October 11, 2022 – The impact of a cybersecurity breach—be it from cyber criminals, business competitors, terrorist organizations, or foreign nations—is unsettling to say the least. In terms of dollars alone, the average data breach cost $4.35 million in 2022, an increase of 2.6 percent over last year and 12.7 percent since 2020, according to a new report by IBM. And for critical infrastructure organizations—like those in the financial services, industrial, technology, energy, transportation, communication, healthcare, education and public sector industries—that number jumped to $4.82 million — $1 million more than the average cost for those in other areas. And let’s not forget the damage to reputation and trust, shutdowns, harm to the potential sale of a business, lawsuits, even legal penalties that can leave a company reeling.
All this has made finding top cybersecurity talent a growing imperative for organizations everywhere. And it’s not just the senior-most leadership roles like chief information security officers that are in demand. Search firms are being asked to build out teams, which in some cases can number in the hundreds of new hires. That’s good news for recruiters who specialize in the field. A growing challenge, however, is finding the people to fill the roles that are vital to keeping organizations safe. And because it’s a relatively new field, building pipelines continues to be a work in progress.
“It’s difficult in different ways, depending on the level of the role,” said James Shira, global and U.S. chief information and technology officer for professional services network PwC, speaking about the stresses of recruiting cybersecurity talent. “But it’s difficult across the board. For the executive-level type searches, it’s difficult because the skill-set for the role is not just technical. And those non-technical, more subjective type qualities in an executive role are much more important for a CISO now than they were a decade ago.”
The War for Talent
For the next level down, such as a director role, it’s a similar challenge. “But then the focus there also needs to be not just those executive-level qualities but also what is that person’s ability to lead and deliver change,” said Mr. Shira. “When you go to the more junior-level roles, it’s a little easier, although not easy. In that case, below the director level, there’s a broader population of available folks. But in that space, there is never enough. And there’s a lot of what I’ll call talent wars occurring between different organizations. So it’s not uncommon to find someone who’s a manager-level person, with like five or six years of experience, and that person calls you after you think that they’re going to join you, and they say, ‘Oh, well, my incumbent employer offered me your offer plus X.’ There’s a bit of that occurring more at that level.”
Matt Comyns, president and co-founder of Artico Search, a pioneer in the development of the cybersecurity recruitment industry, says the problem of finding cybersecurity talent is especially acute with large enterprises. “We’ve been having this really hockey stick, rapid growth in cybersecurity over the past six to eight years,” he said. “And in that time, you’ve seen, for example, large financial services companies literally transforming their teams where they have doubled, tripled, quadrupled in size.”
Mr. Comyns cites one major financial services player he has worked with that five or six years ago had a cyber team of about 300 people. That number is now 600. “You also have banks that had teams in the hundreds; now it’s multiple thousands of people. Same with Google and all these other places. For these really large programs, there are thousands of people globally on their security teams. In fact, I’m talking today with a very large global bank, and I was just told that they have 500 open headcount—500, right now. So all of these companies are still ramping up. And at the same time, as you can imagine, when the whole market is ramping up everybody’s getting poached at the same time. So not only are you filling the open headcount that you’ve identified to round out your team, but you have to replace those who are leaving.”
Cybersecurity roles are largely recession-proof. While companies may be reducing headcount in these uncertain economic times, they are not including cybersecurity talent in their cutbacks. “I have one private equity client with 100 portfolio companies who told me recently that they have cut the technology budget by 20 percent,” said Mr. Comyns. “But they’re growing the cyber budget by 20 percent. This is just one of those things – you’ve got to take care of this problem of security. You might say, ‘Oh, can you do more with less?’ But no matter how you slice it, this is an expanding area, even in this market. We have yet to hear any chatter whatsoever that people are freezing hiring in cybersecurity.”
Even lower level hires are in demand, so much so that not long ago fast-growing Artico Search signed on three respected recruiters from information security boutique L.J. Kushner & Associates in the wake of its acquisition by BG Staffing. “They had a particular expertise and focus on this next level down hiring,” said Mr. Comyns. “And I said, Gosh, all of these Fortune 500 companies are coming to me more and more, saying, ‘Hey, can you do a handful of roles below the CISO? Can you do even more roles below that?’ I’m getting mandates now that I never did before. In the last six months, I’ve gotten mandates for five or six searches at a pop from one organization. This is definitely happening. It’s definitely a trend. And because a rising tide lifts all boats it’s not just the CISO who’s getting paid; everybody’s getting paid.”
Indeed, the competition to find—and keep—good cybersecurity talent can be fierce, and for candidates, lucrative. Mr. Comyns tells of one prospect who accepted a big-increase offer of $850,000 for a chief information security officer role, only to come back to say he had changed his mind. His employer, it turned out, made a counteroffer that was hard to refuse: “They put a special retention package in place over a three-year period to keep him, which when you annualized what they put in front of him, he went from making $600,000 to $1.6 million a year,” said Mr. Comyns. “They gave him a $1 million dollar a year raise to keep him in the seat. He called us up and said, ‘Guys, I am so sorry, I am not the type of person to back out of a commitment, but what would you expect me to do in this situation?’ And I said, ‘I would expect you to take that million-six a year and stay put.’”
