
Christopher Burgess
Contributing Writer

The pressure on CISOs is real: fixing the hiring process would help

Opinion
12 Jun 2024, 6 mins
CSO and CISO | Human Resources | IT Skills

For CISOs facing a myriad of challenges in an ever-expanding threat environment, making the hiring process more realistic would bring some welcome relief.


CISOs are under tremendous pressure, and according to multiple surveys many are looking for a graceful exit to relieve it. A recent report from Proofpoint noted that “66% of global CISOs are concerned about personal, financial, and legal liability in their role.”

Those who are long in the tooth realize that taking the position of “assume a breach” is a pragmatic approach — but the reality is that many cybersecurity leaders are dealing with teams that are oftentimes understaffed, underfunded, and dealing with ever more complex scenarios.

Those complex scenarios (often referred to as “sophisticated attacks”, a catchall phrase for “we really didn’t understand it”) are a given these days. Our adversaries are pushing to advance technology just as hard as the defenders are gearing up to prevent attacks.

The funding issue more often than not requires the infusion of soft skills, the art of persuasion, and the ability to place the benefits of spending up front and center when asking for resources.

Considering the challenges, it’s no surprise many CISOs are anxious

It is also worth noting that the Proofpoint report found that “72% of CISOs would think twice about joining an organization not offering director and officer insurance or similar coverage against financial liability in the event of a successful cyberattack.”

So: a stressful job that assumes an attack is certain, that might leave you personally liable (as has happened in several high-profile cases), and that does not have enough of the right personnel in place to ensure success. It’s no wonder many cybersecurity leaders are feeling less than peachy these days.

The pressure on CISOs created by unfilled personnel requirements can be, and is being, addressed, yet doing so may require some in-house adjustments between HR and cybersecurity.

The number 3.5 million is often tossed around as the global number of open positions, while a cursory search on LinkedIn shows 93,000 open cybersecurity positions currently advertised on the platform. By any measure, there is work out there for those with the skills or — as is far too often the case — the required pedigree.

Cybersecurity recruiters ask for too much from candidates  

On more than one occasion I have scratched my head wondering in what form of alternate reality the author of candidate requirements is residing when they describe a panoply of experience that would take a decade to achieve for a position a step above entry-level — and then they wonder why the position remains unfilled.

Let’s talk about pedigree. With more and more applications going through automated screening, the lack of one or another facet, such as a college education, continues to reject well-qualified candidates and sends their applications to the trash.

I recall my own experience from some years ago, when I was engaged in the final series of interviews for a position with senior executives. Mind you, the position had to do with insider risk, an area in which I had (back then) more than 30 years of diversified experience, when one of the senior executives noted that my paperwork didn’t explain where I had obtained my degrees.

I responded that if they were searching for college degrees, they would come up empty, as my highest level of education was secondary school. They ended the interview and that was that — no doubt doing us both a favor, but interesting nonetheless, that how a candidate looks on paper matters more to some than what they bring to the table.

This type of behavior adds to the false sense that there is a lack of candidates when people are available. And they are right there in front of you.

The US is moving to make security jobs more widely accessible

Harry Coker, Jr, who heads the White House’s Office of the National Cyber Director (ONCD), is doing something about this pedigree issue in the United States. He recently announced the transition, via the Office of Personnel Management, of the federal government’s “2210 series,” the job series for IT workers within the federal space, covering approximately 100,000 current employees.

He continued to note that this transition was opening the door to “skills-based” hiring. “Thanks to a lot of work across federal agencies, we’re leading by example, ensuring that more Americans will have access to cybersecurity jobs in the federal government whether they are an employee or a contractor,” Coker said.

Private sector companies are also increasingly moving to expand our national cyber workforce, Coker said. “We need cybersecurity talent in every industry.”

The ONCD, he said, is “facilitating a nationwide effort to skill-based hiring, demonstrating partnership, collaboration and a dedication to building the talent pipeline and open opportunities to good paying jobs in cybersecurity.”

Most cybersecurity leaders believe it’s a headcount gap, not a skills gap

This aligns perfectly with the findings of the “2024 SANS-GIAC Cyber Workforce Research Report” which indicates that “two-thirds of cybersecurity and HR managers believe the cybersecurity gap is a headcount gap, rather than skills-based.”

We can teach people the skills they need. What we need is more individuals interested in cybersecurity. The report goes on to note that CISOs are leaning with a “strong preference for certification-based training over traditional degree-based education by a two-to-one ratio.”

The impetus for skills-based hiring is to foster the creation of programs with an emphasis on skills, such as apprenticeships, rather than relying on two- or four-year college degree requirements. With such, perhaps one source of CISO pressure will be alleviated, and the focus can be turned to the operational implementation of state-of-the-art security solutions.

None of this can be accomplished overnight and will require time, effort, and a good dose of patience — three ingredients that are often lacking in the dynamic between cybersecurity and operations.

Grow your teams, hire for fit, teach and create experiences for the teams, protect yourself with D&O insurance or similar coverage, and look inside your own organization for new blood for your team: that Proofpoint report noted that 65% of all cybersecurity hiring is from internal candidates.



Christopher Burgess is a writer, speaker and commentator on security issues. He is a former senior security advisor to Cisco, and has also been a CEO/COO with various startups in the data and security spaces. He served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Cisco gave him a stetson and a bottle of single-barrel Jack upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit, Senior Online Safety.
