Scrambling for Cybersecurity Leaders is Big Business for Recruiters


Executive Search Review | March 2, 2016

Executive Search Review spoke with Russell Reynolds Associates' Matt Comyns for their article, "Scrambling for Cybersecurity Leaders is Big Business for Recruiters," about the high demand for cybersecutiry leaders and the challenges companies face in securing the right executive for the role. In this issue, Matt Comyns was also recognized as the Top Cyber Recruiting Specialist. The article is excerpted below. 

In the mid-1990s, when Joyce Brocaglia took on her first assignment to help build an information security operation for Citibank, it was a very different world. No one knew how much the Internet would grow and ultimately transform society. Technology was more primitive. Data was less accessible. And the massive connectivity we now taken for granted was a distant dream. Yet that initial call from the banking giant, sparked by the audacious theft of $10.7 million by a Russian hacker and his accomplices in 1994, would be one of the seeds that ultimately grew into cybersecurity’s rise as one of today’s hottest sectors in executive search.

In the early 2000s, a major change in the types of attacks began to emerge. Nation state attacks were coming with more sophistication and frequency. “The market’s been coping with this level of sophistication for the last 15 years,” says Matt Comyns, who heads the global cybersecurity recruiting practice for Russell Reynolds Associates. “However, if you talk to veterans of this field they will also tell you that the last three to five years in particular have seen tremendous scale of attacks – their volume and complexity has increased dramatically.” Therefore, he says, “the awareness at companies around the world has increased significantly, highlighted by the consequences of the attacks on Target and Sony, in particular.”


High demand and limited talent supply lines are leading to bidding wars throughout the security sector, says Mr. Comyns, as cybersecurity transforms from an independent, functional focus to a fullfledged integrated business sector. With the shift, talent demands have come to exceed the available supply by a widening margin.


Finding good cybersecurity talent can be a challenge. Too few people specialize in this area, and the market has moved rapidly in just a short period. There’s simply more demand than the market has been prepared to handle, for senior roles as well as junior positions. “To further exacerbate the pressures on the human capital pool, companies are requiring these people to do a lot more than they did previously,” says Russell Reynolds’ Matt Comyns. “Their roles have expanded tremendously. So not only do we not have enough people doing it, but now we’re asking incoming leaders to do more. So to get people who can handle the new role and responsibilities and do that at scale to keep up with demand is very challenging.”

Pay is Inconsequential

Given the new and evolving nature of top cybersecurity roles, recruiters oftentimes tap candidates from related and tangential fields to fill these positions. Many have IT backgrounds, including management experience in security. Some come out of internal audit positions. Others have government and military histories in places like the Department of Defense, the U.S. Cyber Command, the NSA, or organizations like the FBI.

With demand for cybersecurity talent high, supply low, and companies urgently seeking to fill a myriad of positions, compensation is skyrocketing. “I watched one person go from making $200,000 a year to $650,000 in three years,” says Mr. Comyns.

Information security leaders at major companies typically earn upwards of $500,000 to $600,000 a year, including base salary, bonus, and long-term incentives, Mr. Comyns says. And while many companies are still struggling with the reality that an annual range of $250,000 to $400,000 for a top-fight cyber executive might be, in fact, no longer enough, Mr. Comyns says that 10 percent of the market will pay a good deal more than $600,000 a year to lure the right executive. Perhaps they’ve come to realize that some top banks and Fortune 50 companies have already settled on a new reality: you have to pay up for the best. Mr. Coymns says stand-out cyber security leaders can make $1.5 to $2 million a year.

Mr. Comyns recently recruited chief information security officers for a Fortune 100 company, one of the largest global retailers, a leading global automotive supplier, and one of the largest online / offline brokerages as well as a chief technology officer for a global multi-channel media company.


Continued Gap in Cyber Talent Expected

In other words, companies must be prepared to pay for more than just a top cybersecurity leader. Teams of people are often needed to handle the expanding tasks at hand. The price tag may be high, but it’s impossible to get around the necessity. “This is a total re-think for companies around the cost of doing business securely,” says Mr. Comyns. “It’s an ocean change. It’s a new way of doing business. I don’t know how else to say it. Unfortunately, it’s a significant cost added to your business. It’s the cost of doing business in today’s world. And the sooner companies embrace that the better off they’re going to be.”


Recruiters in this sector, almost across the board, speak of the satisfaction of helping companies find talent and solve their cybersecurity challenges. Most consultants in cybersecurity seem to feel they are truly making a difference. “I’ve combed the world to try to understand how people are approaching this, how people are thinking about it, and it is a full-time job to stay on top of it and then help companies think through it,” says Mr. Comyns. “I’ve done other types of recruiting, where I’ve walked in the door and they’re always happy to see you and partner with you. But in this functional area it’s a whole different ballgame. Many of my clients lean forward across the table to hear what I have to say.”

For recruiters focused on this sector, the business of finding cybersecurity leaders and teams of cyber professional talent to back them up has been exceptionally strong in the U.S. Increasingly, companies around the world are following suit. No one believes demand will ebb anytime soon.

“Starting last year we began to see the market pick up in Europe and now we’re seeing the market pick up in Asia,” says Mr. Comyns. “I’m probably going to be spending some time in Latin America and places like the Middle East. This is a global phenomenon.” He says the U.S. is clearly more advanced in its investment against the challenge but it still has a long way to go. “We’re years away from a mature market here in the U.S. And the rest of the world is many years behind us.” Demand for human capital in the space will continue unabated, he says, for at least five to 10 years, but probably much longer than that.

To read the full article, click here.

Sign up for our newsletter

Get the newsletter that prepares you for what's next with valuable insights across industries and geographies.
Scrambling for Cybersecurity Leaders is Big Business for Recruiters