Guest blog by Raef Meeuwisse, passionate about cyber and AI, keynote speaker, CISO consultant and author of numerous cybersecurity publications, including the highly successful title ‘Cybersecurity for Beginners’.
In this blog, I want to provide some valuable insights into the reasons that some firms struggle to obtain the cybersecurity skills they need, while others seem to have no difficulty drawing in the right expertise.
As far as cybersecurity goes, there are 3 distinct types of enterprises out there right now:
- Organizations with a robust security position.
- Organizations trying to reach a robust security position but struggling to fill their roles.
- Organizations that are still not yet focussed on their security.
It is true that the market is not awash with skilled cybersecurity professionals. In fact, although it can be easy to fill a role with a person, it is substantially harder to find the right person.
So what are the behaviours that help organizations attract the right people?
Based on reviewing the security practices at over 50 different organizations over the past ten years, these are some of the main characteristics that companies attracting the right personnel had in common. I have listed them in priority order, starting with what is most often the most important to a candidate:
1. Is your CISO reporting to the main board?
2. Do you have a competent CISO who is good to work for?
3. Is the role appealing, and will it allow me to expand my skills through continuous learning?
4. Does the role contain any unreachable or unreasonable expectations?
5. What are the hours like and how much does it pay?
Were you surprised by anything on that list, or by the order of items? I was, until I took the time to understand the implications of each one.
Is your CISO reporting to the main board?
In a market competing for resources, it makes sense that the good resources will go to the organizations that look most appealing to work for.
Security staff are not like normal people. We are not interested in your sector, turnover or profit. What we are interested in is whether your organization has the security fundamentals in place. Are you likely to still be operating in a few years' time? One of the easiest ways to check is simply to ask: ‘Is your CISO reporting to the main board?’
If not, then any security-savvy candidate will know that the reporting line is wrong and will already have excluded themselves. After all, if security still reports in at a lower level, security risks will be buried in politics and, from the perspective of a cyber professional, the chances of a megabreach or an organization-wide attack will be high. What professional wants to be on board a company for that experience?
Do you have a competent CISO who is good to work for?
In a world where technology and digital transformation are fundamental to success, acquiring a good CISO is as important to any enterprise as acquiring a good CEO.
The cybersecurity world is surprisingly small. Staff talk to staff from other companies. We generally know what the working environment and security posture are like in each major company.
I have been working with Metin Mitchell to help develop the list of ideal CISO characteristics. My own opinion is as follows:
- A skilled communicator and team builder with a strong network of contacts.
- Comfortable at board level and skilled at controlled delegation.
- Understands what needs to be achieved (has both business and technical competence).
- Up to date on the latest major cyber threats and defence techniques.
- Understands how to manage risk – and not just how to push it down the road.
- Knows how and when to leverage outsourcing for specialist security services.
The few companies that have CISOs matching the list above have no issue finding the staff they need. People want to work for them and with them – but such CISOs are currently a rare find and in high demand. Headhunting for CISOs is definitely an area Metin Mitchell can help with.
People often ask me what is the most important component in enterprise cybersecurity. Every company I know that has a suitable CISO (meeting the criteria above) reporting to the main board, also has a robust security culture.
Conversely, if you look at any organization that has suffered a major attack or megabreach, you will find that it was missing many of the qualities from the list above.
Is the role appealing, and will it allow me to expand my skills through continuous learning?
Imagine you have some specialist cybersecurity skills that are in high demand. Perhaps you are a digital forensics specialist or a penetration tester. If so, keeping your skills up to date is fundamental to your value.
If you join a team of strong people with equivalent skills who invest in continuous learning, your value will be sustained. However, if you agree to go to an environment that simply wants you to work without peers or time to sustain your skills, you will quickly be deskilled and devalued.
This is a reason that many enterprises and CISOs choose to outsource certain specialist security services.
Does the role contain any unreachable or unreasonable expectations?
The scarcity and price tag for effective cybersecurity personnel often results in the creation of role descriptions that may seek to combine skills in an unreasonable way – for example, to expect someone to function as both a penetration tester and an incident responder.
Cybersecurity is a discipline. It only functions when each specialist has the time and resources they need to accomplish their tasks.
Role descriptions that are put together optimistically and without the right understanding will once again lead many good potential candidates to exclude themselves from applying. After all, if an enterprise could not even get the role description to appear reasonable, then it is nearly certain that the role will have unreasonable and unachievable expectations.
What are the hours like and how much does it pay?
Although money is a factor, the expectation for working hours is often even more important to a candidate.
Most people expect to work a full week. Some people are also willing to be on call outside of working hours. However, if there are no limits on working into evenings and weekends then the role will not appeal to resources that are in high demand. They will have lots of options on the table.
Non-monetary items will often matter more in attracting a candidate than simply trying to increase the salary offer.
So – Is there a cybersecurity skills shortage?
The good news is that you can overcome the shortage, and it does not require you to pay the most: you just need to be the most attractive place for a cybersecurity professional to want to work.