Big companies - including JPMorgan, PepsiCo - put cyber experts on boards

PUBLISHED : Wednesday, 04 June, 2014, 5:23am
UPDATED : Wednesday, 04 June, 2014, 5:55am

Some of the largest US companies are looking to hire cybersecurity experts in newly elevated positions and bring technologists on to their boards, a sign that corporate America is increasingly worried about hacking threats.

JPMorgan Chase, PepsiCo, Cardinal Health, John Deere and the United Services Automobile Association are among the Fortune 500 companies seeking chief information security officers (CISOs) and other security personnel to shore up their cyber defences, according to people with knowledge of the matter.

While a CISO typically reported to a company's chief information officer (CIO), some of the hiring discussions now involved giving them a direct line to the chief executive and the board, consultants and executives said.

After high-profile data breaches such as last year's attack on US retailer Target, there is now an expectation that CISOs understand not just technology but also a company's business and risk management.

"The trend that we are seeing is that organisations are elevating the position of the CISO to be a peer of the CIO and having equal voice associated with resource priorities and risk decisions," said Barry Hensley, executive director at Dell SecureWorks' Counter Threat Unit.

With many companies looking for security executives with military or defence backgrounds, people with the right expertise can command increasingly higher salaries.

Large corporations have recently hired CISOs for between US$500,000 and US$700,000 a year, according to Matt Comyns, global co-head of the cybersecurity practice at search firm Russell Reynolds Associates. Compensation for CISOs at some technology companies with generous equity grants had reached as high as US$2 million, he said.

In comparison, CISOs who had been with a company for five or more years were on US$200,000 to US$300,000 per year, Comyns said.

Security experts have often criticised corporate America for being too complacent about cyber risks and for not doing enough to protect their computer networks from hackers.

A recent PwC survey found the vast majority of cybersecurity programmes fell far short of guidelines drafted by the Commerce Department's National Institute of Standards and Technology. Only 28 per cent of more than 500 executives surveyed said their company had a CISO or chief security officer.

But high-profile data breaches, such as the one at Target, had injected a new sense of urgency, executives said. Target ousted CEO Gregg Steinhafel earlier this month and chief information officer Beth Jacobs resigned in February. Target is searching for a CISO, a newly created role.

"This is ringing bells at the C-suite," Charlie Croom, vice-president of cybersecurity solutions at US defence contractor Lockheed Martin, told the Reuters Cybersecurity Summit.

Recruiters and executives said companies were increasing both the size and budget of their security teams. By the end of this year, JPMorgan's annual cybersecurity budget would rise to US$250 million from US$200 million in 2012, CEO Jamie Dimon said in April, with about 1,000 people focused on information security.