April 4, 2019
Improving Security from Top to Bottom: Key Lessons from RSA 2019
The theme of the 2019 RSA Conference, “Better,” has several meanings: the goal of formulating better cybersecurity solutions, inspiring better ideas and helping create a better, safer world. These objectives seemed especially pressing because of the recent successful cyberattacks on everything from prestigious American colleges to multibillion-dollar software companies to car-alarm apps.
Spencer Stuart hosted our annual gathering of security industry leaders and chief information security officers (CISOs), and we heard a great deal about the value of instilling a robust security mindset from the bottom of the organization up to the C-suite. In our conversations with leaders and at the conference, which brought more than 50,000 people to San Francisco, popular leadership topics included: the importance of diversity, both as a way to improve security and to broaden a company’s culture; how to improve retention by creating connections between leadership and employees; and the wide-ranging skill set possessed by the CISO of tomorrow.
1. To retain talent, be “human”: As cybersecurity has become an increasingly critical part of the business world, higher demand and rising compensation have made it more difficult to attract and retain top talent in this discipline.
To reduce turnover and keep valuable talent, leaders must create a culture that prioritizes keeping employees satisfied and engaged. For starters, connecting on a “human” level may seem obvious, but ensuring that rising stars are properly acknowledged for their aspirations and creativity boosts morale and increases loyalty. Investing in employees’ futures helps, as well: Companies that create educational opportunities for employees often have a higher profit margin and increased rates of retention. Senior leadership teams and boards must play a key role in establishing an organizational culture where learning is prioritized and encouraged.
2. Diversity has become essential: As in previous years, the topic of diversity garnered much attention at the conference, and rightfully so: Women comprise only 24 percent of the cybersecurity workforce according to the latest (ISC)2 Women in Cybersecurity report.
What differentiated this year’s discussion at the RSA Conference was the focus on how diversity can help direct a change in culture, which is crucial given that security needs to become an integral part of companies’ organizational culture.
For many of the cybersecurity companies we work with, the desire for diversity in the boardroom and the C-level is there, but the supply of talent is not keeping up with the demand. Organizations need to step up their recruiting efforts and examine their assessment criteria to ensure they are casting a wide net to expand their diversity. Ways to do this include: creating partnerships with nonprofits, evaluating candidate assessment processes to uncover unconscious bias and establishing leadership development programs to build a pipeline of diverse, next-generation talent.
3. Tomorrow’s CISO must be operational and strategic: As cyberattacks continue, the role of the chief information security officer (CISO) grows in importance — and difficulty. Beyond the ever-growing threat of cyberattacks, CISOs must deal also with a constantly shifting legal and regulatory environment, as well as attackers who are growing more brazen and increasingly sophisticated in their abilities.
The CISO of the future must understand analytics, artificial intelligence (AI) and other automated, intelligent systems that can help guide security planning and response. The CISO must also have an overarching view of enterprise risk, but still have a strong command of operational and logistical issues. This is a widely varied skill set, and as we previously noted, the pool of security leaders with these skills is limited today.
Conclusion
With the shortage of cybersecurity talent only growing, RSA 2019 reinforced that leadership will be a critical differentiator in determining a company’s level of success. Beyond simply staying at the cutting edge of investing in defensive technologies, the most successful cybersecurity organizations will also strive to create a diverse workforce, instill a rewarding, “human” culture and find leaders who have a wide-ranging view of security — and can imbue it throughout all levels of the organization.
Michael Dickstein recruits senior-level executives for clients ranging from private equity-backed startups to multinational companies and leads many of Spencer Stuart’s searches in the cybersecurity space. He is a member of the Technology, Media & Telecommunications Practice and a leader of the Sales Officer Practice. Reach him via email and follow him on LinkedIn.
Bernhard Kickenweiz specializes in recruiting senior-level executives for technology and telecommunication services clients and leads many of Spencer Stuart’s searches in the cybersecurity space. He is a member of the Technology, Media & Telecommunications Practice. Reach him via email and follow him on LinkedIn.