Understanding the Challenges in Hiring & Retaining Senior CyberSecurity Executives

As my smartphone rings on my desk, I pick it up and find it's another recruiter who has a fantastic opportunity for the right candidate. Now I am sure many of my fellow peers have heard this story, it's the one where the Company seems to have a revolving door, and every 12 – 18 months, they are searching for a new CISO. I have always wondered about companies with that type of turnover. Do they fail to understand the market and just can't afford to keep good security talent? Is it due to the previous incumbent not being a good fit? Finally, could it be the Company is hiring the wrong type of CISO candidates?

These questions lead me to believe the process companies use to find and recruit CISOs or senior cybersecurity professionals is suboptimal. I have previously written about challenges that impact the CISO community, and I know many of these issues influence organizations' hiring processes. With that said, I honestly believe it is not one specific issue but a multitude of factors that have developed over time as the CISO role has grown in importance to companies' executive teams. My approach in discussing this problem with companies' HR departments is to first get them to accept the fact that retaining security talent will be competitive, and this leads me to the following three points I feel have the most significant influence on businesses today.

1. Understanding the Market, Make an Investment

As we begin, it's a given today that there is a lack of cybersecurity talent. The cause of this shortage, and how large the talent gap is, are still open to debate. In a 2022 Cyber Workforce Study conducted by ISC2 and published by Fortune in October 2022, it is estimated that there is a global shortage of ~3.4 million cybersecurity workers. So, keeping that in mind, this year as companies face a challenging competitive environment plus an evolving threat landscape, they still must factor in competing for scarce, experienced security talent. In fact, this scarcity is quite evident when many of the advertised security positions stay open for months at a time while companies compete with each other to fill their critical roles.

I believe the current long wait times to fill these roles and the disjointed process of finding the right security executive are a wake-up call that the current process for recruiting the CISO role is not effective. The job itself continues to transform, which skews the required skillsets and experience. Plus, the current market for senior leadership talent is very different from what companies have faced before. In a Forbes article published in late 2020, the US Bureau of Labor Statistics predicts cybersecurity-related jobs will grow 31% through 2029. With those kinds of numbers, it's essential for companies to accept that when they recruit a security professional, especially a senior leader with years of experience and unique skillsets, they are competing for that talent, so make an investment. Just as one would invest the time and effort to put together an equitable package to hire an executive like a CFO, who is critical for the business, the CISO role is just as important and should be respected as such. Otherwise, you will find the CISO talent you worked so hard to recruit will eventually get pulled away from you by companies who are willing to invest. I believe that is my key learning point here for companies today. They need to understand they are in a very competitive market to acquire talent, so it's time for a new strategy. Don't think of short-term compensation to fill a checkbox; instead, think of long-term investment to break the revolving door cycle.

2. Why CISOs Leave ("Seller's Market")

The second point I wanted to discuss is why CISOs or senior security professionals leave companies, and surprisingly, most of the time it's not due to an incident. In fact, in a 2021 research report conducted by ESG and ISSA, they surveyed 489 senior cybersecurity professionals and noted several reasons why CISOs or senior security professionals are leaving for new opportunities.

  • "38% of respondents say CISOs change jobs when they are offered higher compensation packages from other organizations." This answer ties back to my previous point about hiring security leadership: if you don't invest in them, someone else will.
  • "71% of respondents say cybersecurity job solicitation is frequent and increasing." Senior cybersecurity executives are solicited by recruiters at least once per month. This "seller's market" is gaining momentum.
  • "36% of respondents say CISOs change jobs when their current employer does not have a corporate culture that emphasizes cybersecurity." Business culture is a significant challenge for CISOs because change is a substantial part of being a security leader. If company leadership is unwilling to support the focused change CISOs and security teams bring to the business, then CISOs find themselves in a hostile environment and decide to move on. No one wants to work in that type of stressful environment with little to no support.
  • "34% of respondents say CISOs change jobs when they are not actively involved with their leadership team." The role of CISO is that of a business executive tasked to use technology, people, and processes to manage risk. If the CISO is not included in meetings and lacks access to leadership personnel, this reduces their understanding of critical business operations and strategic initiatives. This inevitably leads to misaligned security programs and a security executive leaving for new opportunities where they will be treated as a partner, not a security administrator with a title.
  • Finally, "31% of respondents say CISOs change jobs when cybersecurity budgets are not commensurate with the organization's size or industry." The CISO and security team's job is challenging enough without having to deal with a lack of funding and personnel. CISOs and company leadership must work to balance what resources they can fund. CISOs are business leaders and understand the needs of the company come first. With that said, if this is a continuous dilemma, then it eventually leads to CISOs deciding they are not being adequately supported, and they move on. No one wants to work in a highly stressful job where they are accountable for an organization's risk and impact on operations while lacking the resources or support to be effective.

