corp, told the Reuters Cybersecurity Summit.

Recruiters and executives said companies are increasing both the size and budget of their security teams. By the end of 2014, JPMorgan's annual cybersecurity budget will rise to $250 million from $200 million in 2012, CEO Jamie Dimon said in April. And the largest U.S. bank will have about 1,000 people focused on cybersecurity, compared with 600 people two years ago, he said.

A JPMorgan spokesman said the bank will continue to invest and expand its security team, but declined to confirm if the firm was looking for a CISO.

Cardinal Health CIO Patty Morrison said the healthcare services company was looking to hire a vice president of security to bring in "new talent and new ideas." USAA Chief Security Officer Gary McAlum confirmed the diversified financial services group was looking for a CISO.

Deere representatives were not available for comment, while a spokesman for PepsiCo declined to comment. The soft drink and snack maker lost its CISO, Zulfi Ahmed, to MetLife Inc earlier this year.

CHANGING FACE OF BOARDS

As companies look for CISOs, many boards are seeking directors with technology know-how so that they can better understand cyber risks. Matt Aiello, co-head of the cyber practice at Heidrick & Struggles, said he is seeing "unprecedented" demand for CIOs to serve on boards.

"Boards don't feel they have the right expertise to draw upon. It is not that they don't understand it is a risk; they don't want to blunder uninformed into it," said David DiBari, managing partner at the law firm Clifford Chance in Washington. 

Retired Accenture CIO Frank Modruson, former Department of Defense CIO Teresa Takai, Dell SecureWorks chief Mike Cote and AT&T Inc CISO Ed Amoroso have all been approached to serve as potential directors, according to people with knowledge of the situation.

Takai said she is "looking at a couple of things," including with a security technology company. Cote, through a Dell spokeswoman, confirmed he has been approached by several companies about serving on their boards. An AT&T spokesman declined to comment on behalf of Amoroso. Modruson was not available for comment.

Pamela Craig, who serves on the boards of Akamai Technologies Inc, Wal-Mart Stores Inc and software maker VMWare Inc, expects demand for CIOs to serve on public boards to increase. "You need people who have direct first-hand experience in the boardroom," she said.  

Some boards are also considering moving responsibility for network security to risk committees from audit committees, as cybersecurity is increasingly viewed as a business risk more than a compliance issue, according to Mary Galligan, director of Cyber Risk Services at Deloitte & Touche LLP.

RSA Security Senior Vice President Amit Yoran said boards are looking for experts who can help them build security into products in development, rather than bolting it on at the last minute.

"CISOs are being brought to the business table more often," Yoran said. "This is a realization that in many cases a business's survival relies on the security of the technology."

(Reporting by Nadia Damouni in New York; Additional reporting by Jim Finkle in Boston; Editing by Paritosh Bansal and Tiffany Wu)

Comments (4)
Obsilutely wrote:
:)

May 30, 2014 9:10am EDT
StigTW wrote:
I’m sure the NSA has ‘experts’ ready to fill the jobs on offer with freshly printed ID’s and all.

May 30, 2014 10:38am EDT
Burns0011 wrote:
Imagine that. After decades of ignoring IT security and sweeping it under the rug and underfunding, companies are FINALLY starting to clue in to how much damage a breach can do.

Hacking is not a ‘harmless’ crime. It isn’t as directly damaging as physical theft of assets, but the indirect and intangible costs are massive. And theft of intellectual property leads to smaller markets and loss of revenue when competing firms suddenly have similar products for sale.

Mostly in China, but we all know the Chinese have been stealing other people’s ideas for the past century because their culture doesn’t respect copyrights and patents.

May 30, 2014 11:30am EDT