June 3, 2022 – Increasingly, organizations of all sizes are awakening to the perils posed by cyberattacks. For years, many groups tried to ignore the problem, dismissing cybersecurity as a concern only for the biggest, most high-profile entities, be they government or corporate. These days, more groups are coming to understand how ruinous such intrusions can be. A recent report by Juniper Research, in fact, predicts that over the next five years, companies will suffer $8 trillion in damages because of data breaches. And that’s to say nothing of the intangibles, like harm to reputation, loss of customer trust, and more.
In recent years, cybersecurity recruiting has probably changed more than any other area of technology recruiting. It plays a key role in the success of every company and industry. Moreover, cybersecurity is critical to protecting the information of hundreds of millions of people all over the globe. The need for top-level cybersecurity talent is therefore urgent and should remain so for the foreseeable future.
“Cybersecurity recruiting is similar to recruiting for other IT related positions,” said Gary Erickson, managing partner of Executive Search Partners. “Because our senior partners are former CIOs, we fully understand what it takes to be a successful IT executive. We help our clients define the requirements for their cybersecurity positions and use these requirements in finding and screening candidates.”
Protection from Cyber Criminals
“CISOs are critical in that they protect their company from the attacks of cyber criminals and ensure that their company adheres to country-by-country customer data privacy laws,” said Mr. Erickson. “However, the demand for CISOs seems to be less than the demand for CIOs. We do not see the same level of turnover in CISO positions as we see in CIO positions.”
Chief information security officers protect companies from unauthorized access to their computer systems and their data, according to Mr. Erickson. “Cyber criminals attack a company’s computer systems to either steal data or to lock down company operating systems so they can collect fees to unlock them (ransomware),” he said. “CISOs put in place the technology and processes to prevent this unauthorized access.”
“CISOs need to stay on top of the constantly evolving threats to their company systems – from new viruses to rogue employees,” Mr. Erickson said. “They need to be up to date on new technologies designed to technically protect the organization’s computer systems. And they need to be aware of changing country-by-country laws regarding customer data privacy and data access.”
Heightened Demand for Cybersecurity Leaders
“Given the geopolitical unrest, changing regulatory requirements, and increasing threat landscape, the demand for cybersecurity professionals has never been greater,” said Joyce Brocaglia, founder and CEO of Alta Associates (recently acquired by Diversified Search Group) and founder of the Executive Women’s Forum, a professional membership organization for women in cybersecurity, risk management and privacy. “Cybersecurity is now a topic in every boardroom discussion; consumers globally are more aware of digital theft, and corporations and governments alike are seeking to strengthen their cybersecurity programs,” she said.
In response to the escalating Russia-Ukraine conflict, President Joe Biden announced that corporations should be on high alert for cybersecurity attacks. “I believe we have never been closer to a cyberwar than we are today,” said Ms. Brocaglia. “That means the potential attacks against our nation’s infrastructure, financial systems, and the internet itself are all possibilities. The stakes are very high. In addition to all that, reports show nearly a half-million unfilled cybersecurity jobs across the nation. This dilemma is not just at the staff level,” she noted.
Alta Associates has seen an increased demand in companies hiring their first-ever CISO. “Many corporations also recognize that the cyber leader who got them where they are today isn’t the person who can lead them into the future,” said Ms. Brocaglia. “So, we are placing CISOs who can elevate the function. We also see an uptick in requests for CISOs and cyber-savvy executives in our board director searches. Boards recognize that having a cyber expert in the boardroom in today’s digital world provides a perspective that their traditional retired CEOs and CFOs can’t offer.”
“Forward-thinking companies are assessing the capabilities of their cybersecurity leadership teams to meet the myriad of challenges they are facing,” said Ms. Brocaglia. Gone are the days when that assessment focused on the CISO’s technical skills. Today, Alta Associates is working with companies of every size and in every industry to bring in a new breed of CISO who can build proactive security solutions, holistically evaluate the risks of the organization, and communicate those risks in a language that business stakeholders understand.
Companies are Digitally Transforming
As companies are digitally transforming, they count on their CISOs to take an active role in ensuring that their organizations move securely into the cloud, according to Ms. Brocaglia. “This requires a new type of cybersecurity leader who is proactive, collaborative, agile, and can understand all regulatory, privacy, and risk implications and consequences,” she said. “Most importantly, they need to be capable of leveraging cybersecurity as a business enabler and differentiator for their organizations. Even if your CISO has the skills mentioned above, they need the C-suite’s support in funding headcount, upskilling staff, and providing leadership development programs to build and retain leaders. The time to evaluate and elevate your cybersecurity, risk, and data privacy leaders and the teams that support them is now and not after you’ve been breached,” she added.
“Recruiting cybersecurity executives can be extremely challenging,” said Frank Scarpelli, managing partner and chief executive officer of technology-focused search firm HireWerx, in a recent interview with Hunt Scanlon Media.
“Even though cybersecurity has been formally acknowledged as a discipline since 1970 as a threat to businesses and individuals, for decades it has been considered something that could affect only selected organizations up to a certain extent,” said Raffaele Jacovelli, managing director at Hightech Partners.
Mr. Jacovelli notes that not only has the demand for experienced CISOs been growing dramatically, but at the same time, as more and more service providers are hiring at every level, the entire cybersecurity ecosystem is under pressure, fighting for all sorts of talent. (Those roles range from penetration testers up to practice leaders that often manage organizations of hundreds – if not thousands – of specialists generating significant revenues.) “The war for talent is hence getting fiercer in this domain due to the endemic shortage: There are simply not enough people that have the skills, the certifications, the approach, and the experience needed to cover the market requirements,” he said.
