Why Data Breaches Are Still Happening

Cyberattacks have quietly picked up in the post-pandemic era, but experts say chief security officers are struggling to be heard.

Ret. Lt. Gen. William Mayville Jr.,

Senior Client Partner, Cybersecurity

The chief security officer was trying to protect the company from security breaches. But when he offered information sessions on new training initiatives and data-access measures, few employees attended. Later, he found out that most of them didn’t understand the purpose of the meetings.

Though largely overlooked during the pandemic, data breaches—in which hackers access private corporate and customer data—have become all too common. In one alarming recent case, hackers accessed data from more than 30 million customers from just one US firm. Nearly half of US companies experienced a data breach last year, and 15 million data records were exposed in Q3 of 2022, up by 37% from the prior quarter. The uptick is partially driven by AI, which enables hackers to more swiftly write code and exploit systems. “This is singularly the most important strategic issue right after the business plan,” says Lieutenant General (ret) Bill Mayville, senior client partner in the Cybersecurity practice at Korn Ferry. “People who aren’t aware of the consequences are in for a world of hurt.”

In response, deep-pocketed firms are scouting hard for security leaders. Most are chasing the same few hundred candidates, creating an intensely competitive hiring market. Yet after being hired, many CSOs—as in the hypothetical case above—find that it’s no easy task to navigate an increasingly complex and risky environment while simultaneously trying to communicate urgency to mostly non-technical rank-and-file employees. An ideal candidate mixes technical expertise with business experience, and will likely command flexible and hybrid work arrangements that differ from companywide office mandates.

In some cities, the CSO job market pays much less than the national market does—like Chicago, where any company insisting on in-office arrangements will likely attract second- and third-tier talent. “I see a lot of organizations fail on that,” says Max Kershner, a principal in the Cybersecurity and Technology practice at Korn Ferry.

The key to avoiding a crisis, says Mayville, is for board directors and others to evaluate the organization’s security measures, beginning with a review of regulatory standards and responsibilities. “That can be eye-opening,” says Mayville. Next, ask security specialists to evaluate restrictions on access to data. What other security measures are in place—firewalls? routine password changes? employee trainings?

If new security staffers are needed, experts advise taking the time to be selective about hiring a CSO. An incoming CSOs should bring their own network of people from day one, and should excel at retaining talent, says Kershner. Diversity is important, he says, because diverse department management results in more people organically queuing up to work there. “If you make the wrong move, you can set yourself back years, from both a cost and talent perspective,” says Kershner.

For more information, please contact the Korn Ferry Cybersecurity practice .