Cybersecurity Leadership Outlook
The market for cybersecurity talent has been and continues to be highly competitive. Cybersecurity risks for companies of all sizes and in all industries and sectors are only increasing, which in turn increases pressure on the talent pool. Bad actors in cybersecurity have a low cost of entry, the ability to work globally, and the ability to be perpetually active. With the success of countless ransomware attacks, they are incentivized to keep expanding their operations. According to FBI data, victims suffered over $10 billion in losses due to attacks last year. This has put continued pressure on CISOs, both with their management teams and with their boards of directors.
The responsibility for cyber is evolving. Once seen as the exclusive province of the technology function, it is now being shared more widely: many companies are pivoting to having cyber knowledge and presence on the board. Other companies are merging physical, cyber and information security into one function or one person’s remit under a Chief Security Officer. These are all current themes, which naturally vary by industry.
Many firms have gone through iterations of hiring more expensive and better qualified CISOs to combat attacks that persist. They are finding different ways to manage cyber risk, with more sophisticated technology, support from third parties, and deeper engagement with peers and government agencies.
One of the most important considerations for how effective a CISO can be is where they are positioned in the organization. Their position will affect the influence they can have on the executive leadership team, the board, and the wider firm. Many report to the top technology leader and the board of directors, while some report into a corporate Risk function, if one exists, and some CISOs report directly to the CEO.
The Importance of Cybersecurity Roles
Cybersecurity attacks are endless, ranging from heavily funded and sophisticated rogue nation states, to an internal employee whose credentials have been compromised, to someone with a computer in their basement. Cybersecurity incidents continue to present one of the greatest risks to a firm’s reputation and performance by exposing sensitive information, maliciously stopping critical operations, and reducing share price or company value.
We are at a point in time where almost every company has been breached or will be. It is commonly known that if you have been breached, you are a bigger target for subsequent breaches. Attack rates increased last year, averaging 1,168 attacks per week per organization. In the United States, the rate of attacks increased by 57% over the prior year. The UK was even harder hit with a 77% increase in attack volume.
The Rise of CISO Demand
Twenty years ago, companies were significantly less active in cybersecurity. Many didn’t even use that term, referring to the discipline as “network security” or “information security”. We began to see a significant uptick in hiring relevant security leadership roughly 8 years ago. As the internet and corporate use of the internet exploded, and as companies have become more digital, external access to (and breaches of) what were once relatively isolated systems has increased exponentially. For an example, think about your medical records. Not that long ago, your doctor’s information was largely maintained in a physical format in an office, literally in a file folder with actual paper. Today you may have access to your personal medical records through an app on your mobile device, which is incredibly convenient and powerful for you as a consumer and patient, yet that same convenience potentially exposes your immutable medical records to a hacker on the other side of the globe.
Current CISO Demand
The demand for CISO talent remains high, although perhaps less so than we saw 3-5 years ago, when it felt like every company was trying to increase the level of its cybersecurity capability and CISO tenure was shorter. Remote and hybrid work have each been both an opportunity and a challenge. There are firms that pre-pandemic would not consider a remote CISO but have since fully embraced remote work, or that as an organization have adopted or are adopting a hybrid work strategy. This additional flexibility has increased the number of viable candidates. It has also led CISOs who cannot relocate, typically for family reasons, to consider remote positions, which has amplified the domino effect: departures create openings, and filling one opening leads to another departure.
Perhaps the main challenge in this market is that there is not enough talent to fill the number of open opportunities available. In many companies, there is not a true successor to the CISO. When a CISO leaves a company without a successor, there is often an external search, because the potential successors aren’t developed enough to step into the top role. Recent surveys indicate that up to 92% of firms are experiencing difficulty in filling the CISO role.
Firms should avoid over-hiring candidates, especially if they provide no mandate to effect change. It is not all about the cybersecurity budget; there may be necessary culture changes among employees, or changes to the way an organization deploys and maintains technology, which can have a dramatic impact on the overall security of an organization. While some CISOs are reluctant to join a company that’s just experienced a notable attack, many savvy CISOs realize that a breach is a catalyst for change, and both management and individual contributors are more likely to accept the change and inconvenience of additional controls after they have experienced the pain of a breach.
The most experienced and credible CISOs demand significantly higher compensation than the average CISO, and the demand at the top has pulled the average compensation up along with it. The CISO role is different from many other C-Level roles, in that the CISO is dealing with very technical and complex topics and doesn’t have control over which risks an organization will accept or mitigate. She or he is dealing with a highly skilled, global and anonymous enemy, and needs to be able to present effectively to the Board of Directors; that is a challenging confluence of factors.