May 4, 2022 – Increasingly, organizations of all sizes are awakening to the perils posed by cyber attacks. For years, many groups tried to ignore the problem, dismissing cybersecurity as a concern only for the biggest, most high-profile entities, be they government or corporate. These days, more groups are coming to understand how ruinous such intrusions can be. A recent report by Juniper Research, in fact, predicts that over the next five years, companies will suffer $8 trillion in damages because of data breaches. And that’s to say nothing of the intangibles, like harm to reputation, loss of customer trust, and more.
In recent years, cybersecurity recruiting has probably changed more than any other area of technology recruiting. It plays a key role in the success of every company and industry. Moreover, cybersecurity is critical to protecting the information of hundreds of millions of people all over the globe. Top-level cybersecurity talent is therefore urgently needed, and should continue to be in demand for the foreseeable future.
“Cybersecurity recruiting is similar to recruiting for other IT related positions,” said Gary Erickson, managing partner of Executive Search Partners. “Because our senior partners are former CIOs, we fully understand what it takes to be a successful IT executive. We help our clients define the requirements for their cybersecurity positions and use these requirements in finding and screening candidates.”
Executive Search Partners recruits for a variety of senior-level IT positions. Recruiting for chief information security officers (CISO) is no more difficult than recruiting for other senior-level IT executives. The search firm has been in business for 19 years and has an extensive network of CISOs and directors of cybersecurity.
Protection from Cyber Criminals
“CISOs are critical in that they protect their company from the attacks of cyber criminals and ensure that their company adheres to country by country customer data privacy laws,” said Mr. Erickson. “However, the demand for CISOs seems to be less than the demand for CIOs. We do not see the same level of turnover in CISO positions as we see in CIO positions.”
Chief information security officers protect companies from unauthorized access to their computer systems and their data, according to Mr. Erickson. “Cyber criminals attack a company’s computer systems to either steal data or to lock down company operating systems so they can collect fees to unlock them (ransomware),” he said. “CISOs put in place the technology and processes to prevent this unauthorized access. CISOs also ensure that their company adheres to country by country data privacy laws.”
“CISOs need to stay on top of the constantly evolving threats to their company systems – from new viruses to rogue employees,” Mr. Erickson said. “They need to be up to date on new technologies designed to technically protect the organization’s computer systems. And they need to be aware of changing country by country laws regarding customer data privacy and data access.”
Heightened Demand for Cybersecurity Leaders
“Given the geopolitical unrest, changing regulatory requirements, and increasing threat landscape, the demand for cybersecurity professionals has never been greater,” said Joyce Brocaglia, founder and CEO of Alta Associates (recently acquired by Diversified Search Group) and founder of the Executive Women’s Forum, a professional membership organization for women in cybersecurity, risk management and privacy. “Cybersecurity is now a topic in every boardroom discussion; consumers globally are more aware of digital theft, and corporations and governments alike are seeking to strengthen their cybersecurity programs,” she said.
In response to the escalating Russia-Ukraine conflict, President Joe Biden announced that corporations should be on high alert for cybersecurity attacks. “I believe we have never been closer to a cyberwar than we are today,” said Ms. Brocaglia. “That means the potential attacks against our nation’s infrastructure, financial systems, and the internet itself are all possibilities. The stakes are very high. In addition to all that, reports show nearly a half-million unfilled cybersecurity jobs across the nation. This dilemma is not just at the staff level,” she noted.
Alta Associates has seen an increased demand in companies hiring their first-ever CISO. “Many corporations also recognize that the cyber leader who got them where they are today isn’t the person who can lead them into the future,” said Ms. Brocaglia. “So we are placing CISOs who can elevate the function. We also see an uptick in requests for CISOs and cyber savvy executives in our board director searches. Boards recognize that having a cyber expert in the boardroom in today’s digital world provides a perspective that their traditional retired CEOs and CFOs can’t offer.”
“Forward-thinking companies are assessing the capabilities of their cybersecurity leadership teams to meet the myriad of challenges they are facing,” said Ms. Brocaglia. Gone are the days that this assessment is of the CISO’s technical skills. Today Alta Associates is working with companies of every size and in every industry to bring in a new breed of CISO who can build proactive security solutions, holistically evaluate the risks of the organization, and communicate those risks in a language that business stakeholders understand.
