Tuesday 3 June 2014

US Companies are looking to hire cybersecurity experts:-

Some of the largest US companies are looking to hire cybersecurity experts in newly elevated positions.
 
Some of the largest US companies are looking to hire cybersecurity experts in newly elevated positions and bring technologists on to their boards, a sign that corporate America is increasingly worried about hacking threats.

JPMorgan Chase & Co, PepsiCo, Cardinal Health, Deere & Co and The United Services Automobile Association (USAA) are among the Fortune 500 companies seeking chief information security officers (CISOs) and other security personnel to shore up their cyber defenses, according to people with knowledge of the matter.

While a CISO typically reports to a company's chief information officer (CIO), some of the hiring discussions now involve giving them a direct line to the chief executive and the board, consultants and executives said.

After high-profile data breaches such as last year's attack on US retailer Target, there is now an expectation that CISOs understand not just technology but also a company's business and risk management.

"The trend that we are seeing is that organizations are elevating the position of the CISO to be a peer of the CIO and having equal voice associated with resource priorities and risk decisions," said Barry Hensley, executive director at Dell SecureWorks' Counter Threat Unit.

With many companies looking for security executives with military or defense backgrounds, people with the right expertise can command increasingly higher salaries.

Large corporations have recently hired CISOs for between $500,000 and $700,000 a year, according to Matt Comyns, global co-head of the cybersecurity practice at search firm Russell Reynolds Associates. Compensation for CISOs at some technology companies with generous equity grants has reached as high as $2 million, he said.

In comparison, CISOs who have been with a company for five or more years are on $200,000 to $300,000 per year, Comyns said.

New urgency
Security experts have often criticized corporate America for being too complacent about cyber risks and for not doing enough to protect their computer networks from hackers.

A recent PwC survey found the vast majority of cybersecurity programs fell far short of guidelines drafted by the Commerce Department's National Institute of Standards and Technology (NIST). Only 28% of more than 500 executives surveyed said their company had a CISO or chief security officer.

But high-profile data breaches, such as the one at Target, have injected a new sense of urgency, executives said. Target ousted its CEO, Gregg Steinhafel, earlier this month, and its chief information officer, Beth Jacobs, resigned in February. The retailer is now searching for a CISO, a newly created role.

"This is ringing bells at the C-suite," Charlie Croom, vice president of cybersecurity solutions at US defense contractor Lockheed Martin Corp told the Reuters Cybersecurity Summit.

Recruiters and executives said companies are increasing both the size and budget of their security teams. By the end of 2014, JPMorgan's annual cybersecurity budget will rise to $250 million from $200 million in 2012, CEO Jamie Dimon said in April. And the largest U.S. bank will have about 1,000 people focused on cybersecurity, compared with 600 people two years ago, he said.

A JPMorgan spokesman said the bank will continue to invest and expand its security team, but declined to confirm if the firm was looking for a CISO.

Cardinal Health CIO Patty Morrison said the healthcare services company was looking to hire a vice president of security to bring in "new talent and new ideas." USAA Chief Security Officer Gary McAlum confirmed the diversified financial services group was looking for a CISO.

Deere representatives were not available for comment, while a spokesman for PepsiCo declined to comment. The soft drink and snack maker lost its CISO, Zulfi Ahmed, to MetLife Inc earlier this year.

Changing face of boards
As companies look for CISOs, many boards are seeking directors with technology know-how so that they can better understand cyber risks. Matt Aiello, co-head of the cyber practice at Heidrick & Struggles, said he is seeing "unprecedented" demand for CIOs to serve on boards.

"Boards don't feel they have the right expertise to draw upon. It is not that they don't understand it is a risk; they don't want to blunder uninformed into it," said David DiBari, managing partner at the law firm Clifford Chance in Washington.

Retired Accenture CIO Frank Modruson, former Department of Defense CIO Teresa Takai, Dell SecureWorks chief Mike Cote and AT&T Inc CISO Ed Amoroso have all been approached to serve as potential directors, according to people with knowledge of the situation.

Takai said she is "looking at a couple of things," including with a security technology company. Cote, through a Dell spokeswoman, confirmed he has been approached by several companies about serving on their boards. An AT&T spokesman declined to comment on behalf of Amoroso. Modruson was not available for comment.

