The talent shield

Enterprises that fail to lock in the right people, roles, practices, and procedures to respond robustly to cybersecurity issues expose themselves to exponentially increasing risk. Cyberattacks have increased exponentially over the past five years with an estimated global economic cost of between $375 billion and $575 billion annually.

The headlines blare with disturbing frequency: Retailers, health care providers, financial services companies, and even the federal government report with distressing regularity that they have fallen prey to hackers. These security breaches dismay users and customers, disrupt important business practices and plans, and cost the economy billions of dollars. As Korn Ferry research has shown, safeguarding against persistent, pervasive, and pernicious attacks through effective cybersecurity has become a significant talent challenge for 21st century organizations. Enterprises that fail to lock in the right people, roles, practices, and procedures to respond robustly to cybersecurity issues expose themselves to exponentially increasing risk.

Cyberattacks have increased exponentially over the past five years, with a global economic cost of between $375 billion and $575 billion annually. The annual average cost per company of a successful cyberattack increased to $12.7 million in financial services, and by 78% overall, in the last four years. The total number of security incidents detected by businesses responding to a recent survey climbed to 42.8 million in 2014, an increase of 48% from 2013. The number of detected security incidents has increased at a 66% compound annual growth rate since 2009. And though malicious and criminal hackers have attacked many kinds of businesses, the financial services sector experiences the second-highest annualized cost from cybercrime, behind only the energy and utilities sector.

Financial services companies, by the very nature of their business, find themselves with vulnerabilities that demand heightened anticipation and defense. A client breach, for example, can create huge problems for banking and credit providers, as occurred when several major retailers were hacked in 2014. Meanwhile, taking advantage of financial institutions’ tight linkages with one another, more than 100 banks across 30 countries reportedly have lost as much as $1 billion over two years in an elaborate cyberattack by multinational criminals who launched their assaults by gulling institutional employees with “spear phishing,” or maliciously infected emails. Banks also have been subjected to direct assaults, losing $7 million in one reported incident involving flawed automatic teller machines and $10 million in a rip-off aimed at an online banking platform.

As global computing markets move faster and faster toward device-based mobile services, cloud applications, and Internet-interconnected machines, financial services companies will struggle with new security challenges. More than 55% of the total cost of cybercrime can be attributed to malicious insiders, denial of service, and Web-based attacks, meaning, among other things, that companies need to consider security threats posed by systems access they grant to their staff remotely or from personal devices. John Hinshaw, executive vice president of technology and operations at Hewlett-Packard, has said that HP has grappled with the security implications of the more than 160,000 devices owned by the company, staff, and others with access to corporate systems. How then will financial services organizations respond when new breaches occur because of a smart flat-screen television or interconnected refrigerator listening to conversations in the employee lunch room? What will the response be when a thermostat in the IT department betrays confidential corporate information? And when executives go to the cloud to view photos of the company softball team championship, will they be opening an inadvertent backdoor to hackers seeking critical financial data and customer identity information?

The big need for talent.

Korn Ferry research, expertise, and talent market knowledge indicate that to address cybersecurity threats, financial services and other companies must, at a minimum, adopt a corporate security strategy, adequate security policies and budgets, dedicated security leadership, a comprehensive incident response plan, ongoing assessment of security capabilities, and internal education and communication. They should also emphasize the critical roles people play in responding to cybersecurity challenges. Corporate boards and C-suite executives must make cybersecurity a priority and help craft corporate strategies, then ensure that their organizations, top to bottom, embrace these and execute them with appropriate tactics, constant laser focus, and unstinting commitment. Directors and executives not only must provide leadership on and communication about cybersecurity issues, they must also ensure alignment in the C-suite on roles and responsibilities and the appropriate provision of critical talent and resources. Organizational discord can erupt if, for cybersecurity reasons for example, the internal developers of a new product find they must ask customers to go through multiple steps to access financial services; or those in a group may respond negatively if they learn that favorite work-around accounting-related software carries too much risk to be allowed on corporate systems; executives who travel extensively may demand more and greater remote systems access on a wider array of devices, no matter the security concern; or, when budget season rolls around, financial services companies might balk at paying for cybersecurity talent.

