The cybersecurity talent shortage is well-analyzed but less discussed is the search for CISOs with the right expertise and skills to lead a company's cybersecurity programs and team.
It's not just finding and hiring CISOs but also retaining them that poses a challenge. Two-thirds of current CISOs were hired from outside the company, while a little more than half of them have been on the job for two years or less, according to research by Marlin Hawk.
The high turnover means that organizations are always on the lookout to bring in new cybersecurity leadership, but what exactly are companies looking for in a CISO?
Executives want a CISO who has leadership skills, technical skills and an aptitude in security, according to Stel Valavanis, founder and CEO for onShore Security. Their first option on this search is to look inside the company — within their own infosec team, if they have one, or from the IT department.
Those who have cybersecurity certifications, such as CISSP or CISM, or are on the path to earning them, will rise higher within the applicant pool, as these help to fill the security knowledge-base gaps that might otherwise be missing in those who have a stronger IT than security background, Valavanis said.
If there aren't any qualified applicants on the inside, then the search will go external.
Why is it so hard to find a CISO?
A CISO with the right technical skills is the most difficult to find. "They need a technical background in networks and systems which are already in high demand. Companies are often compromising on technical capabilities in favor of leadership skills," said Valavanis.
Weak technical skills make it more difficult for a CISO to do one of their most important duties — converting security threats to business risks. Security executives must be able to understand how those threats attack the organization, and then be able to translate that information across multiple departments and business functions.
Finding a candidate with this level of communication skills — to explain issues plainly to groups as diverse as IT, C-suite, and staff assistants — combined with technical skills can seem like a search for a unicorn.
Location is always a consideration when looking for new talent. Some organizations focus their CISO search in specific cities or companies, though some CISO candidates don't want to relocate.
"However, in today's new working environment, organizations are becoming more flexible and finding strong CISOs working remotely," said Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify.
Another concern is the organization's overall cybersecurity reputation, such as a company that experienced a major data breach and fired its CISO. Not every new CISO wants to be the one to clean up the mess, but there are CISO candidates who thrive in turbulent situations.
It is up to the organization to find that CISO who grows stronger in a post-breach scenario — or is otherwise the right person to keep business operations running smoothly in this cyber-tenuous world.
The CISO search
Large enterprises have an advantage in the CISO search.
"Bigger companies use recruiters to poach from others but hiring from within, even grooming over years, is just as common," said Valavanis.
Many organizations need to do more recruiting from the wider cybersecurity community, not just among people already in leadership roles. A lot of potentially great CISOs are left undiscovered.
"No one will admittedly say they're against diversity. Yet systemic racism, sexism, or just boys' clubism in general continues to exist," David Spark, producer, managing editor and co-host of the CISO Series, said in a CISO Series post.
An unwillingness to move outside the organization's comfort bubble limits the number of candidates — so will the pay.
"Salaries are going up for CISOs globally, however, not all CISOs are equal and you will find strong CISOs when you match the salary based on the quality of the skills and experience," said Carson.
The median cash compensation for CISOs rose from $473,000 in 2020 to $509,00 in 2021, according to a 2021 global CISO survey from Heidrick & Struggles. Pay and benefits packages are dependent on factors such as geographical region, IT skills and size of the cybersecurity team.
Each job is unique
Just like the mantra in cybersecurity is "there is no one-size-fits-all solution," the same can be said for the CISO. It isn't a cookie cutter position.
Not all CISOs are equal and not all businesses are the same. To find the right CISO, it is important to search for a CISO who understands the industry that the organizations operate in.
"CISOs are suffering, and we need them to be successful. In order for a CISO to succeed, we must change our path, and this means potentially rethinking our approach to cybersecurity," said Carson.
The CISO's role within cybersecurity is not to simply put technology in place for sake of security but to put technology in place that contributes to business success while ensuring cyber risks are either reduced or eliminated.