Pamela Craig, who serves on the boards of Akamai Technologies, Wal-Mart Stores and software maker VMWare, expects demand for CIOs to serve on public boards to increase. "You need people who have direct first-hand experience in the boardroom," she said.

Some boards are also considering moving responsibility for network security to risk committees from audit committees, as cybersecurity is increasingly viewed as a business risk more than a compliance issue, according to Mary Galligan, director of Cyber Risk Services at Deloitte & Touche LLP.

RSA Security Senior Vice President Amit Yoran said boards are looking for experts who can help them build security into products in development, rather than bolting it on at the last minute.

How to make your passwords more secure:-

If the Heartbleed security threat teaches us anything, it's that passwords don't offer total protection.

Browsers are supposed to keep passwords and other sensitive data safe, but a technical flaw in a widely used padlock security technology allows hackers to grab the information anyway. Even without this latest discovery, there have been countless disclosures of hackers breaking in to grab usernames and passwords, plus credit card numbers and more. That's why many security experts recommend a second layer of authentication: typically in the form of a numeric code sent as a text message. If you're logging in to a website from your laptop, for example, you enter your password first. Then you type in the code you receive via text to verify that it's really you and not a hacker.
I've been using what's known as two-factor authentication or two-step verification on most of my accounts for more than a year, after seeing too many mysterious attempts to reset my Facebook password by someone who isn't me. The main exception was Gmail, but I enabled that recently after the discovery of Heartbleed. I was afraid the second authentication would be a pain to use, but things are going more smoothly than I expected after the initial setup.
The idea behind these double-layer passwords is to make it harder to use a password that's compromised or guessed. You're asked for a second piece of information that only you are supposed to know.
To balance security and convenience, you can typically bypass this check the next time you use the same Web browser or device. It won't help if someone steals your laptop, but it'll prevent others from using your password on their machines. If you're logging in at a library or other public computer, remember to reject the option to bypass that check next time.
The second piece of authentication could be your fingerprint or retina scan, though such biometric IDs are rarely used for consumer services. Financial services typically ask for a security question, such as the name of your childhood pet, the first time you use a particular Web browser or device. That's better than nothing, though answers can sometimes be guessed or looked up. Some banks offer verification codes by text messaging, too.
I like that approach and use it for a variety of email and social networking services. To me, email accounts are the most sensitive because email can be used to reset passwords elsewhere. That includes my banks and shopping sites.
The two-step requirement is fairly simple to turn on. With Google, for instance, it's under the Security tab in your account settings. On Facebook, look for Login Approvals under Security in the settings. With Apple IDs, visit appleid.apple.com rather than the account settings on iTunes.
After you enable it, you'll typically have to sign in to your account again on various Web browsers and devices. After entering your username and password, a code will get sent to your phone. You'll have to enter that to finish signing in. This has occasionally meant getting off my couch to grab my phone from the charger, but that's a small price for security.
What if you're somewhere without cellular access and can't receive texts?
Most services have backup mechanisms. Google, Facebook and Microsoft have apps that will let you receive verification codes even when you're offline. Google and Facebook also let you generate 10 backup codes that you can download or print to keep in your wallet. Each can be used only once.
You can also turn off the two-step requirement temporarily if you'll be traveling without cellular access, though I don't recommend it. The reason I turned it on last year was because I was leaving the country and wouldn't be able to deal with further mysterious reset attempts.
Occasionally, you'll run into an app that won't accept the text code. Apple's Mail app on iPhones, iPads and Mac computers is one. Microsoft's Outlook software is another. If that happens, you'll have to go to your service's settings to generate a temporary password for that particular app. It's a pain, but I've rarely needed to do this.
There are several other challenges to making this work smoothly. For example, if you have a shared Twitter account, such as for your company or organization, two-step verification isn't very practical unless you also share your phone. There's a 12-character, hard-to-guess backup code you can use instead. But it provides no security if you jot it down next to your main password.
The biggest problem, though, is losing your phone. Some services will let you provide a backup number, including a friend's cellphone or a landline phone. With Google, the code can be sent as a voice message instead of a text. Others offer a complex recovery code, which you'll have to jot down and keep in a safe place.
I know two-layer security is inconvenient. The first password is difficult enough to deal with. But think of the inconvenience involved should someone break into your account and shut you out. Consider the use of verification texts to be insurance.