Finishing this point, I want to reiterate that cybersecurity is a vibrant job market with a high growth rate and very low unemployment. With an outlook like that, no employer has the upper hand in retaining talent. Because of this, I believe it's crucial for company leadership and their CISO to collaborate; there must be a partnership to manage the above challenges and incorporate the CISO as part of the leadership team with his/her peers. For leadership teams, it's all about trust and investing in your security executive.

3. Misaligned Hiring Processes

Finally, we come to my last point: how companies hire their security leadership staff and whether they are hiring what they really need. In the above-mentioned 2021 research report conducted by ESG and ISSA, surveyed cybersecurity professionals had much to say about basic mistakes corporate HR departments were making when hiring senior security professionals.

  • 38% of surveyed security professionals stated their organization didn't offer competitive compensation. Again, you don't have to pay the most, but you need to understand the market and be creative.
  • 29% of surveyed security professionals said their HR department didn't understand the skills needed for cybersecurity, let alone for a senior security role that must interface with the executive leadership team and strategic stakeholders.
  • Finally, 25% of the surveyed security professionals said that job postings at their organizations tended to be unrealistic. I know many of us have seen CISO or senior security roles with so many requirements that it's a red flag: the company is "spraying and praying" because they have no idea what they actually need to hire.

From experience, I don't believe organizations understand the CISO role very well, which significantly adds to the revolving door talent issue. I developed the following diagram, based on Rafeeq Rehman's work, to help business leaders visualize senior security professional skillsets and responsibilities and how they cluster around two specific leadership types.

[Diagram: "Not All CISOs are Created Equal"]

Technical CISOs are also called Operational CISOs; they are security leaders who like to build. Usually, CISOs in their first couple of roles are technical, and they are tasked to create an organization's first security program and develop its security infrastructure. I have known many peers who love being technical CISOs for startups and have very little interest in working as a Strategic CISO. With that said, typically, as security professionals mature, they tend to pick up more of the skillsets and experience listed on the "Strategic" part of this diagram. Eventually, after several technical roles, they may take their first Strategic CISO position.

Strategic CISOs were traditionally more senior-level CISOs who moved beyond "Technical" and accepted roles involved with governance, legal, audit, and business enablement. These types of positions tend to be for larger companies and those with significant regulatory requirements. That doesn't mean CISOs at this level can't be technical; many of us transition back and forth between the two and are comfortable with this type of hybrid approach. I actually enjoy being a hybrid CISO. With that in mind, understand there are also Strategic CISOs who have never been technical. These professionals tend to transition from consulting organizations and slide right into roles that are focused on governance, business enablement, or compliance. I mention this because if you hire a Strategic CISO and you want them to also provide some technical "hands-on" operations to help peers within the business, you may have a problem. You, as a hiring manager, need to understand not all CISOs are alike; in fact, we are an amazingly diverse group of professionals.

In closing, as a CISO who is active in the cybersecurity community, I would really like to see this revolving door issue better managed by companies. I firmly believe that much of what we are experiencing is the growing pains of the security field expanding and senior roles within the community becoming more business aligned. I hope that companies get better at investing in their talent and that my peers and I can look forward to working with our executive teams as business partners, not just as part of the business.

***In addition to having the privilege of serving as a Chief Information Security Officer, I am a co-author with my partners Bill Bonney and Matt Stamper on the CISO Desk Reference Guide Volumes 1 & 2, and the Executive Primer. I have also authored The Essential Guide to Cybersecurity for SMBs and Developing your Cybersecurity Career Path. All are available in print and e-book on Amazon. To see more of what books are next in our series, please visit the CISO Desk Reference website.

Duane Gran

Cybersecurity Leader | Risk Advisor | Privacy Professional

1 year

Fantastic summary of the problems and, more importantly, ideas about how we need to think differently about these roles. If I had a magic wand, I would have every CISO position description use that technical vs. strategic graphic and use a weighted color code to show the focus areas the company expects for the role.

James Pensel

Information Security Manager at SDCCU.com

1 year

Another great article, Gary. Keep 'em coming! My thoughts are that the role is titled Chief Info Sec Officer. You would hope people in this role have a strong technical background to properly lead and support their org in all matters related to cyber risk. The hybrid CISO seems to me to be what the standard should be. The CISO must be strategic as well. The other role you mention, the Strategic CISO, should be renamed Chief Risk Officer or something related to that. If you are not technical, you should steer away from roles with technical titles. Otherwise, the title Chief Info Sec Officer is not really the role you are filling. There are plenty of roles for non-technical people besides CISO. Thanks again for another well-written piece.

Gary Hayslip, very well-written article, timely, and good points. Too often, organizations think only about recruiting, not the viewpoint of the talent, nor the retention and investment needed. Disconnected CISO = no CISO, high turnover, and reduced results. Connected CISO = high-performance approach, driving engagement and cyber results.
