January 13, 2023 – The impact of a cybersecurity breach – be it from cyber criminals, business competitors, terrorist organizations, or foreign nations – is unsettling to say the least. In terms of dollars alone, the average data breach cost $4.35 million in 2022, an increase of 2.6 percent over last year and 12.7 percent since 2020, according to a new report by IBM. And for critical infrastructure organizations – like those in the financial services, industrial, technology, energy, transportation, communication, healthcare, education and public sector industries – that number jumped to $4.82 million — $1 million more than the average cost for those in other areas. And let’s not forget the damage to reputation and trust, shutdowns, harm to the potential sale of a business, lawsuits, even legal penalties that can leave a company reeling.
All this has made finding top cybersecurity talent a growing imperative for organizations everywhere. And it’s not just the senior-most leadership roles like chief information security officers that are in demand. Search firms are being asked to build out teams, which in some cases can number in the hundreds of new hires. That’s good news for recruiters who specialize in the field. A growing challenge, however, is finding the people to fill the roles that are vital to keeping organizations safe. And because it’s a relatively new field, building pipelines continues to be a work in progress.
“It’s difficult in different ways, depending on the level of the role,” said James Shira, global and U.S. chief information and technology officer for professional services network PwC, speaking about the stresses of recruiting cybersecurity talent. “But it’s difficult across the board. For the executive-level type searches, it’s difficult because the skill-set for the role is not just technical. And those non-technical, more subjective type qualities in an executive role are much more important for a CISO now than they were a decade ago.”
The War for Talent
For the next level down, such as a director role, it’s a similar challenge. “But then the focus there also needs to be not just those executive-level qualities but also what is that person’s ability to lead and deliver change,” said Mr. Shira. “When you go to the more junior-level roles, it’s a little easier, although not easy. In that case, below the director level, there’s a broader population of available folks. But in that space, there is never enough. And there’s a lot of what I’ll call talent wars occurring between different organizations. So it’s not uncommon to find someone who’s a manager-level person, with like five or six years of experience, and that person calls you after you think that they’re going to join you, and they say, ‘Oh, well, my incumbent employer offered me your offer plus X.’ There’s a bit of that occurring more at that level.”
Matt Comyns, president and co-founder of Artico Search, a pioneer in the development of the cybersecurity recruitment industry, says the problem of finding cybersecurity talent is especially acute with large enterprises. “We’ve been having this really hockey stick, rapid growth in cybersecurity over the past six to eight years,” he said. “And in that time, you’ve seen, for example, large financial services companies literally transforming their teams where they have doubled, tripled, quadrupled in size.”
Mr. Comyns cites one major financial services player he has worked with that five or six years ago had a cyber team of about 300 people. That number is now 600. “You also have banks that had teams in the hundreds; now it’s multiple thousands of people. Same with Google and all these other places. For these really large programs, there are thousands of people globally on their security teams. In fact, I’m talking today with a very large global bank, and I was just told that they have 500 open headcount – 500, right now. So all of these companies are still ramping up. And at the same time, as you can imagine, when the whole market is ramping up everybody’s getting poached at the same time. So not only are you filling the open headcount that you’ve identified to round out your team, but you have to replace those who are leaving.”
Cybersecurity roles are largely recession-proof. While companies may be reducing headcount in these uncertain economic times, they are not including cybersecurity talent in their cutbacks. “I have one private equity client with 100 portfolio companies who told me recently that they have cut the technology budget by 20 percent,” said Mr. Comyns. “But they’re growing the cyber budget by 20 percent. This is just one of those things – you’ve got to take care of this problem of security. You might say, ‘Oh, can you do more with less?’ But no matter how you slice it, this is an expanding area, even in this market. We have yet to hear any chatter whatsoever that people are freezing hiring in cybersecurity.”
Even lower-level hires are in demand, so much so that not long ago fast-growing Artico Search signed on three respected recruiters from information security boutique L.J. Kushner & Associates in the wake of its acquisition by BG Staffing. “They had a particular expertise and focus on this next level down hiring,” said Mr. Comyns. “And I said, Gosh, all of these Fortune 500 companies are coming to me more and more, saying, ‘Hey, can you do a handful of roles below the CISO? Can you do even more roles below that?’ I’m getting mandates now that I never did before. In the last six months, I’ve gotten mandates for five or six searches at a pop from one organization. This is definitely happening. It’s definitely a trend. And because a rising tide lifts all boats it’s not just the CISO who’s getting paid; everybody’s getting paid.”