Why You Can't Find a Chief Information Security Officer

​Chief information security officer (CISO) is one of the hottest jobs in all of IT and C-level management, according to executive search firm Heidrick & Struggles. This position is vitally needed in light of a 500 percent increase in cybercrime over the last two years. In response, 69 percent of organizations are raising spending on cybersecurity this year. But technology solutions are not enough. Cybersecurity requires expert guidance to manage risk and plot a course toward a more secure future.

"Without someone holding CISO duties, technology purchases will be hit-or-miss and the organization's risk profile will increase," said Roy Azoulay, co-founder & COO of Cynomi, a network security firm based in London and Herzliya, Israel.  

The problem is that such leaders are in short supply. Skillsoft's IT Skills and Salary Report found that three-quarters of IT organizations face critical skills gaps. A survey from InfoSec IT and Security Pipeline noted that 92 percent of respondents have difficulty filling open cybersecurity positions. The general shortage of IT and security talent, therefore, has caused pay rates for C-level execs and cybersecurity personnel to skyrocket. The average CIO or CISO can command a salary of $170,000 and above. Bidding wars for top talent are common.

In some states, salaries are much higher. New York and a few other states have passed laws requiring every firm operating within certain regulated markets, such as financial services, to employ a CISO. The average salary of a CISO in the greater New York City area has soared well above $250,000, according to Heidrick & Struggles.

The supply/demand mismatch is such that CISOs, chief security officers and other high-ranking security executives are changing jobs faster than ever. According to a study by CyLumena, the average tenure is down to 18-26 months. With so few people highly skilled in both C-level and cybersecurity management, headhunters are constantly on the prowl with attractive offers.

"There is a big shortage of strategic cybersecurity expertise," Azoulay said.

CISOs Needed Now More Than Ever

Large organizations are where CISO jobs can usually be found, according to Matt Aiello, a partner at Heidrick & Struggles. But a spike in cyber risk is shifting the equation. Now midsize enterprises and even some smaller businesses see the need to hire a CISO. The position is there to coordinate the purchase of cybersecurity tools and software, devise the right tactics and strategies to lower risk, and institute processes and policies to ensure the organization is protected. While most cybersecurity and IT personnel are immersed in security logs, lists of potential vulnerabilities, detection of phishing e-mails, and watching for any signs of ransomware or exfiltration, the CISO stands aloft like a general on the battlefield. Instead of charging at individual problems, the CISO constantly assesses the risk profile of the organization; reviews summarized data from IT and cybersecurity personnel; and develops, implements and enforces measures to protect critical systems, identities and data. All of this is done in alignment with the overall goals of the business. 

The CISO, Azoulay said, is typically involved in functions such as developing and implementing processes and systems that prevent, detect and mitigate cyberattacks; monitoring, evaluating and managing cybersecurity risk; setting a cybersecurity strategy to guide investment in technology; overseeing cyber governance, risk and compliance processes; and reporting to top management and the board.

These functions have become even more critical in recent years due to so many people working remotely. In the current climate, CISOs must be constantly on the lookout for changes in the risk profile, adjusting plans and policies accordingly, and monitoring compliance. Holding this position necessitates knowledge of industry standards such as NIST, ISO, and PCi-E, and regulations such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act and the General Data Protection Regulation.

Success as a CISO requires two relatively rare commodities: a great deal of experience in security and IT, and the right qualifications. According to David Foote, an analyst at Foote Partners, the qualifications typically include an MBA as well as advanced degrees in IT and cybersecurity, and certifications such as the Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Control (CRISC) or Certified Information Security Manager (CISM). 

What Is an HR Department to Do?

Faced with demands to hire a CISO now, what is HR to do? The options are relatively few:

• Compete on price and be prepared to outbid others in the fight over top talent.
• Promote someone from within who has both the experience and the qualifications.
• Train someone internally or recruit someone who can earn the qualifications needed to function as a CISO.
• Look to managed service providers that now offer virtual CISO services. The virtual CISO is contracted for a certain number of hours per week or month to fulfill this demanding role and provide the strategy and guidance necessary.

Drew Robb is a freelance writer in Clearwater, Fla., specializing in IT and business.