As my smartphone rings on my desk, I pick it up and find it’s another recruiter who has a story to tell me. They have this client who has a fantastic opportunity for the right candidate. Now I am sure many of my peers have heard this story; it’s the one where the company seems to have a revolving door, and every 12–18 months, they are hiring a new CISO. I have always wondered about companies with that type of turnover. Are they facing market forces and can’t afford good security talent? Is it because the previous incumbent was not a good fit, or do they just leave the company? Finally, could it possibly be how the company itself is hiring?
These questions lead me to believe how companies recruit CISOs is broken. I have written about some of the problems that impact the CISO community, and I am sure these problems influence the hiring process. With that said, I honestly believe it is not one specific issue but a multitude of factors that have developed over time as the CISO role has grown in importance to companies’ executive teams. My approach to looking at this challenge is accepting that we have multiple issues impacting our community now that make hiring and retaining security talent competitive. Obviously, I can’t write about all of these issues. Still, there are three points I want to focus on; I feel they have the most significant influence on businesses today.
1. Market Forces
As we begin, it’s a given today that there is a lack of cybersecurity talent for all of the currently open positions. The cause, and how large the talent gap is, are still open to debate. In an article published by the World Economic Forum in August of 2017, it is estimated that by 2021 there will be 3.5 million unfilled cyber jobs. That’s this year. As we recover from the pandemic, companies will be planning their recovery strategies and must factor in competing for scarce, experienced security talent. In fact, an article by Cybercrime Magazine describes this shortage in more detail as a competition where positions could be open for up to six months while companies compete with each other for the same talent.
Now how does this information apply to organizations seeking to fill their open security leadership role? I believe it is a wake-up call that the current process for recruiting that role is no longer effective. The job itself continues to transform, which skews the required skillsets and experience. Plus, the current market for senior leadership talent is very different than what companies have faced before. According to a Forbes article published last year, the US Bureau of Labor Statistics predicts cybersecurity-related jobs will grow 31% through 2029. With those kinds of numbers, it’s essential for companies to accept that when they recruit a security professional, especially a senior leader with years of talent and experience, they are competing for that talent, so I recommend they make an investment. Just as one would invest the time and effort to put together an equitable package to hire an executive like a CFO, who is critical for the business, the CISO role is quickly gaining importance and should be respected as such. Otherwise, you will find the CISO talent you worked so hard to recruit will eventually get pulled away from you by companies who are willing to invest. I believe that is my key learning point here for companies today. They need to understand they are in a very competitive market to acquire talent, so it’s time for a new strategy. Don’t think short-term pay to fill a check-box; instead, think long-term investment to break the revolving door cycle.
2. Why CISOs Leave (Incompatibility)
The second point I wanted to discuss is why CISOs or senior security professionals leave companies, and surprisingly most of the time, it’s not due to an incident. In fact, in a 2017 research report conducted by ESG and ISSA, they surveyed 343 senior cybersecurity professionals and noted four top reasons CISOs left organizations.
· “38% of respondents say CISOs change jobs when they are offered higher compensation packages from other organizations.” This answer ties back to my previous point about hiring security leadership; if you don’t invest in them, someone else will.
· “36% of respondents say CISOs change jobs when their current employer does not have a corporate culture that emphasizes cybersecurity.” Business culture is a significant challenge for CISOs because change is a substantial part of being a security leader. If company leadership is unwilling to support the focused change CISOs and security teams bring to the business, then CISOs find themselves in a hostile environment and decide to move on. No one wants to work in that type of stressful environment with little to no support.
· “34% of respondents say CISOs change jobs when they are not actively involved with their leadership team.” The role of CISO is that of a business executive tasked to use technology, people, and processes to manage risk. If the CISO is not included in meetings and lacks access to leadership personnel, this reduces their understanding of critical business operations and strategic initiatives. This inevitably leads to misaligned security programs and a security executive leaving for new opportunities to be treated as a partner, not a security administrator with a title.
