Chief Information Security Officers (CISOs) are vital to the success of an organization, yet the turnover rate is alarmingly high, which puts companies in a bind: how do you not only attract this type of talent but, perhaps more importantly, how do you retain them?
The current turnover problem started with the added stress Covid-19 created as companies around the globe were forced to accommodate and secure remote workforces. This shift increased vulnerabilities and risk, for instance as workers connected over unsecured home and public Wi-Fi networks, and forced companies to balance the need for speed with security. For perspective, the swift adoption of remote and hybrid workforces compressed three-year timelines for security initiatives and digital transformation into a matter of weeks, if not days. That is an incredibly tall order, but there was simply no way to sacrifice one for the other: securing the business, ensuring operational efficiency and generating revenue all had to be addressed simultaneously. This was compounded by the surge in e-commerce, virtual meetings and other digital-only activities that some companies were not prepared for.
Given these interdependent complexities, the CISO became a key driver for securing the network and connected devices while also overseeing vital digital transformation initiatives. With increased responsibilities, the pandemic thrust these security leaders into the spotlight, where they had to manage and collaborate across the business, getting involved in everything from compliance, cybersecurity, fraud management, incident response, investigations, legal and physical security, and even real estate decisions. Strategic planning that secures the entire security ecosystem became, and remains, the top priority.
What’s Driving the Security Exodus?
The one matter that is not up for debate is that qualified CISOs are in high demand. Studies attribute the high turnover rate largely to competing offers: other employers offering higher pay and attractive perks. Poor work cultures and a lack of resources have also led to increased attrition, as work-life balance, diversity and inclusion (D&I), mental health and overall employee satisfaction are no longer nice-to-haves; they are must-haves.
It is also evident that CISO retention and succession planning require companies to build cybersecurity initiatives into every part of the company's infrastructure and operations, with the budget to match. While each industry is different, analysis finds that many data breaches have occurred at companies whose security budgets are less than 5% of total IT spend. So, is it really surprising that CISOs without the resources to do what is needed seek employment elsewhere?
How the Pandemic Completely Changed the Game
With 53% of CISOs having assumed their current positions during the Covid-19 pandemic, it is important to realize that 67% of those did so by joining a different organization. Reports also show that only 27% of CISOs stay in their role at a company for three to five years. Reduced tenures and growing cybersecurity needs make maintaining a healthy pipeline of CISOs a primary risk facing companies today.
Succession-planning analysis shows a wide gap: 64% of large global companies hire their CISOs externally. An external hire can have the knock-on effect of members of the outgoing CISO's team leaving as well, taking institutional knowledge with them. CISOs and other company leaders need to put more focus on internal talent development and on succession planning that builds leadership readiness.
Another way to address the need for talent is to widen the internal pool of potential cybersecurity leaders: identify employees who already have strong soft skills in influence, negotiation and people leadership, and develop their technical acumen. This both increases the small supply of accessible cyber talent and helps improve diversity and inclusion in an underrepresented field.
Do This to Keep Talent Onboard
From all the recent data amassed there are several takeaways companies should consider when finding and retaining CISO talent, such as:
- Fostering growth by expanding the role and diversifying the skill set of potential candidates
- Being open to candidates with different technical accreditations, broader career experience, internal training and management rotations, to increase the cyber talent pool
- Reassessing the internal reporting structure: giving the CISO increased management responsibilities and other enterprise-wide responsibilities (outside of pure information security) can be a strong retention strategy for the CISO and their team
If these measures are not built into a company's approach from the very beginning, the CISO turnover rate will remain high, and the supply of qualified and diverse candidates will remain short. Since CISO longevity has a direct impact on the integrity and effectiveness of a company's cybersecurity initiatives, it is critical for organizations to take steps to retain this talent while also proactively having a succession plan in place for any planned, or sudden, departure.