Finding competent, capable, and determined information security leaders is a task that most organizations grapple with constantly. The roles of the Chief Information Security Officer, Head of Information Security, and Information Security Director have evolved over time. This type of position was once held in only technologically-savvy organizations with deep information technology missions. However, banks, credit unions, manufacturers, SaaS providers, governments, and small startups are now all seeking their security "jedi". Regulations, laws, and corporate mandates are not only suggesting that organizations fill this position; they are requiring it.
The Challenges
A Younger Track: Unlike procuring a Chief Financial Officer, or Chief Operating Officer, the position of a CISO is as new as the modernization of the information security field itself. Finding another C-level candidate such as a CFO is facilitated due to the long history of education and training that has been available for such roles. The track record for CISO training is informal at best and usually includes years of grueling work as a cybersecurity analyst, consultant, and infosec leader.
Cost: CISO’s are usually seen as a “sunk cost”—but I disagree. I have seen CISOs and security professionals show ROI in giving their respective organizations a competitive edge, achieving compliance with regulations, saving costs on unnecessary tech spends, and facilitating mergers and acquisitions.
However, the position of CISO does come with a net negative on the profitability scale. Ranging from 200K to 7 figures, a CISO is not a cheap position to fill. The experience, business acumen, and technical savvy of a true CISO is a valuable commodity and they can and should command their worth in the marketplace.
Retention: Burnout is real. If you speak with any CISO or seasoned infosec leader, you will hear a common tune being whistled: long nights, stressful situations, low reward, low success visibility, and challenges with retaining personnel. All of these are true in most cases, which is why the average CISO stays with an organization for a mere 18 to 24 months (CNBC), while the average stay of a COO is 5 years (Kornferry). The job stress that comes with guarding the front gates of organizations was increased by orders of magnitude once ransomware was released on the world. With cyber-attackers going for the throat, there is no room for error, and this creates a serious retention problem.
The Future
With all of these issues seemingly coming to an intersection, organizations are seeking solutions to these issues. Qualified CISOs are hard to find, hard to keep, and seen as a cost rather than an asset. Virtual CISOs and fractional CISOs are now taking the industry by storm. At a fraction of the cost of a full time CISO, organizations now have the option to procure CISO-level talent and experience for only the amount of time and money that they need them for.
This model leads to significant cost savings, guaranteed retention or continuity, and a pool of capable professionals that enjoy working with multiple organizations. This outsourcing model is the future of the CISO position. As long as these challenges continue to present themselves to the information security leadership community, more organizations will be adapting to this model with the hopes of solving their security leadership issues with a novel approach.
Learn more about IGI's award-winning vCISO program or contact us to learn how we can customize a solution to meet your unique business needs.
References
