For the past 16 years, I have had the pleasure of watching the risk and compliance professions evolve, stumble, steady, and become a critical mainstream function in financial service firms, as well as multi-nationals and healthcare firms. We have had the great fortune to fill senior risk and compliance roles at top firms including BlackRock, Blue Mountain Capital, Fidelity, Bank of Montreal, Goldman Sachs, GE, Wells Fargo, BP, Protiviti, Blue Shield of California, and Duke Health. It seems to be no coincidence that Risk Talent Associates never received a request for risk or compliance search assistance from Enron, Lehman, Bear Stearns, and certainly not from Bernie Madoff.
What are the biggest risks facing our clients in 2017? Tough question, because particularly in healthcare, where the risks can involve loss of life, there is a vast shortage of clinically trained risk professionals. But, even with that challenge, the single greatest risk facing firms, our markets, and our way of life is CyberSecurity. Our research shows that most of the Fortune 100 firms appear to be working diligently on this, but the effort drops off significantly below that tier. The number of posted Chief Information Security Officer openings far exceeds the supply of qualified candidates.
Here is what our new SEC Chairman Jay Clayton said in a recent speech on July 12, 2017 at the Economic Club in NYC:
“Speaking more generally, cybersecurity is also an area where coordination is critical. Information sharing and coordination are essential for regulators to address potential cyber threats and respond to a major cyberattack, should one arise. The SEC is therefore working closely with fellow financial regulators to improve our ability to receive critical information and alerts and react to cyber threats…. As a final comment on enforcement, I want to go back to cybersecurity. Public companies have a clear obligation to disclose material information about cyber risks and cyber events. I expect them to take this requirement seriously. I also recognize that the cyber space has many bad actors, including nation states that have resources far beyond anything a single company can muster. Being a victim of a cyber penetration is not, in itself, an excuse. But, I think we need to be cautious about punishing responsible companies who nevertheless are victims of sophisticated cyber penetrations. Said another way, the SEC needs to have a broad perspective and bring proportionality to this area that affects not only investors, companies, and our markets, but our national security and our future.”
Basically, Clayton is saying CyberSecurity is a critical area, and that the SEC needs to support, rather than punish, companies who are diligently working to prevent and mitigate cybersecurity threats. As a board member, you realize that much of your role is ensuring that stakeholders are protected from risks, and that the firm is doing its best to understand and mitigate those risks. Where does your firm stand on CyberSecurity? If you don’t know the answer to this, that, in itself, is a risk.
The answer to the question is – CyberSecurity is the most significant risk that most people, and businesses, face. Specifically, CyberSecurity is an operational risk, and until this function becomes more mainstream and mature, the role should report either to the Chief Risk Officer or to someone else in the C-suite.
Regardless of the reporting structure, frankly, the challenge isn’t simply finding smart IT people to build systems to outwit the hackers. Hackers, by their nature, will find ways around strong controls, or will prey on the weakest systems. Sure, firms need the best and the brightest technical resources. But, the real challenge is finding the right people who can interface between the business and technology – to make sure that customers, employees and shareholders are protected. Even the largest financial services firms in the world are dealing with this same issue.
Do you have senior risk and business people, who are thinking strategically about CyberSecurity risk?
Risk Talent has partnered with leaders in the CyberSecurity consulting industry. If we can make a connection for you, feel free to reach out. And, due to the nature of this beast, our CyberSecurity recruitment services include a pre-search discussion between industry-leading CyberSecurity experts and your management team, to ensure that both the short term CyberSecurity strategy, as well as the search/hiring plan, makes sense.