May 4, 2022 – A pioneer in the development of the cybersecurity recruiting industry, Matt Comyns co-founded Artico Search with Mercedes Chatfield-Taylor to lead the team helping companies protect against cyberwarfare. He built the original cybersecurity search practices at two global firms – Russell Reynolds Associates and Caldwell – filling more than 300 executive-level searches in a hyper-competitive market by serving as a trusted advisor to chief information security officers. He developed his vast network as founding CEO and sales executive at tech and media companies in New York, San Francisco, and Beijing.
Mr. Comyns recently sat down with Hunt Scanlon to share his thoughts on the competitive cybersecurity recruiting landscape.
Matt, what are you currently seeing in the cybersecurity executive search market?
The cyber market for talent is fierce across the board, with demand for security talent far outweighing supply. Practically every organization has open security requisitions at various levels, and the market pressure is pushing compensation higher at all levels. At most levels and for most hires, organizations are up against competing offers, counter-offers, and a talent pool that is more attuned to what the market is paying, which is pushing salaries upward.
What are some challenges you are seeing in the market for these top executives?
CISOs know they have a myriad of options and in some cases can name their own price; this pressure makes it more difficult to land and retain strong cyber talent. Based on the findings in our CISO survey, two-thirds of CISOs are open to new roles, but last year only 17 percent actually changed jobs – CISOs will have conversations, but won’t necessarily make the move. Lastly, in this environment where two-thirds of CISOs report they are satisfied in their current role, it makes more candidates susceptible to accepting counter-offers from their current employers, something that was an outlier event two to three years ago, but we see on a regular basis today.
Has this led to a higher demand from clients?
There is continued pressure, both from a regulatory perspective and a market-driven one, to have an internal subject-matter expert in security who can not only protect the organization but can also manage in a crisis. CISO requirements depend on an organization’s understanding (or misunderstanding) of the threat environment and its position in an ecosystem. A seat at the executive table, the ability to interface with the board, and being viewed on par with other C-suite leaders in the organization. Teams and budgets aligned with organizational goals – CISOs can sniff out when a company is trying to do too much in cyber with too little support, and they will withdraw from a process if they get that sense.
Why are CISOs essential for today’s companies?
Strong CISOs give organizations line of sight into tech risk, putting technical and cyber risk into business terms to enable better-educated, risk-based decisions. CISOs can also work in a commercial capacity, serving as a customer trust leader in front of customers. Typically, more mature CISOs bring relationships with law enforcement and an incident response plan.
What are clients asking for in CISOs?
Clients are asking for more depth in cloud security and cloud transformation/migration. Additionally, in an increasingly crowded cyber-vendor environment, the best CISOs have a pulse on the most impactful technology.
How active were companies 20 years ago in this functional discipline (cybersecurity) and at what point did you see an uptick begin?
Twenty years ago the cyber function was a buried IT function, with a focus on network administration and firewalls/perimeter security rather than tech risk. The Target breach of 2013 kicked off leaders asking questions about security; this was cemented by the Sony breach in 2014, Anthem in 2015, and Edward Snowden’s intelligence leaks in the same timeframe. Regulated industries were fastest to adopt newer-age cyber programming, though companies in the aforementioned affected industries also started to ask different questions than they had previously. Financial services started building their own cyber defense and offensive cyber programs to rival those of government intelligence agencies, often pulling hires from those organizations.
Who’s most in demand at the moment?
At a high level, most companies are hiring at all levels, from security leadership to hands-on-keyboard engineers; the more in-demand talent is on the technical side of security. Organizations are continuing to scale, and we’ve heard clients and HR leaders, CISOs, etc. telling us they need to hire 10-20-50-100-300 people in their security organization as soon as possible.
There seems to be a pervasive shortage of experienced senior leadership talent who can address the range and complexity of risk management. Why?
We have to remember that until recently, security leaders were rarely formally trained in risk management, business management, or finance. CISOs who ascended to the top job a decade ago had previously spent a 15- to 20-plus-year career entirely buried in the back office of a tech function. They never presented to senior leaders or the board, and everything they solved from a security perspective came with a tech lens only. This is changing today, as companies provide mentoring to their security leaders, and CISOs spend more time with cross-functional leaders. Still, CISOs are not typically viewed as business partners on par with GCs, CFOs, and GMs… this will likely change over time.