Ahead of his appearance at the AESC’s Global Conference in April, Joe Nocera, Partner at PwC, describes what boards are looking for to meet their cyber security needs.

How well equipped are the world’s largest companies to handle the threat of cyber security breaches today?

I think if we’ve learned one thing over the last two years, it is not a matter of ‘if’, it is a matter of ‘when’. Even the most sophisticated companies are still subject to breaches. This is the reality that we live in. We have a very complex ecosystem of technology, of business partners, of customers and of employees. It is very easy for a sufficiently motivated individual to find a weakness somewhere in that chain. We’ve seen a real shift and a movement from trying to prevent something from happening to being prepared when it does so that you minimize the total damage.

How frequently are cyber security breaches happening?

They are literally happening all the time – there are hundreds of breaches that never make the news. The FBI reported that they were involved in over 3,000 cyber security breaches in the US last year. There are different degrees of magnitude obviously, but in our business we see, in any given day, probably have 10-15 large breaches that we’re helping clients deal through. Very large organizations are probably in a constant state of breach, where they’re managing an individual server or system that has been compromised. What the best firms are able to do is they’re able to contain the damage so that it doesn’t become widespread. 

How quickly have boards reacted to the threat of cyber security breaches?

We see them keenly interested in this. After the Target breach last year we saw more and more boards getting engaged in this discussion. If you’re a major Fortune Global 2000 technology company it is almost impossible that your board hasn’t asked a question around cyber security. If you’re a Financial Services regulated organization, the regulators have come out with guidance that mandates the board takes this on as a topic. Virtually every client we have, the board is taking this on as a topic and getting briefed on a regular basis.

What skills does it take for someone to thrive in a leadership role overseeing cyber security?

It is a very difficult role to fill right now. It requires a number of skills and experiences that are difficult to find in a single individual. You certainly need technical acumen that somebody who has grown up in the networking, internet, technology space has. They have to understand bits and bytes and fairly technical concepts.

At the same time it is really important that the person is able to communicate and engage with the business. This is fundamentally a risk management discussion. What are the types of bad things that can impact our competitive position? What is our tolerance for certain bad things to happen? Having those plain English business discussions is really critical and being able to frame the problem in a way that you can get your senior executives engaged in it is a really critical success factor.

The third factor the individual needs is the ability to consume and process intelligence – often somebody from the intelligence community, for instance someone who has come from the FBI, the CIA or GCHQ. Many of the same skills and techniques that our government uses to track down physical criminals can be used to track down criminals online.

Do you see cyber security becoming its own function in time?

We see it best integrated with the legal, risk and compliance function. We believe that the firms that do this best elevate it outside of IT and integrate it into their broader crisis management capabilities.

In your opinion, how well placed are executive search firms to handle the increased demand for executives with cyber security knowledge?

Executive search firms certainly have the access and there is the market opportunity there. There are far fewer qualified candidates than there are positions and needs. The challenge for the search firms is to really get knowledgeable in the space, to understand the character traits and experiences that clients are looking for in these types of roles, and to understand what the attributes are that make somebody successful.