Why CISO is the hardest tech role to fill


CIO | May 20, 2016

The article, "Why CISO is the hardest tech role to fill," quoted Russell Reynolds Associates' Matt Comyns about the risk companies take when they underinvest in cybersecurity. The article is excerpted below.

Companies are under constant threat from cyberattacks, and the situation is only getting worse with the rise of ransomware and of whaling scams, a variant of phishing aimed at senior executives, according to recent cybersecurity reports. Yet the shortage of seasoned CISOs, inconsistent policies around compensation and a lack of proper metrics mean some companies are underinvesting in cybersecurity. CIO recently spoke with several executive recruiters to get a handle on what companies are looking for in CISOs, as well as what obstacles they face in hiring and retaining them.

If you've noticed a game of CISO musical chairs of late, it's because the market is rapidly evolving -- perhaps too rapidly for its own good. Unlike the CIO, who is often judged by KPIs, cost savings and other benchmarks, few metrics exist to evaluate CISO performance. Companies can't benchmark a CISO on whether the company has avoided a breach (chances are, it has been breached and doesn't know it). As a result, most companies haven't quite figured out how to pay CISOs fairly; salaries can range from $500,000 to $2 million.


Most companies still under-invest in cybersecurity

Companies may talk a good game about addressing cybersecurity threats but many continue to underinvest in it, citing a challenging global economy battered by political unrest and volatile oil prices, says Matt Comyns, global cybersecurity practice leader of Russell Reynolds Associates.

"Companies tighten budgets and look at ways to save money," Comyns says. "They want to innovate and do all of these wonderful things, but they're trying to do more with less, which is not good for investing in cybersecurity. I see companies continue to shrug their shoulders and say, 'I care more about it, we're much more aware of it than we used to be. Our boards are talking about it, our executives are talking about it, but we're going to take baby steps and inch our way to that over time.' My feedback is, 'I'm not sure that's a good idea because the threat environment has gotten worse.'"

And there's little question of that. The share of phishing email messages that were opened hit 30 percent this year, up from 23 percent last year, according to Verizon's 2016 Data Breach Investigations Report. Moreover, the gap between time to compromise and time to discovery widened, rising from 62 percent in last year's report to 84 percent this year.

But most companies are tightening their purse strings and betting that they won't be breached. Comyns says a typical hiring search goes like this: Some executives will say they need a CISO who satisfies 10 requirements. They'll ask what the market value is, and when they hear the $1 million-plus salary range, they'll say, "Don't bring in someone too high-powered; we're playing with bows and arrows, not bazookas. I don't want to frustrate someone who won't be satisfied with our pace of change." When Comyns hears that, it gives him pause: "My concern is that in more difficult economic times, the progress is being stunted."
