So, in case you doubted the risks inherent in maintaining databases and all the other matters now handled by technology, this past weekend's cyber crisis around the world, hospitals included, is nothing to take lightly. Nonprofit boards should now consider themselves "on alert" to ensure that their organization's technology is in place and secure. Yes, this is a policy matter that any prudent owner, aka the nonprofit board, would want executed post-haste.
"Ah, but," you say, "how will our little or even medium-sized nonprofit be able to do what the big nonprofits do?" My suggestion: partnerships. This is an excellent opportunity to join forces with other nonprofits in your sector to pool resources, form a plan and take action. I posit that this type of partnership can be secure and affordable, and may, in the long run, lead to other opportunities for shared work and costs, and who knows what else?
To start you off on what resources you need to achieve cyber-safety, check out the following Wall Street Journal article.
For Many Companies, a Good Cyber Chief Is Hard to Find
Wanted: Chief information security officers with board-level management skills, tech knowledge and low blood pressure.
“They need to be senior enough, confident enough, able to handle both the strategy and tactical nature of the role so I can get out of their way,” she said. “I want someone who’s been in an attack and won’t freeze.”
Demand for chief information security officers is rising as cybersecurity problems attract the attention of corporate boards. About 65% of large U.S. companies now have a CISO position, up from 50% in 2016, according to the Information Systems Audit and Control Association, a nonprofit professional group.
Over the weekend, a so-called ransomware cyber attack hit more than 200,000 victims in at least 150 countries. Other recent cyberattacks on leading law firms, international banks and internet companies have compromised the personal data of millions. In December, Yahoo Inc. disclosed the theft of data related to more than one billion accounts.
Meanwhile, cybersecurity talent is in short supply. Unfilled jobs are expected to number 1.8 million by 2022, up 20% from 1.5 million in 2015, according to a global survey of 19,000 cybersecurity workers by the nonprofit Center for Cyber Safety and Education.
New to the top ranks, CISOs must plan strategy with chief executives, collaborate with senior managers during a crisis, direct teams of technical engineers, and flash their own technology skills to hunt attackers in the computer infrastructure.
A seasoned CISO in financial services can earn $1.5 million, said Phil Schneidermeyer, a partner who specializes in CISO placement at search firm Heidrick & Struggles International Inc. In other industries, $400,000 to $500,000 is typical, he said.
Temperament also matters, said Tim McKnight, CISO of Thomson Reuters Corp. Chief information security officers often work for weeks or months under sometimes crushing stress, including in the aftermath of a breach, he said.
“For some people, being that close to the sun is not the greatest job,” he said. “The top of the house wants someone battle-tested, with a low heart rate and low blood pressure.”
Mr. McKnight joined Thomson Reuters in October after leading information security at General Electric Co., Fidelity Investments, Northrop Grumman Corp., and BAE Systems.
Few CISOs can match Mr. McKnight’s 17 years in corporate security, and recruiters know exactly who they are, Mr. Schneidermeyer said. “They are getting multiple calls a week. It’s insane. It’s just insane.”
About 23% of CISOs, and those in similar executive security positions, say they receive five or more solicitations from recruiters weekly, according to a 2016 survey of 437 cybersecurity professionals by Enterprise Strategy Group consultancy and the Information Systems Security Association professional group.
Varian Medical Systems Inc. is five months into the search for a CISO, a newly created title there. Jessica Denecour, the company’s chief information officer, said she doesn’t lack for applicants. More health-care companies are seeking chief information security officers, she said, in response to challenges posed by the emergence of increasingly sophisticated cyberattacks, companies shifting more computing outside their own firewalls to the cloud, and even medical devices with embedded sensors that could be accessed to reprogram or to expose patients’ personal information.
“The risk profile in our environment and our customer’s environments is changing and we are focused on this,” she said.
The world-wide shortage of cybersecurity professionals—not just at the CISO rank—can lead to weak succession planning in corporate IT positions, said Brad Maiorino, a former CISO at Target Corp., General Motors Co. and General Electric Co.
He was Target’s first chief information security officer, hired in 2014, six months after the retailer discovered a data breach that compromised the personal information of up to 40 million customers. The well-publicized attack, which ultimately cost Target more than $202 million, helped awaken corporate boards to cybersecurity issues.
Mr. Maiorino said too few CISOs provide extensive training and personal mentoring, which are important for continuity when a cybersecurity leader leaves. “If you move on, you don’t want the program to be dependent on you and fall apart, nor do you want your company to have to search for outside talent that needs to be ramped up,” he said.
Three months after joining Target, he hired Rich Agostino, a colleague from GE. When Mr. Maiorino left in March to become an executive vice president with Booz Allen Hamilton Holding Corp., Target promoted Mr. Agostino to CISO.
Appeared in the May. 16, 2017, print edition as 'Firms Vie In Hiring Of Cyber Experts.'