Clearly, the challenges are many, persistent, and constantly evolving for those in the C-suite with cybersecurity as the chief part of their portfolios. Demand for cyber- and information security talent is soaring at all organizational levels and across every industry. Korn Ferry finds that the need for people with traditional skillsets is outpaced by the need for people who can work at the strategic level, communicate well, and possess a mastery of technology, intelligence, business/customer requirements, and regulatory mandates and guidance, especially those encompassed in rules and regulations from the United States Securities and Exchange Commission and under the Dodd-Frank law. Cybersecurity, risk management, and security experience remain somewhat rare among directors of the KFMC100, the 100 largest companies by market cap as of May 31, 2015, Korn Ferry research shows. Of the 102 directors who joined the KFMC100 class of 2014, 6% had experience in cybersecurity, while 12% had experience in risk management, and 4% had security experience. In the previous year, just 1% of directors added to KFMC100 boards had cybersecurity experience, while 22% had risk management experience, and 3% had security experience.

As financial services organizations tackle cybersecurity issues, they may find that they need outside expertise, particularly to develop comprehensive solutions to recruit, develop, and retain elite cyber talent. Korn Ferry, especially through its Cybersecurity Center of Expertise, brings together market leadership and deep industry knowledge on a global scale to help financial services companies design and execute a talent strategy and organizational alignment. The firm can apply state-of-the-art people analytics, through Big Data and validated research, to help measure and to assess talent at various organizational levels, not solely in the C-suite, and to enable data-driven talent decision making. Korn Ferry tools and insights can provide busy CEOs, chief human resources officers, board members, and other hiring managers with experience, metrics, reliable measures, and other data so they need not rely solely on intuition and hunches in hiring, no matter the level of position or the volume of staff needed.

Korn Ferry research, for example, has established the value of assessing high-potential talent for learning agility, a trait or key leadership characteristic that the firm’s data identifies as a valid predictor of long-term leadership potential. Korn Ferry research suggests that only 15% of the global workforce is learning-agile. When these individuals can be identified and developed, the payoff for the company is significant. Korn Ferry found that companies with highly learning-agile executives have 25% higher profit margins than the other companies in the study. Learning-agile individuals also are promoted at double the rate of individuals with lower learning agility. Learning agility appears to enhance enterprise competitiveness and is associated with significantly higher profit margins.

Korn Ferry’s four dimensions of leadership and talent.

Four dimensions govern human performance in the workplace: competencies, experiences, traits, and drivers (Figure 1, KF4D). Korn Ferry research shows these four areas to be highly predictive of performance differences and correlated with key talent variables, including engagement, retention, productivity, leadership effectiveness, and leadership potential.

 
Figure 1. KF4D

Korn Ferry’s executive search framework can help hiring teams clarify their understanding of how well a candidate fits with their organization. Underpinning this framework is Korn Ferry talent intelligence, which includes more than 2.5 million assessments and profiles of seven million candidates.

The Four Dimensional Executive Assessment is an innovative tool built into the Korn Ferry search process, providing the most holistic perspective on the market today covering candidates’ competencies, personality traits, motivations, and experiences aligned to the role. The assessment captures, synthesizes, and visualizes unparalleled insight and delivers it to the hiring team in real time on any computer or tablet. By partnering with Korn Ferry and using people analytics, organizations have the ability to predict how well talent will fit in and perform.

For financial services firms, this kind of insight about cybersecurity candidates may prove especially decisive because of the demands they will encounter and the potential differences they may have in background. Because the field is evolving so rapidly, candidates may not, for example, possess the years of corporate grounding of many C-suite aspirants, directors, CEOs, and C-suite executives in other sectors with comparable needs and experiences, clients tell Korn Ferry. Some aspirants may come from the military, government, research institutions, the tech sector, or law enforcement; they need to be comfortable dealing with contacts in those constituencies at the same time they work fluidly in a new organizational environment with board members, the CEO, and fellow C-suite members. If breaches occur, they must be able to lead teams coolly and effectively and communicate well with colleagues. Whatever their exact titles in a financial services company, the executives with heavy roles and responsibilities in cybersecurity also need to be savvy about navigating a new organization’s people, practices, policies, and procedures, not the least of which would be those dealing with budgets and allocation of resources. Reading a resume and even multiple interviews with seasoned executive talent evaluators in a financial services organization may not offer hiring teams sufficient grasp of candidates’ potential. Evaluators need to be assisted by talent frameworks, assessments, experience, and expertise, as Korn Ferry provides.

Authors

  • Aileen Alexander

    Senior Client Partner, Co-Leader, Cybersecurity

  • Jamey Cummings

    Senior Client Partner, Co-Leader, Cybersecurity
