January 13, 2023 – Increasingly, organizations of all sizes are awakening to the perils posed by cyberattacks. For years, many groups tried to ignore the problem, dismissing cybersecurity as a concern only for the biggest, most high-profile entities, be they government or corporate. These days, more groups are coming to understand how ruinous such intrusions could be, and cyberattacks show no signs of abating.
A report last year from Accenture, in fact, said the threat is only growing, with an average of 270 attacks per company, up 31 percent from 2020. A report from McKinsey & Company, meanwhile, projects that damage from cyberattacks will amount to about $10.5 trillion annually by 2025, a 300 percent increase from 2015 levels. Globally, organizations spent close to $150 billion for cyber protection last year, a number that’s growing by 12.4 percent each year. The global cybersecurity total addressable market could eventually grow to as much as $2 trillion, said the management consulting firm.
Attacks from state-supported operators, cybercriminals, business competitors, and even lone individuals have the potential to wreak havoc on businesses. Beyond the financial woes, there is the possibility of damage to reputation and trust, shutdowns, harm to the potential sale of a business, lawsuits, even legal penalties that can leave a company reeling. And when the U.S. government is the one under siege, the concern only escalates. All of this has led to a dramatic rise in the demand for cybersecurity executives, and search firms in this sector continue to grow.
Globally, there is a severe talent shortage in the cybersecurity job market. The World Economic Forum (WEF) recently reported a shortage of 3 million cybersecurity professionals around the globe. The lack of cybersecurity experts has left many businesses in a tight spot, according to a new report from TriSearch’s Travis Thomas. The National Center for Education Statistics (NCES) says that companies now see cybersecurity as a mission-critical task, so the demand for cybersecurity professionals is growing faster.
“The lack of cybersecurity professionals has led to various issues, such as an increase in malicious breaches and the theft of personal and financial information,” said Mr. Thomas. “The nation’s digital and cyberinfrastructure, including its economic, utility, and transportation networks, is under threat, and the situation appears to worsen by the day. Cloud security, application security, and security assessment/investigations are the top three technological domains most impacted by a cybersecurity skills shortage. When there aren’t enough people with these skills, employers must pay more for them.”
As technology becomes more digitally connected, the need for cybersecurity specialists will increase in the coming years, according to Mr. Thomas. “Security threats will grow in parallel with the Internet of Things and cloud computing,” he said. “As a result, the demand for expertise to tackle these issues will also surge. Managing cybersecurity is important, and employers need to look for people with experience and a good track record.”
Rapidly Growing Market
The need for cybersecurity professionals has been growing rapidly, even faster than companies can hire – and that demand is expected to continue. “With massive industry growth comes the need for more trained cybersecurity professionals,” said Jamie Javorsky, regional president, technology search and staffing at StevenDouglas. “Organizations are challenged in hiring cybersecurity experts who are equipped with the skills to defend the complex attack surface, like the cloud, and can operate the new technologies that are being implemented daily.”
“Companies continue to hunt for cyber talent, but many of these jobs require credentials, certifications, or a master’s degree in the field,” Mr. Javorsky said. “There are simply not enough people in cybersecurity with the skills to handle the new threat landscape and lack of certified professionals that companies are seeking. Bottom line, the demand remains high, and the qualified talent pool low. And while cybersecurity professionals can potentially earn high salaries, the pay scale is all over the map and many companies haven’t positioned themselves correctly for recruiting and retaining the right talent.”
Cybersecurity is a crucial part of all businesses, particularly given the advancements of today’s payment platforms and ever-increasing cloud-based data storage, leaving them exposed to threats and cyber-attacks, according to Mr. Javorsky. “Additionally, new technology innovation is in rapid deployment including the evolvement of mobile/artificial intelligence/machine learning tools/Web 3.0/Meta, thus resulting in companies’ enablement to keep up in this new era to protect the organization’s exposure to data/financial attacks and breaches,” he said.
Mr. Javorsky also notes that as the technology security ecosystem evolves and becomes ever more advanced and intelligent, the demand for these top executives at this strategic level has never been higher. “Companies are unable to ensure that their internal systems will remain protected, meanwhile, turnover for these executives is unusually high due to the level of stress involved resulting in high burnout and short retention,” he said. In fact, a recent article in Cybercrime Magazine states that 24 percent of Fortune 500 CISOs are on the job for just one year.
Maturity of the Cybersecurity Market
Mr. Javorsky also says that the ever-increasing maturity of the cybersecurity market has naturally increased demand for people who can combat cybersecurity threats at a strategic and board level. “As this domain continues to grow, more and more organizations are now attracting virtual CISOs to meet the talent shortage and challenges presented,” he said. “As cybersecurity becomes more mainstream, I believe we are going to see many people with the right skills being elevated into these positions within most enterprise organizations.”
