JPMorgan Chase & Co, PepsiCo Inc, Cardinal Health Inc, Deere & Co and The United Services Automobile Association (USAA) are among the Fortune 500 companies seeking chief information security officers (CISOs) and other security personnel to shore up their cyber defenses, according to people with knowledge of the matter.
a CISO typically reports to a company's chief information officer
(CIO), some of the hiring discussions now involve giving them a direct
line to the chief executive and the board, consultants and executives
high-profile data breaches such as last year's attack on U.S. retailer
Target Corp, there is now an expectation that CISOs understand not just
technology but also a company's business and risk management. "The
trend that we are seeing is that organizations are elevating the
position of the CISO to be a peer of the CIO and having equal voice
associated with resource priorities and risk decisions," said Barry
Hensley, executive director at Dell SecureWorks' Counter Threat Unit.
many companies looking for security executives with military or defense
backgrounds, people with the right expertise can command increasingly
corporations have recently hired CISOs for between $500,000 and $700,000
a year, according to Matt Comyns, global co-head of the cybersecurity
practice at search firm Russell Reynolds Associates. Compensation for
CISOs at some technology companies with generous equity grants have
reached as high as $2 million, he said.
In comparison, CISOs who have been with a company for five or more years are on $200,000 to $300,000 per year, Comyns said.
experts have often criticized corporate America for being too
complacent about cyber risks and for not doing enough to protect their
computer networks from hackers.
recent PwC survey found the vast majority of cybersecurity programs
fell far short of guidelines drafted by the Commerce Department's
National Institute of Standards and Technology (NIST). Only 28 percent
of more than 500 executives surveyed said their company had a CISO or
Chief Security Officer.
high-profile data breaches, such as the one at Target, have injected a
new sense of urgency, executives said. Target ousted its CEO, Gregg
Steinhafel, earlier this month, and its chief information officer, Beth
Jacobs, resigned in February. The retailer is now searching for a CISO, a
newly created role.
"This is ringing bells at the C-suite," Charlie Croom, vice president of cybersecurity solutions at U.S. defense contractor Lockheed Martin Corp told the Reuters Cybersecurity Summit.
and executives said companies are increasing both the size and budget
of their security teams. By the end of 2014, JPMorgan's annual
cybersecurity budget will rise to $250 million from $200 million in
2012, CEO Jamie Dimon said in April. And the largest U.S. bank will have
about 1,000 people focused on cybersecurity, compared with 600 people
two years ago, he said.
JPMorgan spokesman said the bank will continue to invest and expand its
security team, but declined to confirm if the firm was looking for a
Cardinal Health CIO Patty Morrison said the healthcare services
company was looking to hire a vice president of security to bring in
"new talent and new ideas." USAA Chief Security Officer Gary McAlum
confirmed the diversified financial services group was looking for a
representatives were not available for comment, while a spokesman for
PepsiCo declined to comment. The soft drink and snack maker lost its
CISO, Zulfi Ahmed, to MetLife Inc earlier this year.
CHANGING FACE OF BOARDS
companies look for CISOs, many boards are seeking directors with
technology know-how so that they can better understand cyber risks. Matt
Aiello, co-head of the cyber practice at Heidrick & Struggles, said
he is seeing "unprecedented" demand for CIOs to serve on boards.
don't feel they have the right expertise to draw upon. It is not that
they don't understand it is a risk; they don't want to blunder
uninformed into it," said David DiBari, managing partner at the law firm
Clifford Chance in Washington.
Accenture CIO Frank Modruson, former Department of Defense CIO Teresa
Takai, Dell SecureWorks chief Mike Cote and AT&T Inc CISO Ed Amoroso
have all been approached to serve as potential directors, according to
people with knowledge of the situation.
said she is "looking at a couple of things," including with a security
technology company. Cote, through a Dell spokeswoman, confirmed he has
been approached by several companies about serving on their boards. An
AT&T spokesman declined to comment on behalf of Amoroso. Modruson
was not available for comment.
Craig, who serves on the boards of Akamai Technologies Inc, Wal-Mart
Stores Inc and software maker VMWare Inc, expects demand for CIOs to
serve on public boards to increase. "You need people who have direct
first-hand experience in the boardroom," she said.
Some boards are also considering moving responsibility for network
security to risk committees from audit committees, as cybersecurity is
increasingly viewed as a business risk more than a compliance issue,
according to Mary Galligan, director of Cyber Risk Services at Deloitte
& Touche LLP.
Security Senior Vice President Amit Yoran said boards are looking for
experts who can help them build security into products in development,
rather than bolting it on at the last minute.
are being brought to the business table more often," Yoran said. "This
is a realization that in many cases a business's survival relies on the
security of the technology."