Attracting And Retaining Top Cybersecurity Talent Amid Worker Burnout And Shortages


The chief information security officer (CISO) role is a mission-critical, fast-paced and rewarding position to hold, but it's also filled with many challenges. Burnout, stress, diversity difficulties and hurdles to advancement are issues existing CISOs face on a daily basis. This situation can be attributed to the skilled worker shortage currently experienced across the globe as well as other factors plaguing industries, such as the knowledge needed to transition from on-prem to the cloud.

Whether your organization is facing these circumstances or not yet, it's imperative to find ways to address the problem now before these challenges escalate.

Top Three CISO Challenges

Results of the 2022 Global CISO Survey (download required) by Heidrick & Struggles show CISOs in the United States consider their most significant personal risks to be job-related stress (60%) and burnout (53%). Both problems arise from a trifecta of challenges: the global worker shortage, the increase in cloud migration and the rate of cyber threats facing organizations.

• According to Statista, as of March 2022, over 60% of corporate data is stored in the cloud. This percentage continues to grow as companies increasingly move their digital operations into cloud environments to improve security and enhance business agility.

• Statista also noted that 15 million data records were breached globally during the third quarter of 2022. This factor is boosting demand for cybersecurity talent across all industries.

• According to ISC2, the cybersecurity workforce is currently at an all-time high with approximately 4.7 million professionals, but there's still a global shortage of 3.4 million workers in this field. The U.S. has more than 400,000 unfilled cybersecurity jobs.

Although every industry is currently struggling to recruit the talent necessary to manage its workloads, cybersecurity has been hit particularly hard—and hackers know it.

The Lack Of CISO Candidates

Finding and recruiting qualified cybersecurity workers is both essential and difficult at present. There are simply not enough candidates with the skills to fill all of the positions that need them. This causes existing CISOs (and other individuals involved in cybersecurity management) to be stretched too thin to function effectively.

Here are some reasons why this situation is currently impacting our industry:

• Technology has changed in terms of architecture, and many companies have migrated everything to the cloud. This shift has enabled them to streamline processes, but managing cloud security is a different process from managing on-prem technology.

• Many existing CISOs are highly trained in managing cybersecurity on-premises for environments such as SQL and Exchange servers. However, they now need a different skill set to keep their companies and their data secure in the cloud.

• The perception exists that a CISO needs to be mature and have many years of experience. This often prevents companies from appointing younger recruits to the role, although two candidates may have similar or equal experience with cloud security due to a relatively recent change from on-prem to cloud infrastructures.

The impact of information technology on all industries and the widespread threats posed by bad actors make it crucial to resolve these issues.

Identifying Potential Solutions

Cloud computing isn't going away anytime soon. Gartner, Inc. predicts global spending on the public cloud will grow at 20.4% per year and exceed traditional IT spending by 2025. Gartner also predicts that 51% of application software, infrastructure software, business process services and system infrastructure markets will be allocated to cloud solutions by 2025, up from 41% in 2022. Meanwhile, 65.9% of application software spending will go to cloud products in 2025, up from 57.7% in 2022. These factors represent multiple reasons to resolve this issue in advance of future growth.

Some potential solutions include:

Reducing Entry Barriers

Many younger candidates have the right skill sets but lack formal qualifications. After graduating from college, they're expected to get a costly CISO certification. That approach is counter-productive. The industry needs to rethink how it trains CISOs and make applying their skills in a business capacity more accessible.

Increasing Diversity

Improving diversity is one solution to the skilled worker shortage. Only 14% of respondents to the Heidrick & Struggles survey were individuals other than white males—even with Hispanic/Latinx representation rising from 5% to 8% over the past year. Increased candidate diversity can open the door to a broader workforce, more motivated candidates and a reduction in compensatory inflation.

Improving Career Prospects

Companies trying to attract the cream of the CISO crop need to start developing future career paths for candidates. The Heidrick & Struggles survey found that 56% of U.S. respondents revealed an ambition to serve at the board level. However, only 14% had attained that opportunity despite a desperate need for cybersecurity experience in boardrooms. Without proven advancement tracks for CISOs, companies have less chance of keeping their best employees.

Adding Communication Skills To The Mix

Identifying and appointing the right CISO is not just about technical knowledge. One of the challenges facing companies is finding individuals with the appropriate communication skills. A CISO is responsible not only for building and managing information security programs but for communicating the process to the organization's customers in a way that reassures them. In our company, we look to train and foster people and help them grow in this respect. Before any of our technical staff interact with customers, they take part in three months of intensive training.

Outsourcing The CISO Function

Given the difficulty of finding or developing an effective CISO, organizations could also outsource the function to a company specializing in cloud security. With median CISO compensation rising to $584,000 in 2022, outsourcing could clear the way for a simpler process while saving on costs over the long term. Plus, programs like this can prevent issues such as turnover, which typically occur with full-time employees.

Having an empowered CISO in place must be a priority for all organizations that have moved their resources to the cloud or are planning to do so in the near future. Whatever method or mix of options you choose to use, it's not worth the risk to proceed without the certainty of watertight cybersecurity.


More articles by Justin Rende