· Finally, “31% of respondents say CISOs change jobs when cybersecurity budgets are not commensurate with the organization’s size or industry.” The CISO and security team’s job is challenging enough without having to deal with a lack of funding and personnel. CISOs and company leadership must work to balance what resources they can fund. CISOs are business leaders and understand the needs of the company come first. With that said, if this is a continuous dilemma, then it eventually leads to CISOs deciding they are not being adequately supported, and they move on.
Finishing this point, I want to reiterate that cybersecurity is a vibrant job market with a predicted 31% growth and basically 0% unemployment. With numbers like that, there is no having the upper hand in retaining talent. Because of this, I believe it’s crucial for company leadership and the CISO to collaborate; there must be a partnership to manage the above challenges and incorporate the CISO as part of the leadership team with their peers. For leadership teams, it’s all about trust and investing in your security executive.
3. Misaligned Hiring Processes
Finally, we come to my last point about how companies hire their security leadership staff. This process has been fascinating for me because I have found when looking at CISO job descriptions that 70% of the requirements tend to be similar, but the remaining 30% are amazingly varied. This diversity raises two questions: do companies understand what skills CISOs typically have, and do they understand the type of CISO they are hiring?
From experience, I don’t believe organizations understand the CISO role very well, which significantly adds to the revolving door talent issue. I developed the following diagram based on Rafeeq Rehman’s work to help business leaders visualize senior security professional skillsets and responsibilities and how they cluster around two specific leadership types.
· Technical CISOs — are also called Operational CISOs, and they are security leaders who like to build. Usually, CISOs in their first couple of roles are technical, and they are tasked to create an organization’s first security program and develop its security infrastructure. I have known many peers who love being technical CISOs for startups and have very little interest in working as a Strategic CISO. With that said, typically, as a security professional matures, they tend to pick up more of the skillsets and experience listed on the “Strategic” part of this diagram. Eventually, after several technical roles, they may take their first Strategic CISO position.
· Strategic CISOs — were traditionally more senior-level CISOs who moved beyond “Technical” and accepted roles involved with governance, legal, audit, and business enablement. These types of positions tend to be for larger companies and those with significant regulatory requirements. That doesn’t mean CISOs at this level can’t be technical; many of us transition back and forth between the two and are comfortable with this type of hybrid approach — I actually enjoy it. With that in mind, understand there are also Strategic CISOs who have never been technical. These professionals tend to transition from consulting organizations and slide right into roles that are focused on Governance, Business Enablement, or Compliance. I mention this because if you hire a Strategic CISO and you want them to also provide some technical/operations help to peers within the business, you may have a problem. You as a hiring manager had better ask some questions. Again, not all CISOs are alike; in fact, we are an amazingly diverse group of professionals.
I describe both of these roles because I believe one of the contributing factors businesses have with retaining talent is they hire what they think they “want” and don’t understand what they actually “need”. A good example is a business that needs a Strategic CISO to prepare for fundraising their next round and eventually a possible IPO, but because the business culture is engineering-centric, they hire a Technical CISO. After a specific amount of time, the business concludes that their Technical CISO just doesn’t fit their culture, and the revolving door speaks again. Of course, as many of us who have seen this scenario play out know, this can be prevented or at least managed. To do this, companies need to recognize that the skill sets they are hiring for in the above diagram may be different than what they had originally planned to hire. That’s ok; what is important is hiring a better fit for the company, one that should provide more long-term value and stability to current operations.
In closing, thank you for reading this article. I hope the three points we discussed have provided insight and possible paths to managing these issues within your organization. As a CISO who is active in the cybersecurity community, I would really like to see this revolving door issue better managed by companies. I firmly believe that much of what we are experiencing is the growing pains of the security field expanding and senior roles within the community becoming more business aligned. I hope that companies get better at investing in their talent and that my peers and I can look forward to working with your executive teams as business partners, not just a part of the business.
***In addition to having the privilege of serving as a Chief Information Security Officer, I am a co-author with my partners Bill Bonney and Matt Stamper on the CISO Desk Reference Guide Volumes 1 & 2, The Essential Guide to Cybersecurity for SMBs, and my new book Developing Your Cybersecurity Career-Path. For those of you that have asked, all four are available in print and e-book on Amazon. To see more of what books are next in our series, please visit the CISO Desk Reference website.