Companies are Digitally Transforming
As companies are digitally transforming, they count on their CISOs to take an active role in ensuring that their organizations move securely into the cloud, according to Ms. Brocaglia. “This requires a new type of cybersecurity leader who is proactive, collaborative, agile, and can understand all regulatory, privacy, and risk implications and consequences,” she said. “Most importantly, they need to be capable of leveraging cybersecurity as a business enabler and differentiator for their organizations. Even if your CISO has the skills mentioned above, they need the C-suite’s support in funding headcount, upskilling staff, and providing leadership development programs to build and retain leaders. The time to evaluate and elevate your cybersecurity, risk, and data privacy leaders and the teams that support them is now and not after you’ve been breached,” she added.
“Even though cybersecurity has been formally acknowledged as a discipline since 1970 as a threat to businesses and individuals, for decades it has been considered as something that could affect only selected organizations up to a certain extent,” said Raffaele Jacovelli, managing director at Hightech Partners.
Mr. Jacovelli notes that not only has the demand for experienced CISOs been growing dramatically, but at the same time, as more and more service providers are hiring at every level, the entire cybersecurity ecosystem is under pressure fighting for all sorts of talent. (Those roles range from penetration testers up to practice leaders that often manage organizations of hundreds – if not thousands – of specialists generating significant revenues.) “The war for talent is hence getting fiercer in this domain due to the endemic shortage: There are simply not enough people that have the skills, the certifications, the approach, and the experience needed to cover the market requirements,” he said.
An industry report estimates that there will be more than four million unfilled cybersecurity jobs globally by 2021, up from one million openings in 2014. Statistics suggest that although employment figures from the U.S. are high, currently there are 314,000 vacant positions that need to be filled immediately. The most alarming cybersecurity talent shortage, though, is seen in Europe, where 48 percent of hiring managers believe finding a perfect match for this role is a rare possibility. In India, meanwhile, cybersecurity job openings have surged in recent years. But with the high demands of a rapidly growing digital economy, one million such positions are set to remain vacant.
Cybersecurity Talent Salaries Soar
Cyber breaches at SolarWinds and Colonial Pipeline have only underscored the importance of putting the right CISO talent in place. That, in turn, has led to intense competition to recruit top cybersecurity leadership who have seen their market values and salaries soar, according to just-released compensation data from IANS Research and Artico Search. “This increase in demand has led to turbulent market conditions and CISOs’ eagerness to understand their market value and how their compensation compares to that of their peers,” said Matt Comyns, Artico co-founder and leader of the firm’s cybersecurity recruiting platform.
The firm’s CISO Compensation Benchmark report offers objective and comprehensive data from 458 CISOs. The distribution curve for total annual compensation shows a wide gap between top and bottom, with a $463,000 average and a $342,000 median. The broad range in the total compensation reflects diversity in the market. It includes CISOs at small companies in sectors with relatively immature cyber programs, as well as those at Fortune 500 multinationals in highly regulated sectors and an established cybersecurity program.
“Business continuity has become front and center in the last 18 months,” said Artico partner Steve Martano. “COVID-19, combined with the vast increase in widely publicized cyber breaches and ransomware attacks, forced organizations to rethink and reprioritize their security programs. Some companies built out first-time programs, while others enhanced existing programs that were lacking in visibility and resourcing,” he noted.
Prior to 2021, cybersecurity was increasingly a pressing topic in most board rooms, said Mr. Martano. “The advanced attacks and costly public breaches and ransomware events over the last 12 to 18 months have increased the frequency and depth of those discussions. COVID-19 and the work-from-home trend have accelerated the visibility of the CISO and the security apparatus, as endpoint security and vulnerability management became front and center due to the prevalence of remote work,” said Mr. Comyns. Amidst a challenging talent market where demand still far outweighs supply, companies have boosted incentives to attract top CISOs, according to recruiters, including massive counteroffers and retention packages to keep security leaders they trust. Nearly 75 percent of companies preparing CISO offers are contending against one or more competing offers and/or strong counteroffers from candidates’ current employers.
Interestingly, female CISOs out-earn their male peers by five percent for base compensation and seven percent for total compensation. What explains that difference? Males still dominate the security function. “This gender gap is not unique to CISOs, as there are fewer women across the entire tech leadership suite,” said Artico co-founder Mercedes Chatfield-Taylor. The gap is most apparent, she said, in some of the most transformative tech functions including security, product and engineering. “Female leaders who break through in these functions command a premium in compensation, as nearly every company requires diversity in their slate of candidates—CISO searches being no exception,” she said. This creates optionality and opportunity for female CISOs to increase their compensation by taking on new roles.
