Chief Information Security Officer (CISO): IT Security Enters the C-suite

High-profile data breaches at well-known companies such as Home Depot, Staples and Sony have shined a bright spotlight on data security, or the lack of it. But these breaches have also raised an alarm within these public companies and other organizations. Many more companies, including big IT service providers, have elevated the job of IT security to the C-level, a highly visible response to what is now a highly visible issue.

“Security jobs are being moved to the C-suite 
because the billions lost to data breaches are a C-level problem,” said Arthur Zilberman, CEO, LaptopMD.com, a New York-based computer repair company.

Making IT security such a high level job sends a message to both customers and employees that it’s a top priority.

EarthLink promotes longtime security exec

For example, Atlanta-based managed service provider (MSP) and hosting provider EarthLink (ELNK) appointed Peter Chronis as its chief security officer (CSO) in June 2014. Chronis previously served as the top security executive within EarthLink. The new title reflects a shift in the company’s approach to IT security.

“[Having a C-level security executive] reflects the seriousness with which we take threats to our clients’ and our own corporate security,” CEO Joseph Eazor told MSPmentor. “Our current and prospective customers tell us they are overwhelmed by the changing regulatory and threat landscape and look to us as a trusted advisor to help them achieve their compliance objectives, keep their networks and data secure and have a safe online experience.”

That makes sense considering the financial and reputational costs of some recent high-profile data breaches. Consider the following examples:

• Target – The New York Times recently reported that last December’s Target data breach has cost the multinational retailer at least $148 million to date.
• The Home Depot – The Home Depot already has been hit with 44 lawsuits after a 2014 data breach.
• Staples – Krebs on Security in October 2014 said multiple banks had identified a pattern of credit and debit card activity that suggested fraud at various Staples locations.

Continuum’s CISO

Boston-based remote monitoring and management (RMM) platform provider Continuum added a C-level security executive in December 2013, hiring Nicholas Bruno. Rob Autor, Continuum’s senior vice president of global service delivery, said his company wanted a CISO with information security expertise across the major information security domains. This executive needed to be able to focus internally on Continuum’s own security and work with the company’s partners and product management team to develop new security offerings. “[Bruno] was a terrific match with all of these requirements,” Autor said.

Emerging technology landscape

For companies such as remote access software provider LogMeIn (LOGM), which recently began a search for a CISO, a C-level security executive is intended help it manage IT security issues in the wake of emerging technologies such as the cloud and Internet of Things (IoT), according to Sandor Palfy, CTO.

“[Companies] are increasingly beginning to IoT-enable their products. This creates security implications for these companies,” he said. “We believe that a dedicated role will be needed in more organizations in the future to own these complex responsibilities.”

Demand for CISOs grows (and so do their salaries)

Executive recruitment specialist Alta Associates has completed CISO searches for several companies, including a retail giant, a global payment processor, an insurance provider and a major auto manufacturer.

Alta Associates CEO Joyce Brocaglia said she believes the demand for C-level security executives is likely to continue in 2015 and beyond, especially as new technologies transform the IT security landscape.

“Fueled by increased data breaches and the complexity of securing the Internet of Things, corporations are increasing their information security budgets for technology solutions and professionals,” she said.

Shawn Banerji, managing director of the information officers practice at executive recruitment firm Russell Reynolds Associates, recently told The Wall Street Journal that high demand for CISOs is driving salaries up, with numbers ranging from $350,000 to $1 million per year.

“Salaries have absolutely gone up and are going to continue to go up,” added Chris Patrick of executive search and talent management firm Egon Zehnder International.

Who else is hiring?

A quick search of CISO jobs on CareerBuilder, Monster (MWW) and LinkedIn (LNKD) shows dozens of these positions open across the United States.  Some of the organizations currently searching for CISOs include the following:

• CoreLogic – CoreLogic specializes in business information, analytics and outsourcing services, and the company said its next CISO will be “responsible for establishing, implementing, monitoring and enforcing information security standards and policies globally … [and] oversees the creation, implementation and maintenance of information security strategy and policy, leads ongoing company-wide security risk assessment and status reporting efforts and is responsible for the creation and roll-out of security awareness and training programs.”
• LogMeIn – As mentioned above, LogMeIn is looking for a CISO who “will lead a global team of four” and be responsible for the security of its suite of security products.
• University of Michigan – University of Michigan’s CISO is expected to be “the highest-level executive dedicated to IT security, privacy, policy and business continuity.”

A look inside: CISOs within organizations today

To better understand the role of today’s CISO, let’s take a closer look at the results of the third annual IBM CISO study of 138 IT security leaders.

The study revealed 90 percent of IT security leaders said they strongly agree that they have significant influence in their organizations, and 71 percent said they strongly agree that they are receiving the organizational support they need to do their jobs effectively.

Nearly 90 percent of IT security leaders have adopted the cloud or are currently planning cloud initiatives. And of these respondents, 75 percent said they expect their cloud security budgets to increase or increase dramatically over the next three to five years.

CISOs “are finally getting a seat in the boardroom,” according to IBM Security (IBM) General Manager Brendan Hannigan.

Share your thoughts about this story in the Comments section below, via Twitter @dkobialka or email me at dan.kobialka@penton.com.