Why the CISO is the hardest tech role to fill

CISOs are hard to hire because there are far too few business executives with the right mix of business and technical chops. Also, companies aren’t exactly sure how much they’re willing to pay a CISO.

Companies are under constant threat from cyberattacks and the situation is only getting worse with the rise of ransomware and whaling scams as a variant of phishing, according to recent cybersecurity reports. Yet the shortage of seasoned CISOs, inconsistent policies around compensation and a lack of proper metrics means some companies are under-investing in cybersecurity.

CIO.com recently spoke with several executive recruiters to get a handle on what companies are looking for in CISOs, as well as what obstacles they face hiring and retaining them.

If you've noticed a game of CISO musical chairs of late, it's because the market is rapidly evolving, perhaps too rapidly for its own good. Unlike the CIO, who is often judged by KPIs, cost savings and other benchmarks, few metrics exist to evaluate CISO performance. Companies can't benchmark a CISO on whether the company has avoided a breach (chances are it has been breached and doesn't know it yet). As a result, most companies haven't quite figured out how to fairly pay CISOs, whose salaries can range from $500,000 to $2 million.

Matt Aiello, partner at Heidrick & Struggles.

Heidrick & Struggles partner Matt Aiello says some CISOs working for large enterprises who wield a great deal of responsibility are earning less than CISOs with less responsibility at smaller companies. Some of those CISOs leave because they get a better deal elsewhere.

Aiello says the best CISOs are devising strategies to embed cybersecurity defenses into the foundation of new initiatives, such as digital transformations. That means they'll have to partner with CIOs to make sure that innovation progresses, but with the proper security procedures in place. "The most progressive security officer searches that we see are not just friendly to the business, they are advancing business needs and they're helping them win in the marketplace," Aiello says.

However, he says this isn't happening just yet. "We're still locking things down and we're still in a primarily defensive posture."

Most companies still under-invest in cybersecurity

Companies may talk a good game about addressing cybersecurity threats but many continue to underinvest in it, citing a challenging global economy battered by political unrest and volatile oil prices, says Matt Comyns, global cybersecurity practice leader of Russell Reynolds Associates.

Matt Comyns, global cybersecurity practice leader of Russell Reynolds Associates.

"Companies tighten budgets and look at ways to save money," Comyns says. "They want to innovate and do all of these wonderful things, but they're trying to do more with less, which is not good for investing in cybersecurity. I see companies continue to shrug their shoulders and say, 'I care more about it, we're much more aware about it than we used to be. Our boards are talking about it, our executives are talking about it, but we're going to take baby steps and inch our way to that over time.' My feedback is, 'I'm not sure that's a good idea because the threat environment has gotten worse.'"

And there's little question of that. The share of phishing email messages that were opened rose to 30 percent this year, up from 23 percent last year, according to Verizon's 2016 Data Breach Investigations Report. Moreover, the gap between the time to compromise and the time to discovery widened, rising from 62 percent in last year's report to 84 percent this year.

But most companies are tightening their purse strings and betting that they won't be breached. Comyns says a typical hiring search goes like this: Executives will say they need a CISO who satisfies 10 requirements. They'll ask what the market value is, and when they hear the $1 million-plus salary range, they'll say, "Don't bring in someone too high-powered, we're playing with bows and arrows, not bazookas. I don't want to frustrate someone who won't be satisfied with our pace of change." When Comyns hears that, it gives him pause: "My concern is that in more difficult economic times, the progress is being stunted."

Chris Patrick, head of Egon Zehnder’s global CIO practice.

What you want in a CISO

Companies should hire CISOs who strike the right balance of business leader and risk assessor, says Chris Patrick, head of Egon Zehnder's global CIO practice. You want someone who can design a comprehensive security architecture and explain it clearly to the board when called to do so. And you want someone who can coordinate communications among the C-suite, general counsel, media relations and other necessary parties to respond to a cyber incident, Patrick says.

Egon Zehnder consultant Kal Bittianda says a CISO must understand the issues and know what data is important to protect, but they needn't be the most tech-savvy leader on staff, the one familiar with all of the latest detection analytics and other emerging technologies. Bittianda says it is better to hire a strong executive who has the ability to influence key strategic leaders in the business, and to surround him or her with technical experts who know which tools to apply and how.

Choosing the right CISO is a matter of culture fit. Bittianda says there are two CISO archetypes: Those who run to the fires and those who run from the fires. Some CISOs prefer to build a cybersecurity program from scratch and then move on. Others prefer to come in after a breach because they will be more likely to enjoy an increased appetite for cybersecurity investment, as well as influence.

Patrick says that with such high demand for security leadership roles, price tags are going up and people are moving fairly regularly. As a result, it's also imperative for companies to help themselves by grooming cybersecurity leaders in house. "It's an arms race and you've got to build capabilities internally as well," Patrick says. "You can't hire your way out of this problem."

Stories by Clint Boulton