In Hunt Scanlon’s Executive Search Review: Cyber Technology Recruiting special issue, Matt Comyns, managing partner of Caldwell’s Cyber Security Practice, shares his first-hand experiences on cyber recruiting for the private equity industry with a focus on the rise of the chief information security officer role.
Matt, give us a 30,000-foot overview of cybersecurity recruiting.
It has been nearly seven years since the Target breach—the catalyst for the meteoric rise of the chief information security officer. In the spring of 2013, cybersecurity was a relatively new space. Most companies, private equity or otherwise, were not investing in this function unless they were an early mover. I had placed a handful of CISOs, but most of the CEOs I spoke to were thinking about hiring a head of security but just were not there yet. When news of Edward Snowden’s colossal disclosure of classified information hit that summer, I was sure it would be the start of something, but the consensus amongst those CEOs was that Snowden was just a rogue weirdo and not really a concern. Boardrooms across America started to buzz about cybersecurity. But it was not until the Sony Pictures hack one year later that security became the No. 1 topic in boardrooms. The risk exposure and publicity made the cyber market for talent beyond noisy. It was almost impossible as a recruiter to make sense of the madness. The demand was outrageous; everyone was hiring, but no one knew what to spend. They just knew they needed someone in the role immediately. As it was a relatively new space, there was, and frankly still is, a shortage of qualified candidates, and almost every senior cyber executive gets a counteroffer when they go to change companies. This has led to a fast rise in compensation packages.
How has comp evolved?
To put it in perspective, six months after the breach Target hired their first CISO at a total compensation package of $1 million. It was an unheard-of comp package for a security leader at that time. Since then, those numbers have increased three-fold, with a few tier-one CISOs in 2020 commanding a package north of $3 million. Additionally, there are several next-level-down cybersecurity executives at major tech firms making between $1.5 million and $2 million. Despite the skyrocketing compensation packages writ large, not everybody pays for a tier-one CISO. That has certainly been the case for most of private equity, which has lagged the market by a considerable degree. It makes sense given the business model – PE firms pay up for a CEO but will likely be more balance-sheet-sensitive for other C-level executives. Compensation packages for private equity CISOs after the Target breach were in the $300,000 range, if not lower. Fast forward to today: PE firms have doubled their budget for security leaders, paying in the neighborhood of $500,000. But they clearly have not tripled the packages as we have seen in the private sector, and they’ve certainly not kept pace with the top of the market.
What is the current demand for CISOs?
The CISO function is seen as a good Moneyball category – a place to get value for a reasonable price if you recruit in the right way. The market’s tough, and if companies plan to thread the needle to find the best player at the best cost, they will recognize they’re not the only ones trying to do that. The market is still red hot, and candidates have choices. They’re also often not terribly polished executives, so the recruitment process gets that much more tricky. I heard a story the other day about a candidate who accepted a role with a well-funded PE-backed cyber risk company, and strung them along, pushing his start date back to wrap things up at the cybersecurity firm he was leaving. When his start date finally came around, he was a no-show on day one, having used the extra time to ink the deal on his counteroffer. A recruiter who really knows the space would have known that candidate was ‘Mission: Impossible’ because the PE fund that had acquired that cybersecurity firm would never let him walk out the door without throwing huge money at him. If you are trying to play Moneyball, you need to work with a recruiter who really knows the space.
What value do CISOs bring to private equity outfits?
CISOs will know where you can get value, and they will have a much better sense for the utter madness that is the current market for security talent. PE firms, particularly, need to find the right talent partner to keep pace with an evolving security market. In the last 12 to 24 months, increased regulatory requirements, pressure from customers via RFPs related to security, and a rise in cyber incidents at the company level have driven private equity firms to invest more in security and, in some cases, pay top dollar. The recent TikTok news is a great example of a situation where a strategic CISO, in this case Roland Cloutier, can play an oversized role in a company’s future. We worked on a similar type of search with a fast-growing tech company started by non-Americans, where we hired a seasoned veteran who had both U.S. government and commercial market experience to bring credibility and stability to the platform. Strategic hires like this come at a high price, but when there is a calculated need, they will make an exception and pay for the most valuable CISOs. Some PE funds have taken a shared services approach, hiring high-level CISO executives to help with the PE company itself, but also to strategically advise portfolio companies and vet potential investments, M&A and otherwise. This allows them to centralize resources, leverage buying power, share best practices and build a community among their CISOs. It also means that within their portfolio companies, they can take a chance on decent athletes at a much better value, without having to break the bank on every investment. It is a great model, and it is surprising to me that it has not caught on faster with more firms. We expect it will continue to gain traction due to the modeled success.