“Twenty years ago, cybersecurity was not in the broader ecosystem as we see it today,” said Mr. Javorsky. “The advancements started to emerge at the start of the social platforms era and have rapidly scaled in the last decade. This then resulted in more and more data through cross platforms, leading to the rise of ransomware attacks and beginning of multi-factor authentication. Given the current data driven environment we have emerged, and the use of mobile devices allowing access anytime and anywhere, and new generation of users combined with technological advancements within the AI, ML and data domains; this will only intensify as we evolve and enter the next gen of Web 3.0 and metaverse, which will present further unique challenges for organizations within the security landscape.”
Cybersecurity remains a domain that is top of mind in the board room, by consumers and business leaders alike, according to Joyce Brocaglia, founder and CEO of Alta Associates (recently acquired by Diversified Search Group) and founder of the Executive Women’s Forum, a professional membership organization for women in cybersecurity, risk management, and privacy. “There is a groundswell of demand in the market for qualified and diverse cybersecurity talent, and we don’t anticipate that evaporating as the economy softens,” she said. “This year Alta Associates | Diversified Search Group has seen an increase in executive and C-suite cybersecurity and IT risk searches with companies seeking unique skill sets that include technical competencies, leadership capabilities and business acumen. Corporate boards are becoming more aware of the importance of their role to ensure the appropriate management of cyber risk. With cyber threats increasing and regulators considering new requirements for disclosure of their cybersecurity governance capabilities, companies will continue to bolster their investment in cybersecurity and those cyber executives who are leading the charge.”
“Cybersecurity is extremely important because it is ubiquitous,” said Ms. Brocaglia. “With most companies experiencing digital transformation, remote and hybrid workforces and increased threats, cybersecurity is fundamental to protecting a company’s assets, stock price and market reputation. Forward thinking companies are utilizing cybersecurity as a competitive advantage and market differentiator. Having the right cybersecurity and IT risk leaders in place enables businesses to grow faster, partner effectively and innovate and deliver products securely.”
Every CISO or cyber leadership role we fill requires a combination of technical skills, business acumen, and leadership capabilities; and each role’s exact requirements are unique to that particular organization, according to Ms. Brocaglia. “The CISO role is not a one-size fits all, it varies by reporting structure, staff size, scope, and maturity of the program,” she said. “As such, it takes a three-pronged approach to ensure that you are finding the best possible candidate and not just the best available candidate on the market. That’s why Alta Associates | Diversified Search Group does our research and identifies new talent; we utilize our known relationships for outreach to potential candidates and we connect with great leaders for referrals of people they highly recommend.”
“Because we understand the different archetypes of CISOs we can identify which background fits best with the requirements of that particular role and then only present candidates that are highly matched to the competencies they are seeking,” Ms. Brocaglia said. “The reason why companies have a hard time hiring CISOs by using their internal recruiting departments, is that their recruiters are often not sophisticated enough in their understanding of cybersecurity and lack the relationships and networks to identify, attract, and hire exceptional passive candidates in this highly competitive market.”
One of the most recurring challenges companies hiring cyber executives are facing is the increased salary expectations of qualified candidates. Ms. Brocaglia says the quandary is that hiring managers must either recalibrate their compensation ranges or reduce their expectations of what skills are possible to attract. In addition to compensation, candidates are also giving weighty consideration to companies that provide flexible or remote work environments.
The demand for CISOs is extremely high, especially in regulated and high transaction processing companies, according to Ms. Brocaglia. “Many companies are recognizing the need to hire their first ever CISO due to pressure from their board, regulators, or increasing threats,” she said. “A great number of Alta Associates | Diversified Search Group’s CISO searches in 2022 were for companies that realized the cyber executive that got them here is not the leader they need to take them to the future. They are elevating the role and looking for human-centric leaders who are able to collaborate and drive results. We are placing executives that not only have the technical competencies to understand how best to secure their corporation and its digital transformation efforts, but ones who can also understand the financial/risk exposures and communicate them in a language that business stakeholders can understand.”
“Recruiting cybersecurity executives can be extremely challenging,” said Frank Scarpelli, managing partner and CEO of technology-focused search firm HireWerx. “The top performers are certain to be fully engaged, so posting a job advertisement on LinkedIn unfortunately isn’t likely going to yield the best results. That said, there are many factors that can motivate cybersecurity executives to make a move. For example, a lack of buy-in by the board or the C-suite, a toxic company culture, inadequate budget, or insufficient recruiting and training capabilities that hinder building high-performing teams.”
