Spotlight: The Ins and Outs of Finding Cybersecurity Leaders

May 4, 2022 – Sophie De Ferranti joined ZRG Partners in 2021 as managing director, cyber, and member of the financial services practice. She has served as a keynote speaker on the topic of the war for cyber talent at events in Singapore, Zurich, London, Hong Kong, and Jakarta and participated in TV interviews with the London Stock Exchange on regional compensation trends impacting senior executives within the global financial services industry.
Ms. De Ferranti has created a global footprint and highly entrepreneurial approach to executive search and human capital consulting. Her areas of expertise include global wealth management, cybersecurity and digital risk, and human capital management within the financial services/fintech industries. Ms. De Ferranti recently sat down with Hunt Scanlon Media to discuss the cybersecurity sector and the challenges of finding senior leaders for leading organizations.
Sophie, can you provide an overview of cybersecurity recruiting?
With almost 10 years of executive search and human capital management experience within global cybersecurity, I have witnessed an unprecedented shift during the last 18 months, not only in demand for stellar cyber talent, but also in compensation differentiators, particularly in relation to the CISO and global CISO function. What is so fascinating about recruiting within cybersecurity is that it is truly industry agnostic, and almost each and every sector, industry, and company – irrespective of size, turnover, profitability, headcount, and geography – is exposed to the risks associated with cyber resilience and data security. Mitigating these risks, whether through the deployment of advanced infosec technologies, cyber insurance, or, most importantly, human capital, will present the biggest challenge for the immediate to mid-term future as the world emerges from a global pandemic – a pandemic that has served to fuel cyber-crime/dark web activities and that has exposed weaknesses within a new dawn of hybrid and remote working practices. The world, and indeed we in our capacity as recruiters, are facing what one may define as a full-on war for cyber talent. And, of greater concern, in the absence of any accelerated, strategic investment in specialized cybersecurity training academies to help stimulate next-generation education within cybersecurity, the talent gap is only set to widen.
How difficult is it to recruit cybersecurity executives?
In short: complex. Cybersecurity recruitment in the current landscape lacks succession planning and, to some extent, stability – the latter of which has been fueled by a significant uptick in COVID-related cyber breaches and the associated disruption for those who are assigned to managing an organization’s cybersecurity program. In the event of a cyber breach it is often the CISO who “carries the can,” and thus a reactive event occurs: firing and knee-jerk hiring, compounded by a lack of available interim CISO talent solutions. Hence, the tenure of today’s traditional CISO (if there is a “traditional” one) has been dramatically shortened from an optimal three to five years to just less than two to three. Harnessing top percentile talent should be a primary focus over the next three to five years if the talent deficit is to be realistically benchmarked, and the next generation of infosec/cyber executives identified. Further, the key challenges for recruiting senior cybersecurity executives in 2022 and beyond will most likely be:
- Inflated compensation (otherwise known as the “comp pain threshold”).
- Diversity (not only gender diversity, but ethnicity, disability, and cultural diversity).
- Increased cybercrime, cyber breaches and the resulting need for enhanced/evolving cybersecurity software solutions.
- An acceptance from C-suite / board members to acknowledge cybersecurity as risk and not purely technology. There is a need to elevate the CISO out of CTO/CIO/COO reporting lines into the realm of the CEO and board. CISOs need the autonomy, resources, and empowerment to act and make decisions accordingly.
- Geographical regulatory differentiators driving the need for enhanced/recognized specialist cybersecurity qualifications which, in turn, determine the credibility and suitability of a CISO.
What is the current demand for CISOs?
The current demand for CISOs (and to some extent senior infosec executives) is accelerating at a staggering 28 to 30 percent year on year. Global statistics suggest that this is set to increase and greater cross pollination across industry and sector specialism will occur (most likely we may see greater public-to-private sector migration) as the private sector lures away top performing public sector CISOs with massive salaries. Based on data captured across nearly 1,000 CISOs surveyed globally in 2020 and 2021 by Cyber-iSearch Solutions in the U.K., the following industries are seeing the greatest demand for new CISO talent: Financial services / fintech; healthcare, biotech, and life sciences; government, public sector, and not-for-profit; professional and technology services; hospitality and tourism; industry, manufacturing, and energy; consumer; and retail/marketing.
What value do CISOs bring to organizations?
The best CISOs not only bring a wealth of highly technical expertise to an organization, oftentimes having originated from within a previous high-tech and infosec-orientated role, but the “modern” CISO also now brings a strong commercial acumen with their skill-sets. They are more risk and compliance astute, may play the role of an individual revenue contributor, and are seen to be strategic relationship builders within an organization. They require not only the depth, breadth, and specialism of a range of data security methodologies (e.g. network & cloud security, IoT, application security, identity and access management, security architecture, enterprise crisis management, penetration testing, and more), but are more commonly now empowered with greater governance, risk, and compliance responsibilities – all of which elevate the CISO’s standing within an organization – irrespective of geography, industry, and size. The CISO should, in today’s world of heightened cyber risk, sit firmly within the C-suite, thus giving them credibility and the necessary remit to best protect their organization, employees, customers, data, and most of all, their reputation.
What do CISOs need to know moving forward as technology continues to evolve?
Having interviewed a significant number of CISOs globally – pre-, mid-, and post-pandemic – I find that CISOs are calling for greater acknowledgement that cybersecurity really does sit firmly within risk and not just technology. Gone (or soon to go) are the days of the modern CISO reporting into a CIO, or perhaps a CRO or even a CTO. Multiple dotted and fixed lines of reporting have since emerged which now define the stance and importance of a CISO within an organization – including board-level reporting, enhanced autonomy, budget, team build, and an overall bird’s-eye view of the actual risk exposure of an organization to a potential cyber breach. A good CISO will build strategic relationships with key internal stakeholders and decision makers on the technology front and will adopt a top-down approach to best protecting the organization’s infrastructure, employees, data, and, of course, reputation – the latter of which is always the most difficult to mitigate (and repair).
ZRG’s Cybersecurity Practice
ZRG’s team of technology search professionals has delivered board and leadership projects for Fortune 500 companies, mid-caps, and SMEs, as well as private equity, pre-IPO, and venture-backed clients in the technology sector and for tech-enabled businesses.
“Cybersecurity is a prevailing strategic priority for most/all of our clients, whether their domain is financial services or consumer/retail or private equity backed manufacturing,” said Larry Hartmann, CEO of ZRG. “We at ZRG are thrilled and emboldened to be positioned at the tip of the spear in advising corporate management teams and their boards on the right talent solutions to develop and enhance robust capabilities along the continuum of defensive and offensive cyber initiatives.”
ZRG and a number of its rivals, reports Hunt Scanlon, are positioning themselves to take advantage of a rapidly maturing business need that is expected to come from clients in the U.S., Europe and Asia as the rush to build out global cyber leadership solutions quickens.