Cyber Security: What Boards Are Looking For To Handle Threats


Ahead of his appearance at the AESC’s Global Conference in April, Joe Nocera, Partner at PwC, describes what boards are looking for to meet their cyber security needs.

How well equipped are the world’s largest companies to handle the threat of cyber security breaches today?

I think if we’ve learned one thing over the last two years, it is not a matter of ‘if’, it is a matter of ‘when’. Even the most sophisticated companies are still subject to breaches. This is the reality that we live in. We have a very complex ecosystem of technology, of business partners, of customers and of employees. It is very easy for a sufficiently motivated individual to find a weakness somewhere in that chain. We’ve seen a real shift and a movement from trying to prevent something from happening to being prepared when it does so that you minimize the total damage.

How frequently are cyber security breaches happening?

They are literally happening all the time – there are hundreds of breaches that never make the news. The FBI reported that they were involved in over 3,000 cyber security breaches in the US last year. There are different degrees of magnitude obviously, but in our business, in any given day, we probably have 10-15 large breaches that we’re helping clients deal with. Very large organizations are probably in a constant state of breach, where they’re managing an individual server or system that has been compromised. What the best firms are able to do is they’re able to contain the damage so that it doesn’t become widespread.

How quickly have boards reacted to the threat of cyber security breaches?

We see them keenly interested in this. After the Target breach last year we saw more and more boards getting engaged in this discussion. If you’re a major Fortune Global 2000 technology company it is almost impossible that your board hasn’t asked a question around cyber security. If you’re a Financial Services regulated organization, the regulators have come out with guidance that mandates the board takes this on as a topic. Virtually every client we have, the board is taking this on as a topic and getting briefed on a regular basis.

What skills does it take for someone to thrive in a leadership role overseeing cyber security?

It is a very difficult role to fill right now. It requires a number of skills and experiences that are difficult to find in a single individual. You certainly need technical acumen that somebody who has grown up in the networking, internet, technology space has. They have to understand bits and bytes and fairly technical concepts.

At the same time it is really important that the person is able to communicate and engage with the business. This is fundamentally a risk management discussion. What are the types of bad things that can impact our competitive position? What is our tolerance for certain bad things to happen? Having those plain English business discussions is really critical and being able to frame the problem in a way that you can get your senior executives engaged in it is a really critical success factor.

The third factor the individual needs is the ability to consume and process intelligence – often somebody from the intelligence community, for instance someone who has come from the FBI, the CIA or GCHQ. Many of the same skills and techniques that our government uses to track down physical criminals can be used to track down criminals online.

Do you see cyber security becoming its own function in time?

We see it best integrated with the legal, risk and compliance function. We believe that the firms that do this best elevate it outside of IT and integrate it into their broader crisis management capabilities.

In your opinion, how well placed are executive search firms to handle the increased demand for executives with cyber security knowledge?

Executive search firms certainly have the access and there is the market opportunity there. There are far fewer qualified candidates than there are positions and needs. The challenge for the search firms is to really get knowledgeable in the space, to understand the character traits and experiences that clients are looking for in these types of roles, and to understand what the attributes are that make somebody successful.

To read the full feature in Search, The Global Executive Talent Quarterly from the AESC, click here.

About the author

About BlueSteps

Share your thoughts


I'm happy to see this issue being talked about by the Search community.

I'm particularly glad the author suggested integrating the CISO into an 'umbrella' Risk function rather than suggesting the CISO report to the CEO (which creates all sorts of issues).

I think two important points need to be added:

1. Effective Board oversight of IT requires an IT-savvy Board member. It's good to hear that Boards are interested in hearing about cyber-risk, but if the Board can't ask the right questions or understand the answers, things will slip through the cracks (did Anthem's Board hear that their IT team had chosen NOT to encrypt client data? That statement would have scared me to death were I on that Board).

2. Although recent headlines have focused on data breaches there are many other IT risks that should be considered (e.g., what damage would a failed ERP implementation do to a firm?). Even more important than mitigating risks is seizing opportunities presented by disruptive SMAC-IT (Social, Mobile, Analytics, Cloud, Internet of Things) technologies. IT knowledge on the Board allows them to properly oversee the firm's investment in technology.

A question for the Search community: are Boards asking for IT-savvy candidates when filling openings, or even looking to expand the Board to handle the emerging threat/opportunity presented by the rapid evolution of technology?
