The cybersecurity talent pool is becoming increasingly shallow. Not only is it difficult to attract quality cybersecurity professionals, it is just as hard to keep them. With cyber attacks and regulatory requirements on the rise, we are entering the age of outsourced cybersecurity. Forward-thinking companies are leveraging the cybersecurity capabilities of virtual CISOs (Chief Information Security Officers) to gain the upper hand against cyber criminals.
There is a shortage of experienced cybersecurity leadership. Generally speaking, companies find themselves in one of two categories: 1) Larger companies that can locate and pay an in-house CISO. 2) Small and mid-sized companies that are getting priced out of the market, can't find an in-house CISO, or don't have the budget for one. The number of available, qualified individuals coming through the cybersecurity leadership pipeline is significantly lower than the number of leadership roles that need to be filled in virtually all types of businesses. We estimate that this shortage will remain a talent gap for the next ten+ years.
Companies in the first of the two categories mentioned above (organizations that employ a full-time CISO) run into problems retaining their CISO, who will stay for a while, build their resume, and then move on to somewhere else. Small and medium-sized companies in the second category most often use a recruiter to find their CISO. On top of the costs of salary and benefits, these companies pay a 20% placement fee to the recruiter for their new CISO employee. The salt in the wound is that, after all this initial outlay, there is a high probability that the CISO will leave after a year for a better opportunity. This is a financial investment on which they will never see a return.
As you can clearly see, the CISOs are in a strong position. Probably half of today's quality CISOs are solicited to consider a new cybersecurity job opportunity every week. From their perspective, this is a gold rush and they have the advantage. Companies, for their part, may not have the budget, or they may have to pay significant hiring costs without realizing long-term value.
Welcome to the age of the virtual cybersecurity professional. We're seeing the rise of the virtual CISO because the conditions are just right. The rapidly increasing need for robust cybersecurity, combined with increasing litigation, regulation, and a shortage of cybersecurity leaders, is culminating in a perfect storm. The current recruitment model is not working, nor will it work in the foreseeable future. Previous ways of sourcing cybersecurity leadership are becoming ineffective and obsolete. As for Cyber SC, we're not going anywhere. Although in-house CISOs might move on to other organizations, we're not going to leave you after six months, a year, or two years.
The trend of establishing cybersecurity leadership is rapidly moving toward the virtual CISO, and companies must embrace this reality. What companies need to focus on are cybersecurity capabilities and acquiring them in the most economical way possible. This is the way they are going to achieve their desired cybersecurity outcomes. Tapping into the capabilities of experienced cyber leaders who can see across the spectrum of companies and industries is higher leverage than hiring someone in-house. Investing in an outsourced CISO is also, by far, the most economical way to access these high-level cybersecurity capabilities. Increased capabilities + lower cost = ongoing cybersecurity ROI.
To learn more about building and enhancing your own leadership skills, attend the CISO Leadership Summit at InfoSec World 2018 in Orlando, Florida on March 18, 2018.