Having recently spoken to dozens of Chief Security Officers (CSO) and Chief Information Security Officers (CISO), I’ve yet to find a single one who does not agree with the following quote from Senator Coats.

“Cyber threats have moved to the No. 1 spot as the most direct threat to America.”
Dan Coats, Director of National Intelligence 

This sobering truth comes as no surprise to those of us within the IT industry.  What might surprise many, however, is the degree of resignation that I found amongst those charged with having our cyber backs.  To a person, they all seem to believe that the United States will inevitably experience a catastrophic cyber attack in the not-too-distant future, resulting in unimaginable losses of human life and precious resources.

I take no joy in writing the preceding words.  Nor did those who spoke them.  But write and speak them we must if we are to have any hope of thwarting the worst of these attacks.  I took some solace in hearing that we can do better, perhaps much better, if we allocate the required resources and give cyber security its rightful place atop the org charts of both public and private sector organizations.  Regarding resources, part of the answer to that huge and growing problem lies in companies selling the security features of their products and services at the premium prices consumers will increasingly be willing to pay.  The companies that stop thinking of security as a necessary evil and begin selling it as a competitive advantage stand to prosper greatly.

Corporate Growth vs. Security

Security is slowly but surely climbing the corporate ladder.  Yet today, in most organizations the CISO reports to the CIO.  That makes about as much sense as legal reporting to sales in a commercial enterprise.  Currently, sales (growth) holds the trump card over security (preservation) in most corporate board rooms.  With each painful and expensive breach, it will become increasingly obvious that the deck needs to be shuffled and stacked in favor of preserving the house money.  Write it on a rock…security will soon trump growth in corporate America.  Michael Oberlaender summed it up well in his book, “C(I)SO – And Now What?”:

“Failures at the organizational (org chart) level, or the process level, cannot be solved at the technical/procedural level.”
– Michael Oberlaender: C(I)SO – And Now What?

Public vs. Private Sector

Another common thread I’ve found amongst the silent heroes of the cyber wars is a desire to move from the public to the private sector.  Pretty easy to understand this one:  More money + Less hassle = More fun.  Yet, if this public-to-private sector migration picks up serious momentum, it could leave our nation’s cyber underbelly seriously exposed.  One public sector CISO told me that the federal government is already at least ten years behind the private sector when it comes to cyber security.  Just a small number of top-ranked CSOs and CISOs fleeing the public sector for high-paying, high-profile private sector jobs could set the country back even further.  So, what’s a digitally vulnerable nation to do?

To ensure that we have the best possible leaders overseeing our national cyber security, our federal government should:

  1. Close the pay gap between private and public sector cyber security executive positions
  2. Create a special recruiting program (Attract…Retain…Empower) to attract cyber security executives from the private to the public sector.  There is a very strong “patriotic duty” story to be told here.  One that I believe many would be willing to listen to if properly told.  A natural by-product of attracting the right leaders will be the attraction of their more technical followers who may have already worked for them or would jump at the chance to.
  3. Identify the leaders to be pursued and aggressively go after them, while being willing to engage the Executive Recruiters who have access to them.  Yes, I know, this sounds like a very self-serving statement, since we happen to offer such services.  However, anyone familiar with executive recruiting (be it internal or external) knows that you don’t simply post such jobs and wait to see what the cyber cat drags in.  Top executive talent is almost always found on a relationship basis.  Employers should fully leverage their existing relationships to identify as many qualified candidates as possible.  But, when it comes to finding top executive talent, many also choose to leverage the relationships of an Executive Recruiter.  At our firm, we offer a nice discount for public sector executive searches.

Our Future Heroes

The Real Heroes

During the early years of our firm, we coined a rather silly sounding recruiting mantra — We Hire Heroes!  Since it was a bit corny (as I’m prone to be), it long ago fell into disuse.  But, the more time I spend with CSOs and CISOs, the more inclined I am to revive our We Hire Heroes! mantra.  I truly believe that some of the greatest war heroes of the future will come from the ranks of the public sector cyber security professionals who forsook the trappings of commercial success to silently serve their country during our time of greatest need.  Believing this, I’m devoting a great deal of my personal time and energy to cultivate relationships with and earn the trust of these future heroes.

Given the nature of what our cyber war heroes do, their defeats will be broadcast around the world, while their victories will be known to only a chosen few.  If you be one of them, please know that you are a hero to me.  And, I humbly join a grateful nation in saluting and thanking you for your service.