Are We Running Out of CISOs?

Not a day goes by where someone doesn’t ask me if I know a good CISO they can hire. Not as unusual is interviewing four CISO candidates and each one is snatched up before an offer can be made. Are there too few CISOs?

Who Wants to be a CISO?

With the plethora of security breaches over the past 18 months, I see less people wanting the top security job. Recently, a CISO said he had 9 former CISOs working for him. His theory is that they’d rather be deputies then have the top job. Their fear of a security breach holds them back. I often ask CISOs what would happen to their own personal brand should their employer be breached. Most acknowledge that they think the job market would be tough for them. Some have even said “I’ll be unemployable.”

I Want Breach Experience

I just completed a reference check for a former colleague who is finishing a round of interviews for a CISO job. The person conducting the reference check wanted to know what this person was like during the breach the CISO experienced. It’s important to us that they can handle themselves well under pressure. Having been through a breach is one of our job requirements.

While I don’t subscribe to the FUD on security breaches — ranging from *you’ve already been breached, you just don’t know it *to it’s just a matter of time — I do believe that security breaches are reaching a frequency point where the CISO doesn’t have to take the blame. In 12 to 18 months, I believe many companies will value the experience. They will want to understand not that you got breached, but how you handled the process.

I often recommend tabletop exercises to walk through incident response and breach plans. But there is nothing like experiencing the real thing.

Creating More CISOs

So is fear of a breach the only thing creating a shortage of CISOs? Absolutely not. Given that most CISOs report information to the C-suite and Board of Directors, hiring managers are looking for a business savvy security executive. While many are very good a securing their environments, not enough can communicate how they are doing it effectively to the board.

In very simple terms, can you explain what you did today to someone who only understands security based upon what they read in the Wall Street Journal?

Give it a try.