In World War I, the space between the most-forward trenches in a battle was called No Man’s Land – a place you didn’t want to be.
I learned it as a tennis term. In tennis, you want to play at the net or behind the baseline. The middle of the court is where the ball bounces. You can’t play from there because it’s hard to hit balls that are bouncing at your feet, thus No Man’s Land.
I see a lot of companies trying to play from the middle of the court when going through the process of selecting a security leader. It doesn’t have to be this way. A good dose of honest evaluation in a few key areas makes for a positive foundation to hire the right person to secure your company, employees and clients.
Arm yourself with consensus and understanding in the three following areas to avoid falling into No Man’s Land.
1. Determine your real risk tolerance.
At its root, hiring a security leader is a philosophical exercise. You start at 10,000 feet and work your way down to the details. On a scale of 1-10, how secure do you want your company to be? There’s not a right or wrong answer. Where companies get into trouble is when they’re at a 5 and try to hire a security leader whose expectation is an 8, or vice versa.
Some key questions to ask are: What do you want your security leader to oversee? Is it just security operations, or does it also include risk management, governance, legal, and identity and access management? Does your budget allow you to succeed in achieving your goals for security? How much do you want in-house versus working with a Managed Security Services Provider (MSSP)?
2. Confront the immovable wall of the executive payment structure.
Sometimes I sit in a room with company executives while going over qualifications for a security leader when the question everybody wants to ask is finally broached. “What’s a person like this gonna cost?” I give the answer, and everybody stares at their shoes. Silence. I know that I just blew up the entire executive compensation model of that company.
Folks, I know hackers that make more than most COOs of small and mid-size companies. Cybersecurity is a seller’s market, and the good leaders get PAID. A company has two choices: 1) dial back the expectations and requirements to bring the job in line with the compensation, or 2) get ready to write a check…and hope the COO doesn’t find out the number.
3. The “it won’t happen to us” philosophy.
The ultimate test of risk tolerance is how you confront the idea of a breach. I could type for half a day, listing statistics on breaches, estimated costs to companies based on industry, and hidden costs of reputation damage. The reality is not so simple.
Is Equifax really going to take a hit for its egregious breach of massive amounts of customer data? Industry knowledge and history suggest that Equifax will be fine. But you aren’t as big as Equifax. You probably have real customers that can easily take their business elsewhere. Plus, let’s be honest: it’s usually the smaller companies that feel the outsized fines for breaches.
The comment at this point is, “I can spend a bunch of money on a security leader and his/her budget, but that doesn’t guarantee me that I won’t get breached.” True. In fact, you probably will. But a good leader and team drive that probability way down.
And they can do two invaluable things: 1) build a security culture within your company, which matters because a large share of breaches begin inside your company, through malicious or simply careless insiders; and 2) create the proper structure for dealing with a breach if it happens. It’s not always the breach that gets companies in trouble; it’s what they do about it and how quickly.
Don’t get caught in No Man’s Land. Determine your risk tolerance and match it with a budget that’s in lockstep with your goals. Once you’re there, you can confidently hire the security leader and team to execute.
About the Author: Chance Hoag owns Talon Placement, a nationwide recruiting firm headquartered in Nashville, TN which is focused exclusively on cybersecurity, risk, privacy, and compliance. You can follow him on LinkedIn and Twitter.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.