The cybersecurity career field is on fire. While this isn’t actually news to anyone currently working in cybersecurity, the rapid growth of the field is making its way into mainstream consciousness. The threat of election hacking has certainly helped push cybersecurity to the front of Americans’ minds, but past high-profile breaches like those of Equifax or Target are remembered.
Talent Shortage
The shortage cybersecurity professionals is well documented and reportedly getting worse. Cybersecurity Ventures predicts that there will be 3.5 million unfilled cybersecurity positions by 2021. The demand is great for cyber professionals, but problematic for the companies trying to build and mature their information security programs. One thing that you don’t hear people talk nearly as much about is the Chief Information Security Officer (CISO). It seems natural to presume that there will consistently be a steady pipeline cybersecurity professionals for the top seat, but is that really true?
The Wall Street Journal has reported about the challenges of recruiting CISOs as companies seek a mix of board-level management skills and technical knowledge. Gail Evans the Chief Information Officer (CIO) of the consulting firm Mercer, LLC commented to the WSJ about the difficulty of finding someone “senior enough, confident enough, able to handle both the strategy and tactical nature of the role.”
The largest of companies do not appear to simply promote the next information security professional in line. According to the research and advisory firm Forrester, attaining the CISO role by climbing the ranks internally is a challenging task as 59% of CISOs are external hires. It gets even worse at the largest of companies. Fortune 100 companies hired 64% of CISOs externally and are reluctant to hire a rookie CISO.
It’s widely stated that a CISO needs to have business acumen in addition to technical knowledge. It makes sense then that 45% of CISOs in Fortune 500 companies have an MBA. The degree can facilitate learning how to speak to business leaders in their language. Considering that the is a shortage of cyber professionals in general, it stands to reason that executives possessing a blend of technical knowledge, business acumen and cybersecurity skills would be in even shorter supply.
Increased Demand
Demand for CISOs has clearly increased in light of the increased cyber threats that organizations face in the public and private sector alike. A 2017 survey ISACA showed a 15% increase from 2016 in the number of companies that had CISOs. I expect that in the next 5 to 10 years, we will see even more companies seeking CISOs.
One driving factor may be, if cybersecurity regulation is coming? The future of federal cybersecurity regulation is debatable at the moment, but if federal regulation looks anything like New York State DFS Cybersecurity Requirements for Financial Services Companies, then we’ll almost certainly see a free-for-all of companies trying to fill newly created CISO roles. New York State DFS requires that covered entities have a CISO, who must communicate to the Board of Directors at least once a year in writing. The requirements from New York State DFS likely can’t be completed simply by giving your senior IT manager a CISO title.
Filling Tomorrow’s Roles
Even without federal regulation the demand for CISOs will continue to grow along with the threat of cyber attacks. In 2018, the World Economic Forum ranked cyber attacks #3 among the top five risks to global stability over the next five years—behind only natural disasters and extreme weather. So it’s a safe bet that the demand for CISOs isn’t going anywhere.
There’s no shortage of cybersecurity vendors offering to help organizations alleviate their cybersecurity skills shortage through automation. However, you can’t automate the need for a C-suite executive away. So how will companies fill their growing CISO needs? In the near-term I expect they’ll keep poaching cybersecurity executives from other organizations. After all, not only are executives less likely to be promoted to CISO within their own firms, but those positions don’t open up very frequently either. Fortune 500 CISOs have an average tenure of four years.
However, cybersecurity executive already represent a limited talent pool. In the medium-term I suspect that smaller companies will expand their CISO search beyond other company’s executives and starting recruiting middle management from organizations with more mature cyber teams. At least those middle management cybersecurity professionals will be familiar with what right looks like. That’s decent place to start, when building a cybersecurity program from scratch.
The challenge of finding the CISOs of tomorrow will likely get worse before it gets better. It feels cliche to say that it will take time for enough talent to make it through the pipeline. In the near-term though it will undoubtedly remain a seller’s market for cybersecurity managers with business experience. Maybe we’ll see increased stature given to certifications like the EC-Council’s C|CISO. At the moment, if a CISO job listing even mentions certifications, it’s likely (ISC)2’s CISSP or ISACA’s CISM. Both are great certifications, but neither is geared towards executive engagement with the board of directors or business leaders.
Finding the CISOs of tomorrow will likely be continue to be a challenge for companies in the near- to medium-term. Limited talent supply and the growing cost of cybercrime will probably continue to drive up CISO salaries. Therefore while a lack of well-defined career path is a challenge for cybersecurity professionals, there seems to be ample opportunity for those who desire to make their way to a CISO role.