Cybersecurity jobs are in demand. C-level IT executives needed!
Retaining information technology officers is becoming harder than ever. Due to an acute shortage of IT talent and an unprecedented wave of cyberattacks, pay rates for C-level execs in IT have skyrocketed.
A chief information officer (CIO), chief technology officer (CTO) or chief information security officer (CISO) can command an average of $170,000, according to Payscale. As there aren’t many candidates available, rates are surging even higher.
The impact of the cybersecurity talent shortage
How bad is the talent shortage? The Infosec IT and Security Pipeline survey discovered that 92% of respondents believe it is difficult to fill open cybersecurity positions. Out of all C-level IT executive positions, the CISO is the hardest to fill. With a 500% rise in cybercrime over the last two years, cybersecurity hiring often becomes a bidding war. And those with the deepest pockets win.
In some states, regulatory factors have raised the pay rates of CISOs even higher. In New York, for instance, firms in regulated markets must fill the CISO position. Result: CISO salaries in greater New York City have soared well above $250,000.
Why everyone should have a chief information security officer
Cybersecurity has tended to suffer from a lack of executive guidance. Some companies throw money and technology at the problem and wonder why they remain vulnerable. Others implement draconian measures that make it more difficult for employees to be productive.
It is the CISO that guides the cybersecurity ship and balances the needs of security with the necessities and goals of the business. He or she determines strategy that is used to guide the procurement of security tools. The CISO constantly assesses risk and develops or adjusts plans to minimize it. A CISO sets security policy and enforces compliance.
How to attract top-level CISOs and IT executives
1. Pay top dollar
If the need is severe, competing on pay and benefits is one way to go. But be prepared as you are going up against some in financial services and other industries that actively sweeten their offers. Moving costs, house down payments and other benefits are often thrown in to make an offer more attractive.
2. Lower your qualification requirements
If 200 companies all want a CISO and demand X years of C-level experience, Y years of cybersecurity training, an MBA, a degree in cybersecurity and a series of advanced certifications, perhaps 20 people will fit the bill. That means only 20 will win (but will also demand high rates). The other 180 will continue without a CISO.
Make the bar realistic to provide some hope that HR can successfully recruit someone. Perhaps an MBA or advanced cybersecurity certifications can be earned on the job. Maybe the years of experience can be halved. Find a way to increase the prospective hiring pool.
3. Promote from within
It might take a while for a new CISO to learn the business and understand the nuances of the existing environment. But many within IT have already gained that knowledge and have a head start. Perhaps there are one or two candidates already working for you that can be promoted to CISO and can be given extra training to get their qualifications in order. It might even be wise to have them study half the day and work the rest to give them a chance to finish an MBA or earn much-needed qualifications.
4. Cope for now and plan ahead
In some cases, the only option will be to make an existing C-level exec or IT manager cope with CISO-type duties. At the same time, you train an internal person or a new hire to eventually take over the position. An internal certification program could be instituted that provides time and subsidizes training to encourage security and IT staff to complete certification programs such as:
- Certified in Risk and Information Systems Control (CRISC)
- Certified Information Systems Security Professional (CISSP)
- Certified Information Security Manager (CISM)
Each is on the list of top-paying cybersecurity certifications. Within a year or so, the organization may have developed several people with the potential to be a competent CISO.
5. Go virtual
A solution that is growing in popularity is to hire a virtual CISO (vCISO). Cybersecurity executive management firms and managed service providers (MSPs) offer such services. They grant access to highly skilled and experienced teams of security consultants. This wealth of talent is at the disposal of anyone willing to pay a fee to acquire a virtual IT security head. They are not cheap, but they are considerably less expensive than a full-time CISO — if you can find one.
In the second part of this series, we cover how to go about finding, onboarding and getting the most out of a vCISO.
- Average CIO Salary, Payscale
- The Endpoint Ecosystem 2022 National Study, mobile mentor