In other instances, Mr. Comyns says, clients have been flabbergasted by even young stretch candidates in cybersecurity saying no to anything less than top dollar. “Lots of companies are willing to take a promising young talent and stretch them beyond where they are today or make a bet on them,” he said. “But they’re not getting a big discount for that. That’s the rub.”
A Bigger Picture
Mr. Shira, however, stresses that compensation should only be part of the equation when it comes to hiring cybersecurity talent. Organizations, he says, must create a culture around security, along with the right compensation strategy and the right pipeline for recruiting, to attract and retain the right people.
At the heart of that environment should be a focus on the team’s mission orientation. “Cybersecurity folks want to feel like the mission is valued and important as part of the culture,” said Mr. Shira. “We tend to get very passionate about that mission orientation, especially when it’s not there. And when it is there, it tends to contribute significantly to retention.”
Developing a culture around trust is also essential. At PwC “we’ve invested significantly in the leadership on down in how we develop and promote trust both within our organization and with our clients and helping our clients do that,” he said. “Security is very tightly associated with trust.”
Another key area for any organization that wants to attract and keep cybersecurity talent is a strategy that helps people progress their careers. “When individuals make job changes, yes, sometimes it’s financially motivated,” said Mr. Shira. But good candidates care about more than just money. “I think you can create a culture within your team where people have an understanding about how they’re progressing their career path,” said Mr. Shira. “What are the steps, for example, that unlock the next level of progression? It’s also important to make sure people are working on the topics that they have a passion for, and making sure people get the opportunities to grow, whether that’s moving them internationally to get that experience and exposure, as well as letting them work on something different. All those things contribute. And they take a lot of management effort and energy. But I think the effort and energy speaks to the issue of retention, I think it speaks pretty directly.”
Maturity of Judgement
So, yes, money matters, Mr. Shira says, but it is not everything for prospects. “You can get a raise easier than you can get a boss who cares,” he said. “For me, people are my No. 1 asset. I view the people in the teams that I lead as one of my key stakeholders, if not the key stakeholder. I view my job as facilitation of their learning, growth, development, and success. And to be clear, sometimes that might mean facilitating a move outside of the team and outside of the firm. And that’s okay, too. Sometimes the best path for people might be to make a move. What I do worry about in our industry is the rapidity of moves that I see folks making.”
Finding good talent is tough enough as it is. It’s hardest, Mr. Shira says, to identify people with not only the technical skills but the maturity of judgement to know when to bring management in when problems arise. “It’s that combination of being keyboard oriented, technical-minded, but also having the maturity and experience and judgment to be more strategic,” he said. “That’s the most in-demand skill I would cite. And then if you get into specifics, obviously, we have the hunting type skill-sets, the defending type skill-sets. And I think also not to be overlooked are the program management and change management skill-sets.”
“Think about it: Cyber is a huge change issue,” said Mr. Shira. “Technology is another huge change issue. And folks in these roles sit at the apex of those two dynamics. And then you layer in the change the company might be going through. Most companies—all of us—are going through a level of maturing. COVID obviously helped promote the pace of that. Those are the hardest people to find, those that can help their organizations sit at the apex of that.”
Between the constantly growing demand for cybersecurity talent and that field being relatively new, Artico’s Mr. Comyns says it is only natural that pipelining is an obstacle. “Colleges have done a terrific job of adding programs and adding specialization around cybersecurity; you’ve seen tremendous growth there,” he said. “However, it takes a while. And then with the younger people it’s going to take 10 to 15 years to mature as executives and managers. So it’s just too new; it’s too new and the demand is too great.”
Mr. Shira says he doesn’t have the complete answer as to where the needed cybersecurity talent will come from in the years ahead. The response, he says, will be multi-pronged. “One part is working with the education system, the universities, and frankly, the trade schools, because not every role in these types of organizations necessarily requires a full college degree or a master’s degree,” he said. “Part of it is working with the other areas outside the United States that have really talented labor pools, and investing the time and energy to have the right footprint there. You can fill in the blanks on the usual suspects there, but basically the Philippines, India, Eastern Europe, and other places. And I think it’s also about working with our military, and making sure that we give our veterans the opportunity to learn a different skill-set. We’ve had success doing that here, and other companies have as well.”
“And then you’ve also got to work hard on developing the people you have,” said Mr. Shira. “It’s not uncommon in my organization for me to have people that started as interns, and now are director and above. We don’t have a hundred of those but we have several. Organizations have got to create their own pipeline. And then frankly, you’ve got to work with the right recruiters and others in the industry as well.”
Contributed by Scott A. Scanlon, Editor-in-Chief; Dale M. Zupsansky, Managing Editor; and Stephen Sawicki, Managing Editor – Hunt Scanlon Media