Companies are under constant threat from cyberattacks and the situation is only getting worse with the rise of ransomware and whaling scams as a variant of phishing, according to recent cybersecurity reports. Yet the shortage of seasoned CISOs, inconsistent policies around compensation and a lack of proper metrics means some companies are under-investing in cybersecurity.
CIO.com recently spoke with several executive recruiters to get a handle on what companies are looking for in CISOs, as well as what obstacles they face hiring and retaining them.
If you've noticed a game of CISO musical chairs of late, it's because the market is rapidly evolving -- perhaps too rapidly for its own good. Unlike the CIO, who is often judged by KPIs, cost savings and other benchmarks, few metrics exist to evaluate CISO performance. Companies don't benchmark CISOs based on whether their companies haven't been breached (chances are, they have and don't know it). As a result, most companies haven't quite figured out how to fairly pay CISOs, whose salaries can range from $500,000 to $2 million.
[ Related: Why you need a CSO/CISO ]
Heidrick & Struggles partner Matt Aiello says some CISOs working for large enterprises who wield a great deal of responsibility are earning less than CISOs with less responsibility at smaller companies. Some of those CISOs leave because they get a better deal elsewhere.
Aiello says the best CISOs are devising strategies to embed cybersecurity defenses into the foundation of new initiatives, such as digital transformations. That means they'll have to partner with CIOs to make sure that innovation progresses, but with the proper security procedures in place. "The most progressive security officer searches that we see are not just friendly to the business, they are advancing business needs and they're helping them win in the marketplace," Aiello says.
However, he says this isn't happening just yet. "We're still locking things down and we're still in a primarily defensive posture."
Most companies still under-invest in cybersecurity
Companies may talk a good game about addressing cybersecurity threats but many continue to underinvest in it, citing a challenging global economy battered by political unrest and volatile oil prices, says Matt Comyns, global cybersecurity practice leader of Russell Reynolds Associates.
"Companies tighten budgets and look at ways to save money," Comyns says. "They want to innovate and do all of these wonderful things, but they're trying to do more with less, which is not good for investing in cybersecurity. I see companies continue to shrug their shoulders, and say 'I care more about it, we're much more aware about it than we used to be. Our boards are talking about it, our executives are talking about it but we're going to take baby steps and inch our way to that over time. My feedbacks is, 'I'm not sure that's a good idea because the threat environment has gotten worse.' “
[ Related: How to become a CISO ]
And there's little question of that. The number of phishing email messages that were opened hit 30 percent in this year, up from 23 percent last year, according to Verizon's 2016 breach report. Moreover, the gap between the time to compromise and the time to discovery rose from 62 percent in last year's report to 84 percent this year.
But most companies are tightening their purse strings and hedging their bets that they won't be breached. Comyns says a typical hiring search goes like this: Some executives will say they need CISO who satisfy 10 requirements. They'll ask what the market value is, and when they hear the $1 million-plus salary range, they'll say, "Don't bring in someone too high-powered, we're playing with bows and arrows not bazookas. I don't want to frustrate someone who won't be satisfied with our pace of change." When Comyns hears that, it gives him pause, "My concern is that in more difficult economic times, the progress is being stunted."
What you want in a CISO
Companies should hire CISOs who strike the right balance of business leader and risk assessor, says Chris Patrick, head of Egon Zehnder’s global CIO practice. You want someone who can architect a comprehensive security architecture and explain it clearly to the board when called to do so. And you want someone who can coordinate communications among the C-suite, general counsel, media relations and other necessary parties to respond to a cyber incident, Patrick says.
Egon Zhender consultant Kal Bittianda says a CISO must understand issues and know what data is important to protect but they needn’t be the most tech-savvy leader on staff – that is familiar with all of the latest detection analytics and other emerging technologies. Bittianda says it is better to hire a strong executive who has the ability to influence key strategic leaders in the business, and surround him or her with technical whizzes who know what tools to apply and how.
Choosing the right CISO is a matter of culture fit. Bittianda says there are two CISO archetypes: Those who run to the fires and those who run from the fires. Some CISOs prefer to build a cybersecurity program from scratch and then move on. Others prefer to come in after a breach because they will be more likely to enjoy an increased appetite for cybersecurity investment, as well as influence.
Patrick says that with such high demand for security leadership roles, price tags are going up and folks are moving fairly regularly. As a result, it’s also imperative for companies to help themselves by grooming cybersecurity leaders in house. “It’s an arm’s race and you’ve got to build capabilities internally as well,” Patrick says. “You can't hire your way out of this problem.”