In the era of the mega-breach, CEOs have increasingly been called on to account for the cyber readiness of their organizations. Ask any CEO and they’ll surely tell you that they consider cybersecurity to be of the utmost importance to their organization—in fact, one major survey of US CEOs this year had them rank cybersecurity as the number one external concern in 2019.
However, sometimes it seems a lot of that concern is still at the platitude and lip service stage.
Here’s a good example of how that kind of lip service plays out in a large organization. It’s a classic example of what longtime security pros would label ‘security theater.’ The top levels of an organization publicly commit to building out stronger cybersecurity practices. As a sign of their good faith to regulatory auditors and shareholders, they green-light the opening of dozens of new positions to fill out the cybersecurity team.
Sounds great on paper, right? Yes, with a big caveat. What wasn’t so publicly disclosed is that though the funds are opened up for salary and benefits, very little additional money is put into the recruiting or training needed to fill these slots. The security leaders are left out in the cold in an extremely competitive market to find scarce candidates. They have to make do by tapping into their own limited network of contacts and maybe leaning on a little internal help from HR, which rarely has valuable insight into the unique, insular nature of the security world.
The result? Months and months go by and very few of those copious open positions are filled.
This is far from a hypothetical situation. We’ve seen it play out so many times, we’re almost willing to put on a tinfoil hat and posit a conspiracy theory that maybe CEOs just aren’t that serious about building security teams. They open the positions for show and then tell their CISOs that the positions need to be open a minimum of six months before they allow an outside agency to begin to work them. Unsurprisingly, almost one in three organizations today reports that it takes at least six months to fill their cybersecurity positions.
This is a particularly tough situation for new CISOs tasked with building out a team from scratch. Many of these people are sacrificial lambs being readied for slaughter in the event of a breach down the road. The leader is brought in and told they can hire a set number of people, but isn’t given the support to do so. They struggle to find candidates due to the extreme constraints of the market, and are turned down time and again by their executives for permission to use a specialized recruiter to help them out. Six months go by and no luck. A year goes by and they begin to feel really frustrated. A year and a half passes and the writing is on the wall that they may never be able to build out a world-class team.
For security leaders jumping into a new position, we recommend that the recruiting budget to use outside agencies be approved in writing before they start. When you’re brought on with the promise of building out a new team, ask the organization to put the details of that recruiting support directly into the offer letter. Make sure that the CEO and leadership are willing to put their money where their mouths are when it comes to the commitment to attracting first-rate security talent. Putting it in writing could save a lot of heartache and frustration in the long run. My very best advice: Do not go to work for a company that will not give you, in writing, the budget to use a staffing agency specializing in cybersecurity.