Some of the key areas of cybersecurity recruiting include threat intelligence, network and endpoint security, mobile security, cloud security, IoT/IIoT security, behavioral detection, deception security, risk remediation, continuous network visibility, quantum encryption, and website security. “Recruiters look for education, certifications, and other credentials to help validate the skills and capabilities of candidates,” said Mr. Scarpelli. “That said, it is more important than ever to be able to assess experience and applied skills, especially those that may be transferable or provide a foundation upon which a company can build upon through training.”
High Demand for CISOs
As technology evolves and becomes ever more sophisticated, the demand for experienced chief information security officers has never been higher. “No longer can companies trust that their algorithms, code, or other intellectual property will remain protected,” said Mr. Scarpelli. “Turnover for this technology leadership position is unusually high due to the level of stress involved. Let’s face it, the consequences of any breach will likely fall directly at the feet of the CISO. The average tenure of a CISO is 18 to 26 months according to multiple sources. Cybercrime Magazine states that 24 percent of Fortune 500 CISOs are on the job for just one year.”
It is critical that today’s CISO bring a combination of technical and business acumen to the table, said Mr. Scarpelli. Equally important, the individual must be able to communicate effectively at the executive and organizational levels. Some of the direct impacts of the role may include risk mitigation, building a strong cybersecurity culture, establishing processes to meet and anticipate current trends of threats, and positively impacting the quality of data across the organization.
“The CISO is in a unique position to view data across the enterprise, which allows the business to identify opportunities for competitive advantage,” said Mr. Scarpelli. “Building a strong security process can oftentimes be a unique selling proposition for the company that offers a distinct competitive advantage.”
“Moving forward as technology continues to evolve, it is imperative for CISOs to operationalize security rather than merely focus on compliance and oversight,” said Mr. Scarpelli. What’s more, depending on your structure, ensuring alignment with the business as well as more traditional IT infrastructure areas is critically important. Mr. Scarpelli said that some key areas to consider as the cyber landscape evolves would be: how enterprise API ecosystems will reveal new vulnerabilities, the increasing sophistication of phishing attacks, new risks that 5G will bring particularly in the area of IoT, and the potential vulnerabilities that can compromise smart devices in order to infiltrate network infrastructures.
With a staggering $334 billion in global cybersecurity revenue expected by 2026, versus $220 billion in 2021, and cybersecurity emerging as a top priority on the agenda of company boards, it is no surprise that recruiting in cybersecurity is booming and will continue to boom in the coming years, also driven by significant growth in the consumer market, according to Raffaele Jacovelli, managing director at Hightech Partners.
“The rapid emergence of interconnected industrial or consumer devices and associated security risks with scarce security upgrades could favor the sector growth as it poses relevant vulnerability risks and issues,” said Mr. Jacovelli. “In addition to the rising frequency of attacks, the emergence of zero days, ransomware is also gaining prominence, and has been used in several high-profile attacks. It is the most concerning type of cyberattack for business leaders.”
As already indicated, the demand for CISOs is very strong – and will remain as such in the near future. Mr. Jacovelli points to two different reasons: “On one side, the increase in digital transformation initiatives, penetration of Internet connectivity, and susceptibility stemming from IoT connectivity is likely to increase the need to adopt cybersecurity solutions. At the same time, the general structural shortage of skills in the digital domain has increased the gap between demand and offer: The pace at which people are educated is not fast enough in comparison with the acceleration driven by the digital transformation.”
“The executive search industry should act certainly on the side of the individuals creating a pool of CISOs to be provided on demand – we are looking at this option currently – or partner with companies that can provide CISO-as-a-service leveraging multiple wide competences,” Mr. Jacovelli said. “In this case the role is not covered by a single individual but by several professionals that obviously have operated in an orchestrated but flexible manner. We have already invested in this area acquiring a relevant stake in a company, Ataya & Partner, that is recognized as a leader and a subject matter expert in the domain in continental Europe.”
Cybersecurity has become a relevant area of attention since the rise of the internet era, over 25 years ago, says Mr. Jacovelli. “At the time the Trojan horses were introduced mainly by email, hence the growth of the ‘antivirus’ business. With the explosion of broadband, IoT and 4G about 10 years ago the need to create a cybersecurity practice or unit has emerged strongly: we started systematically running CISO searches in 2015, and since then there has been a constant flow, further accelerated in 2017 by the decision to embrace digital transformation by several leading companies.”