January 13, 2023 – A pioneer in the development of the cybersecurity recruiting industry, Matt Comyns co-founded Artico Search with Mercedes Chatfield-Taylor to lead the team helping companies protect against cyberwarfare. He built the original cybersecurity search practices at two global firms – Russell Reynolds Associates and Caldwell – filling more than 300 executive level searches in a hyper-competitive market by serving as a trusted advisor for chief information security officers. He developed his vast network as founding CEO and sales executive at tech and media companies in New York, San Francisco, and Beijing.
Mr. Comyns recently sat down with Hunt Scanlon Media to share his thoughts on the competitive cybersecurity recruiting landscape.
Matt, since we last spoke can you tell me what you are seeing in cybersecurity recruiting?
Despite the market turbulence, many organizations of all sizes and funding levels are looking to hire security professionals at various levels. CISO recruiting remains important to funds that have invested significant capital in portfolio companies; many companies that are weathering the turbulence well continue to increase the size of their budgets and teams irrespective of the macro conditions. Candidates actively seeking a new role have options and many end up with multiple offers; this consequently leads to the continued upward pressure on compensation for high-caliber candidates – this is especially true of security professionals on the technical side of security (security engineering, security architecture, incident response, etc.).
How difficult is it to recruit cybersecurity executives?
In a market this competitive it is always a challenge to recruit, so relationships are critical. Recruiting cyber executives is all about trust – does the candidate pool trust the recruiter, do they develop trust with a hiring manager and critical stakeholders? To stay ahead, we spend a lot of time in the trenches with the candidate pool so they know we have their best interests at heart and try to find them a position that works for all parties – it’s not about filling a role, it’s about finding a long-term match for the business and the candidate.
What is the current demand for CISOs?
Heading into 2023 we’re seeing demand down from where it was a year ago, but up from where it was two to three months ago. Companies that are scaling remain in the market for CISOs, particularly if there’s a departure or there is external pressure from investors to formalize or mature a program.
What value do CISOs bring to organizations?
Mature CISOs have elevated themselves from tech executives to business risk executives, so the value a strong security leader can bring to an organization is significantly greater than it was 10 or even five years ago. At this point in the CISO journey, security leaders are not only conducting security due diligence, but many are identifying acquisition targets for complementary tech, something mostly unheard of in the not-too-distant past. CISOs serve as the quarterback during an incident, and likely have a playbook to manage responses; they are the face of security internally as well as with customers.
What do CISOs need to know moving forward as technology continues to evolve?
CISOs need to keep a pulse on the latest vendor trends and technologies. They need to know what their own company development pipeline looks like, and how it compares from a security perspective, and if they’re at a security product company, from a product differentiation and end-user solutions perspective. The threat environment continues to get more complex, so understanding what industry peers are facing, and how they are mitigating these threats is essential to the success of their programs.
Can you share some search work you have done for cyber security executives?
CISO searches for technology portfolio companies of a16z and Vista as well as privately-held multi-billion Cox Automotive. Team build work for pre-IPO companies like Justworks, as well as team-build work for companies like Mandiant (acquired by Google this year), Chubb Insurance, Charles Schwab, JPMC, Clear Secure, among others.
What do you see for this sector in the next five to 10 years?
The security transformation is likely a 30-year journey and we are heading into year 10 since the Target breach of 2013 that brought security to the forefront of business risk. Our data (coming out of our Artico Search / IANS 2022 CISO survey) indicates that budgets and compensation continue to increase, and we expect that trend to continue. Over the next five to 10 years, we’ll likely see a heavier push to automate tasks as companies continue to battle for talent.
Any other trends that you would like to share?
We’re also seeing many cloud-forward and cloud-native companies merging the CIO and CISO roles into one; we expect that trend to continue and be adopted in more places as more companies move away from traditional tech stacks and into the cloud. CISOs will continue to get more reps in front of boards and leadership teams, and we would expect that over the next decade they will likely be viewed as true business risk executives at even more companies than they are today.