By.Anders Melin
It took a $650,000 salary
for Matt Comyns to entice a seasoned cybersecurity expert to join one of
America’s largest companies as chief information security officer in 2012. At
the time, it was among the most lucrative offers out there.
This year, the company had
to pay $2.5 million to fill the same role.
“It’s a full-on war for
cyber talent,” said Comyns, a managing partner at executive search firm
Caldwell Partners who specializes in information security. “CEOs know that, so
they play hardball. Everyone’s throwing money at this.”
The threat of digital
breaches -- and the fines, lawsuits and occasional executive resignations that
sometimes follow -- has left companies scrambling to scoop up scarce security
experts. The growing compensation packages and broadened responsibilities are a
dramatic shift for a group of workers who once confined to obscure IT
departments, little more than an afterthought to senior management.
Unfilled
Jobs
In the 12 months ended
August 2018, there were more than 300,000 unfilled cybersecurity jobs in the
U.S., according to CyberSeek, a project supported by the National Initiative
for Cybersecurity Education. Globally, the shortage is estimated to exceed 1
million in coming years, studies have shown.
That’s coincided with
increased frequency and sophistication of digital attacks, which range from
disruption of computer systems to extortion and theft of sensitive personal
information.
In April, JPMorgan Chase
& Co. Chief Executive Officer Jamie Dimon told shareholders that
cybersecurity “may very well be the biggest threat to the U.S. financial
system.” His counterpart at Bank of America Corp., Brian Moynihan, said
previously that the lender’s cybersecurity unit operates with an unlimited
budget.
Just last week, Capital One
Financial Corp. disclosed that personal data of about 100 million customers and
card applicants had been illegally accessed by a Seattle woman, possibly one of
the largest breaches affecting a U.S. bank. The firm’s shares have fallen 8.9%
since the intrusion was revealed.
Equifax
Settlement
In late July, credit
reporting firm Equifax Inc. agreed to pay up to $700 million to settle federal
and state investigations into a 2017 hack that compromised sensitive
information of more than 140 million people and led to the resignation of the
firm’s long-time CEO Rick Smith.
Former Equifax CEO Richard
Smith Testifies Before The Senate Banking Committee
High-profile breaches aside,
myriad U.S. companies and employees are the subject of hacker attacks each day.
Industry insiders joke that there are two types of companies: Those that have
been hacked, and those that haven’t yet discovered that they’ve been hacked.
“If you’re not careful, you
can get numb to it,” said Andrew Howard, who leads the enterprise security
division of Kudelski Group.
Equifax paid Jamil Farshchi
$3.89 million in 2018 to take the job as chief information security officer. He
joined from Home Depot, which had hired him in the wake of a 2014 breach that
exposed credit-card information belonging to 56 million customers.
Directly
Involved
While most U.S. firms don’t
disclose compensation for top information-security executives, Comyns said big
tech firms on the West Coast can pay as much as $6.5 million, most of it in
stock. In some cases, direct reports can make around $1 million -- more than
their bosses typically would have made just a few years ago.
Aware of the challenges of
replacing a security chief, many companies take unprecedented measures to keep
them, with CEOs often getting involved in the negotiations. In one recent
instance, Comyns said, a CISO who considered leaving was told to go home and
write down 10 things that would change his decision. The list included a 50%
increase in salary and bonus, more than doubling his long-term incentive award,
a promotion and a new office. The CEO concurred, and the person stayed.
Hefty raises can pale in
comparison with the potential downside. The average cost of a breach for U.S.
companies was about $8 million, according to a study from IBM Corp. and the
Ponemon Institute. Equifax shows that the cost can be many multiples of that.
This week, Marriott International Inc. reported they took a $126 million charge
related to a 2018 breach of one of its reservations databases.
Bigger
Paychecks
Insurance can cover
financial expenses, but won’t help restore lost customer trust and a tarnished
reputation, said James Lam, a director at E*Trade Financial Corp. who also
advises companies on risk management, including cybersecurity.
CEOs may be inclined to
spend more because their own jobs and reputations could be on the line. Gregg
Steinhafel resigned as CEO of Target Corp. in 2014 after a hacker attack that
compromised 40 million credit card accounts rocked the already-struggling
retailer.
That episode “got everyone’s
attention,” said Kudelski Group’s Howard, and led to scores of companies
appointing people with cybersecurity expertise to their boards.
It’s also pushed many
companies to expand the responsibilities of information security staff,
ensuring that their work spans the entire organization. To Comyns, that means
their pay will continue to increase.
“CEOs don’t know what it’s
worth until it’s walking out the door,” Comyns said. “Then they stand in the
door and say, ‘You’re not going anywhere.
Tidak ada komentar:
Posting Komentar