By now, everyone is well aware of the acute shortage of cyber security talent. The infamous Target breach of 2013 and the current-day widespread ransomware attacks have been a wake-up call, and major companies across all industries have embraced the need for installing a dedicated cyber security team and program.
This increased awareness has put incredible pressure on the limited existing human capital pool for this functional area. Further complicating matters, the head of cyber security role (often the Chief Information Security Officer, or CISO) has been elevated in organizations as the perceived risk of a cyber breach has become one of the top enterprise concerns. The role has evolved from what had been a lower-level tactical IT role to a more strategic enterprise risk role. Thus, the profile of a CISO has had to change to keep pace with the expanded scope of the role.
As you can imagine, the new CISO job requirements, which extend to enterprise risk management, have further narrowed the number of available executives capable of fulfilling the new mandate.
So, what is the market to do?
Company leaders are often shocked at the price and lack of availability of top cyber talent. Aggressive recruiting of already-placed top talent is also resulting in elevated turnover rates – in many cases, two years or less – which is impacting the success and continuity of existing security programs.
It’s reached a point where companies are now going with a ‘Plan B’ strategy and considering more flexible options to fill cyber leadership positions. For instance, more junior step-up candidates are now in strong demand, as are existing trusted technology and business executives who are willing to make a career pivot towards cyber. This new strategy can be a great answer IF the company invests properly to support such alternative candidates.
If you can't get it, grow it!
Harnessing Cyber Advisory Boards
One viable solution to this unusual environment is the formation of cyber advisory boards. Think of it as a more concentrated version of the information-sharing groups that have sprung up in the past several years. Building an advisory board of three top experts in the field may go a long way towards developing a “green” executive and an immature cyber program to industry best-practice levels. Specifically, advisors can:
- Mentor the upcoming CISO
- Help design a strategy and build a roadmap
- Educate the board and C-level executives
- Create a dashboard to measure progress
- Offer advice if a cyber breach should occur
- Advise on regulatory and compliance issues
Other benefits of cyber advisory boards:
- Potentially satisfy regulators who are putting increasing scrutiny on company and board efforts in this area.
- Help secure cyber insurance policies and/or lower insurance premiums.
- Give top cyber talent new challenges and exposure in the market, perhaps leading to greater job satisfaction and longer commitments in their existing roles.
- Allow boards to get more exposure to top cyber talent that they may add as permanent board members over time (try before you buy).
Caldwell Partners is rolling out such a service this month with a lot of support from industry leaders. The more companies that get behind this kind of strategy, the better. We need to spread the talent around and grow cyber executives as fast as we can, and this is a practical way to combat the ever-growing threat around the world. Time is of the essence, and the market needs creative solutions to solve the problem.
- by Matt Comyns, Managing Partner, Caldwell Partners