On any given day, there are a multitude of concerns pulling at the mind of a Chief Information Security Officer (CISO) — from cyber criminals to patch management and from Board presentations to data loss prevention, the problems are seemingly infinite. One of the most pressing issues that most CISOs deal with is their staffing strategy and succession planning.
Driving this stress and concern are two large trends in the cybersecurity job market. First is the shortage of skilled security professionals. Forget that we can’t fill the open positions that we’re posting, which stand at over 4 million globally and over 400,000 just in North America according to ISC2; the bigger issue for CISOs is the small number of truly skilled professionals they have on their current teams, and the fear of losing them. The goal is to avoid losing these key players, because each departure creates another open position that CISOs will struggle to fill.
The second problem facing CISOs is a self-inflicted one among our ranks. The average tenure of a CISO is between 18 and 36 months by some accounts, with many leaving even sooner than that. Whether it’s for more pay, dissatisfaction with organizational budgeting or risk appetite, or the rare sacrifice as a corporate scapegoat, there is plenty of churn at the most senior information security position. And churn at the top often creates instability and opportunity down the ranks. The opportunities presented at one company become the staffing problem at another. Brain drain is a very real concern.
Given these headwinds, CISOs have to pay constant attention to their InfoSec team and fight like crazy to keep their “A Players,” make the others better, and put a structure in place to ensure the long-term success of a team that is constantly embattled with day-to-day cybersecurity issues. Here are some suggestions for keeping your talent and helping them thrive: