CISOs globally remain pessimistic about cyber-security talent, said a study by executive search firm Marlin Hawk. More than 60 percent of the cyber-security leaders surveyed said the talent shortage will get worse over the next five years, said the report titled Global Snapshot: The CISO in 2020.
The rapidly evolving demands of cyber-security roles result in situations where senior candidates end up lacking the right level of technical knowledge (34 percent), don’t have the right experience (30 percent) or simply are not the right cultural fit (10 percent), said the report.
The focus is on fresh recruits, but the formal education sector often falls short of providing the talent necessary for the sector, observe cyber-security leaders. Tom Van de Wiele, principal security consultant at F-Secure, attributes the talent shortage in cyber-security to the lack of structured, university-level education in the domain.
The research shows a slow shift away from "traditional" routes into the CISO role, such as studying computer science, said Phillip Young, client partner at Marlin Hawk.
“In the UK, we're seeing an emergence of CISOs with degrees in practices such as design and architecture; something that would come in use when administering complex network environments. The industry is keen to promote cross-sector hires, so it makes sense to encourage educational diversity too,” he told SC Media UK.
Industry leaders have recognised the fact that some of the most potent talent in cyber-security has been continuously spotted outside academia. The UK government last year sanctioned £18.5 million to boost diversity in artificial intelligence technology roles and innovation in online training for adults, as part of its efforts to spot and train young technologists and deter them from breaking the law.
“While the NCSC’s report does a great job of informing us about how it protects UK citizens and SMEs, information for larger organisations feels lacking. Most noticeable is that we still don’t seem to have a recognised professional body that accredits CISOs and other senior cyber security professionals, despite the NCSC saying that they were working on it. This makes hiring a tough task for boards, who may all have their own opinions on what a good cyber-hire looks like,” said Young.
“With the private sector - including the growing cyber-startup scene - continually innovating, the NCSC should look to collaborate with these businesses in order to ensure they are offering best-in-class training to cyber professionals, while setting a high bar for cyber security accreditation.”
Companies pitch in with bug bounties. However, a major change is yet to come, Young said.
“This is something I believe we will see change in time. Presently, more experienced CISOs come from a computer science background, and are likely to hire in their own image. However, as younger security professionals move through the ranks who don't come from such a traditional background, this will shift,” he told SC Media UK.
A major issue that the existing security workforce faces is the lack of sync between management and the CISO, with the board often setting unrealistic goals for the company's security programme, Joseph Carson, chief security scientist and advisory CISO at Thycotic, told SC Media UK earlier.
"As a result of management’s lack of understanding about cyber-security, they tend to think it is one issue or just one big challenge, rather than many. Consequently, they will hire one person whose task is to solve all of those cyber-security challenges, which means the executive team consistently underestimates the complexities of cyber-security. The result is that they also consistently set unrealistic goals, without adequate budget."
This attitude is often visible in the hiring pattern too, said Young.
“Due to the dynamic nature of cyber-security threats and needs, boards often appoint CISOs for the here and now; focusing on somebody who can get the job done in the current climate, rather than looking for somebody with a more strategic, long-term vision. Whenever this cyber-body appears, it must educate boards on the benefits of a strategic CISO, rather than somebody whose job is solely reactive,” he suggested.
In this situation, where CISOs are often brought in to deal with present threats rather than as a strategic hire that is expected to help build the business for the future, senior security hires are often misunderstood, Young noted.
“Their role is intrinsically linked to data protection, and given the sheer number of breaches we're seeing globally, it's easy to understand why business leaders are unable to look beyond this. However, with the amount of CISOs who believe innovation will be stifled due to security concerns, it won't be long until business leaders sit up and take notice, and recognise the strategic long term impact CISOs can have on their business' bottom line.”
This has resulted in higher employee turnover at the CISO level, noted the report. The global average tenure for a CISO is four years. Although a third of CISOs surveyed wanted the position because it’s at the forefront of one of the biggest business growth areas, 85 percent said they would love to find a new role.
“A recent report from the (ISC)2 claims a 145 percent increase in global workforce is needed to alleviate cybersecurity hiring concerns, as the threat landscape grows exponentially,” commented Corin Imai, senior security advisor at DomainTools.
“The security industry needs to continue to think creatively about drawing talent into cyber-security, and governments need to recognise the importance of properly funding training schemes for cyber-security. As data surpassed oil in 2019 as the most valuable commodity on earth, keeping this data safe and out of the hands of criminals should be a top priority.”