Recruiting in the cybersecurity space is very specific based on the needs of a client, according to Sal DiFranco, managing partner of the global advanced technology and CIO/CTO practices at DHR Global. “Security as a general topic impacts and is a priority for all organizations,” he said. “There are nuances to the functional talent needed for different industries. Recruiting for cybersecurity professionals within financial services is much different than looking for those professionals for a manufacturing company, or a software vendor. There are different skill-sets as well as business priorities that are important to take into account when recruiting for these professionals. Factors outside of industry differences that impact recruiting include how global/international the business is, the size, the customer base, as well as the maturity of the current cybersecurity organization.”
Recruiting cybersecurity executives is a different breed of recruiting, Mr. DiFranco says. “While there is much publication on CISO levels, many of their direct reports as well as the technical experts in cybersecurity are not easily found,” he said. “They have more tendencies to be private with their information as well as less responsive to typical recruiters reaching out to them. This is why it is important to have networks in the space from the CISO level down to VPs, directors, and even the leading security architects across the industry. Building the network is difficult but it’s where the value of a search firm comes in because these relationships across levels not only lead to candidates but to very strong referrals in the cybersecurity community.”
The demand for CISOs continues to increase with more and more security threats and advanced hacking capabilities. CISOs are in demand to build a security organization from scratch, mature an existing organization, or drive innovation for an organization for proactive threat prevention, according to Mr. DiFranco. “The CISO role is becoming increasingly visible at the board level, not only for the Fortune 500 but down to middle market and SMB organizations as well to appropriately protect their assets from unknown threats,” he said. “CISOs bring value through a variety of ways. They are leading the technology teams to keep assets safe and protect the company and their employees from threats in the digital age.”
Mr. DiFranco notes that the CISO role is not a back-office function. “It is a more forward thinking and business facing role than ever before, and CISOs need to be able to touch all areas of the business and be able to communicate effectively with the business,” he said. “The role continues to evolve but we will see more CISOs moving into CIO and CTO roles as well as CISOs sitting on boards in the future as security is a function and topic that is critical to the safety and success of any business.”
The information security recruitment sector is more than 30 years old, but the first ever CISO appointment is widely believed to be that of Steve Katz in 1995 at Citicorp (now Citigroup) when the financial services corporate suffered a series of cyber-attacks by Russian hackers, according to Tim Cook, partner and practice lead, cyber at Acertitude. “Fast forward to today and most organizations will not only have a CISO, but they will also have been either directly or indirectly affected by a cyber-attack,” he said. “This has led to an explosion in demand for cybersecurity executives who are dealing with operational cyber requirements as well as responding to increasing levels of governance and compliance at state, federal, and international levels.”
According to statistics published by Statista this year, the number of cybersecurity professionals globally is 4.1 million with over one million in the U.S. alone. However, there is a forecast gap of a further 3.5 million jobs worldwide. “The good news for recruiters is that demand for cybersecurity professionals exceeds supply by some margin which should keep the recruitment sector buoyant. However, the bad news is that many CISOs use their own networks to find good talent as well as solving the in-house shortage of specialist cyber skills by using professional service suppliers,” said Mr. Cook. “One of the constant criticisms of recruiters in the cybersecurity space is an inability to understand what good looks like in cybersecurity leadership. In response to this we have developed a five-level model, combined with psychometrics and AI tools, which help our clients and candidates determine what they are looking for and where they are on the model.”
“CISOs reduce risk for their organizations by asking better questions around current and future vulnerability,” said Mr. Cook. “The impact a CISO has depends on where they sit on our five-level cyber leader maturity model. A level one CISO brings value by ensuring that process controls such as identity and access management, patching, and adherence to some frameworks such as NIST (National Institute of Standards and Technology) are in place. A level five CISO (the highest level on our model) is part of the DNA of an organization, a trusted advisor to the board and senior leadership team, and involved very early on in all crucial decisions (e.g., M&A), the launch of new products and services, big hirings and firings, and anything else that is share price sensitive or has an impact on the reputation and trading ability of the company.”
Keeping on top of technology evolutions will not keep an organization safer. “CISOs need to focus on developing and retaining their teams, through advanced training and certification programs as well as soft skills such as communication and resilience training,” Mr. Cook said. “A cyber function in the middle of an ongoing cyber attack can be a highly stressful place, and therefore keeping an eye on the mental health of the cyber team is very important. These roles require more general IT and business skills which should be easier to recruit and train for. Another area to consider is incentivizing software engineers to develop code more securely. These kinds of initiatives will widen the talent pool and reduce vulnerabilities.”