An industry report estimates that there will be more than four million unfilled cybersecurity jobs globally by 2021, up from one million openings in 2014. Statistics suggest that although employment figures from the U.S. are high, there are currently 314,000 vacant positions that need to be filled immediately. The most alarming cybersecurity talent shortage, though, is seen in Europe, where 48 percent of hiring managers believe finding a perfect match for this role is a rare possibility. In India, meanwhile, cybersecurity job openings have surged in recent years. But with the high demands of a rapidly growing digital economy, one million such positions are set to remain vacant.
Cybersecurity Talent Salaries Soar
Cyber breaches at SolarWinds and Colonial Pipeline have only underscored the importance of putting the right CISO talent in place. That, in turn, has led to intense competition to recruit top cybersecurity leadership who have seen their market values and salaries soar, according to just-released compensation data from IANS Research and Artico Search. “This increase in demand has led to turbulent market conditions and CISOs’ eagerness to understand their market value and how their compensation compares to that of their peers,” said Matt Comyns, Artico co-founder and leader of the firm’s cybersecurity recruiting platform.
The firm’s CISO Compensation Benchmark report offers objective and comprehensive data from 458 CISOs. The distribution curve for total annual compensation shows a wide gap between top and bottom, with a $463,000 average and a $342,000 median. The broad range in total compensation reflects diversity in the market. It includes CISOs at small companies in sectors with relatively immature cyber programs, as well as those at Fortune 500 multinationals in highly regulated sectors with an established cybersecurity program. “Business continuity has become front and center in the last 18 months,” said Artico partner Steve Martano. “COVID-19, combined with the vast increase in widely publicized cyber breaches and ransomware attacks, forced organizations to rethink and reprioritize their security programs. Some companies built out first-time programs, while others enhanced existing programs that were lacking in visibility and resourcing,” he noted.
Prior to 2021, cybersecurity was increasingly a pressing topic in most board rooms, said Mr. Martano. “The advanced attacks and costly public breaches and ransomware events over the last 12 to 18 months have increased the frequency and depth of those discussions. COVID-19 and the work-from-home trend have accelerated the visibility of the CISO and the security apparatus, as endpoint security and vulnerability management became front and center due to the prevalence of remote work,” said Mr. Comyns. Amid a challenging talent market where demand still far outweighs supply, companies have boosted incentives to attract top CISOs, according to recruiters, including massive counteroffers and retention packages to keep security leaders they trust. Nearly 75 percent of companies preparing CISO offers are contending against one or more competing offers and/or strong counteroffers from candidates’ current employers.
Interestingly, female CISOs out-earn their male peers by five percent for base compensation and seven percent for total compensation. What explains that difference? Males still dominate the security function. “This gender gap is not unique to CISOs, as there are fewer women across the entire tech leadership suite,” said Artico co-founder Mercedes Chatfield-Taylor. The gap is most apparent, she said, in some of the most transformative tech functions including security, product and engineering. “Female leaders who break through in these functions command a premium in compensation, as nearly every company requires diversity in their slate of candidates—CISO searches being no exception,” she said. This creates optionality and opportunity for female CISOs to increase their compensation by taking on new roles.
The information security recruitment sector is more than 30 years old, but the first ever CISO appointment is widely believed to be that of Steve Katz in 1995 at Citicorp (now Citigroup) when the financial services corporate suffered a series of cyber-attacks by Russian hackers, according to Tim Cook, partner and practice lead, cyber at Acertitude. “Fast forward to today and most organizations will not only have a CISO, but they will also have been either directly or indirectly affected by a cyber-attack,” he said. “This has led to an explosion in demand for cybersecurity executives who are dealing with operational cyber requirements as well as responding to increasing levels of governance and compliance at state, federal, and international levels.”
“The good news for recruiters is that demand for cybersecurity professionals exceeds supply by some margin which should keep the recruitment sector buoyant. However, the bad news is that many CISOs use their own networks to find good talent as well as solving the in-house shortage of specialist cyber skills by using professional service suppliers,” said Mr. Cook. “One of the constant criticisms of recruiters in the cybersecurity space is an inability to understand what good looks like in cybersecurity leadership. In response to this we have developed a five-level model, combined with psychometrics and AI tools, which help our clients and candidates determine what they are looking for and where they are on the model.”
“CISOs reduce risk for their organizations by asking better questions around current and future vulnerability,” said Mr. Cook. “The impact a CISO has depends on where they sit on our five-level cyber leader maturity model. A level one CISO brings value by ensuring that process controls such as identity and access management, patching, and adherence to some frameworks such as NIST (National Institute of Standards and Technology) are in place. A level five CISO (the highest level on our model) is part of the DNA of an organization, a trusted advisor to the board and senior leadership team, and involved very early on in all crucial decisions (e.g., M&A), the launch of new products and services, big hirings and firings, and anything else that is share price sensitive or has an impact on the reputation and trading ability of the company.”
Keeping on top of technology evolutions will not keep an organization safer. “CISOs need to focus on developing and retaining their teams, through advanced training and certification programs as well as soft skills such as communication and resilience training,” Mr. Cook said. “A cyber function in the middle of an ongoing cyber attack can be a highly stressful place, and therefore keeping an eye on the mental health of the cyber team is very important. These roles require more general IT and business skills which should be easier to recruit and train for. Another area to consider is incentivizing software engineers to develop code more securely. These kinds of initiatives will widen the talent pool and reduce vulnerabilities.”
Contributed by Scott A. Scanlon, Editor-in-Chief; Dale M. Zupsansky, Managing Editor; and Stephen Sawicki, Managing Editor – Hunt Scanlon Media