Cybersecurity pros name their price as hacker attacks spike

It took a $650 000 (R9.7m) salary for Matt Comyns to entice a seasoned cybersecurity expert to join one of America’s largest companies as chief information security officer in 2012. At the time, it was among the most lucrative offers out there.

This year, the company had to pay $2.5m (R37m) to fill the same role.

“It’s a full-on war for cyber talent,” said Comyns, a managing partner at executive search firm Caldwell Partners who specialises in information security. “CEOs know that, so they play hardball. Everyone’s throwing money at this.”

The threat of digital breaches - and the fines, lawsuits and occasional executive resignations that sometimes follow - has left companies scrambling to scoop up scarce security experts. The growing compensation packages and broadened responsibilities are a dramatic shift for a group of workers who were once confined to obscure IT departments, little more than an afterthought to senior management.

Unfilled jobs

In the 12 months ended August 2018, there were more than 300 000 unfilled cybersecurity jobs in the US, according to CyberSeek, a project supported by the National Initiative for Cybersecurity Education. Globally, the shortage is estimated to exceed 1 million in coming years, studies have shown.

That’s coincided with increased frequency and sophistication of digital attacks, which range from disruption of computer systems to extortion and theft of sensitive personal information.

In April, JPMorgan Chase & Co. Chief Executive Officer Jamie Dimon told shareholders that cybersecurity “may very well be the biggest threat to the US financial system.” His counterpart at Bank of America Corp., Brian Moynihan, said previously that the lender’s cybersecurity unit operates with an unlimited budget.

Just last week, Capital One Financial Corp. disclosed that personal data of about 100 million customers had been illegally accessed by a Seattle woman, possibly one of the largest breaches affecting a US bank. The firm’s shares have fallen 8.9% since the intrusion was revealed.

Equifax settlement

In late July, credit reporting firm Equifax Inc. agreed to pay up to $700m to settle federal and state investigations into a 2017 hack that compromised sensitive information of more than 140 million people and led to the resignation of the firm’s long-time CEO Rick Smith.

High-profile breaches aside, myriad U.S. companies and employees are the subject of hacker attacks each day. Industry insiders joke that there are two types of companies: Those that have been hacked, and those that haven’t yet discovered that they’ve been hacked.

“If you’re not careful, you can get numb to it,” said Andrew Howard, who leads the enterprise security division of Kudelski Group.

Equifax paid Jamil Farshchi $3.89m in 2018 to take the job as chief information security officer. He joined from Home Depot, which had hired him in the wake of a 2014 breach that exposed credit-card information belonging to 56 million customers.

Directly involved

While most US firms don’t disclose compensation for top information-security executives, Comyns said big tech firms on the West Coast can pay as much as $6.5 million, most of it in stock. In some cases, direct reports can make around $1m - more than their bosses typically would have made just a few years ago.

Aware of the challenges of replacing a security chief, many companies take unprecedented measures to keep them, with CEOs often getting involved in the negotiations. In one recent instance, Comyns said, a CISO who considered leaving was told to go home and write down 10 things that would change his decision. The list included a 50% increase in salary and bonus, more than doubling his long-term incentive award, a promotion and a new office. The CEO concurred, and the person stayed.

Hefty raises can pale in comparison with the potential downside. The average cost of a breach for US companies was about $8m, according to a study from IBM Corp. and the Ponemon Institute. Equifax shows that the cost can be many multiples of that. This week, Marriott International Inc. reported that it took a $126m charge related to a 2018 breach of one of its reservations databases.

Bigger paychecks

Insurance can cover financial expenses, but won’t help restore lost customer trust and a tarnished reputation, said James Lam, a director at E*Trade Financial Corp. who also advises companies on risk management, including cybersecurity.

CEOs may be inclined to spend more because their own jobs and reputations could be on the line. Gregg Steinhafel resigned as CEO of Target Corp. in 2014 after a hacker attack that compromised 40 million credit card accounts rocked the already-struggling retailer.

That episode “got everyone’s attention,” said Kudelski Group’s Howard, and led to scores of companies appointing people with cybersecurity expertise to their boards.

It’s also pushed many companies to expand the responsibilities of information security staff, ensuring that their work spans the entire organization. To Comyns, that means their pay will continue to increase.

“CEOs don’t know what it’s worth until it’s walking out the door,” Comyns said. “Then they stand in the door and say, ‘You’re not going anywhere.’”
