Selecting the right executive talent can help you prepare for future challenges
Given the rise of online activity after the pandemic, with e-commerce, deliveries, and more social encounters happening on the internet, businesses must be more vigilant than ever to head off cyber threats and opportunities for cybercrimes. With the acceleration of digitalisation across businesses and industries, cybersecurity risks emerge exponentially; while companies pursue data-driven aims, information security may be overlooked by business functions outside IT departments.
‘The CISO (chief information security officer) has many other opportunities to impact the organisation without needing facetime with executive management,’ says Marc Avery, CISO and Managing Partner at Cyber Chain Alliance.
‘CISOs need to consider and communicate the right message, with the right business focus, to the right stakeholders, at the right time.’
He recommends that ‘executive management should pay attention to these challenges and support the CISO in this quest’, while effective CISOs and security risk managers (SRMs) must leverage their influence beyond their department to tackle those challenges.
However, this is not always an easy task – especially given the strain CISOs are frequently under.
Many CISOs considering a change of role
A report from Gartner earlier this year revealed that almost half of the cybersecurity leaders surveyed would change jobs by 2025, with 25% looking to pursue completely different roles. Their level of stress is ‘unsustainable’, notes Gartner Director Analyst Deepti Gopal:
‘CISOs are on the defense, with the only possible outcomes that they don’t get hacked or they do. The psychological impact of this directly affects decision quality and the performance of cybersecurity leaders and their teams.’
With cyberattacks on the rise, CISOs’ high stress levels are certainly understandable.
Rapid digital transformation
COVID saw many businesses moving, or increasing, their activity online, which posed a heightened security risk as large numbers of staff began to work – and, in many cases, continue to do so – from home. With distributed or hybrid workforces, the use of personal networks, shared workspaces and large-scale cloud migrations cause significant changes to the security perimeters of an organisation. What used to be contained within the corporate space, now also takes place at home, while travelling and on personal devices. This only adds to the disconnect between what CISOs do and how they might be seen by other departments.
‘Of course, in the moment of breach they are everyone’s go to person, but 99% of the time they are seen as an internal adversary,’ notes former JetBlue CISO, Tim Rohrbaugh. 
‘They are not and if they operate in their role correctly, they will seek to cause as little tension as necessary to equitably protect the company from real threats.’
Furthermore, as millions of employees left their jobs in the Great Resignation – and with an existing shortage of cybersecurity skills among staff – many CISOs were left having to cover more ground with fewer resources to do so. When you consider that high turnover also presents an additional danger of data breaches, it’s little wonder that CISOs are reporting burnout in numbers.
Rise of AI
Another trend cybersecurity officers are monitoring closely is the continuing development of AI, and its potential for cyberattacks. The rise of generative AI technology like ChatGPT has grabbed headlines in recent months, with Apple even launching a dedicated ChatGPT app recently. McKinsey has highlighted hackers’ use of AI and machine learning in ‘increasingly sophisticated attacks’, warning that attackers will soon be able to expedite ‘the end-to-end attack life cycle, from reconnaissance through exploitation.’ Indeed, cybersecurity is not keeping up with the pace with which AI is developing; the shortfall in ‘cybersecurity talent, knowledge and expertise’ is a major trend that must be countered. In this rapidly changing IT landscape, identifying and retaining excellent CISOs is more important than ever – and this isn’t going to change any time soon.
Retaining cybersecurity staff
So, what can companies do to hold on to cybersecurity talent? One answer could be to invest generously in this area. Ensuring your cybersecurity staff have the necessary setup, such as zero-trust architecture or even harnessing AI to counter security risks, are potential avenues to explore for businesses looking to improve their digital safety. However, investment doesn’t just stop at infrastructure: developing your business functions, and providing cybersecurity training, is key. In a 2019 report from ESG and ISSA 93% of respondents believed that ‘cybersecurity professionals must keep up with their skills or else the organizations they work for will be at a significant disadvantage against cyber attackers’. By contrast, two-thirds claimed that ‘cybersecurity job demands’ meant they did not have time to develop their skills sufficiently. Giving cybersecurity talent clear progression paths, both in the short- and long-term, is also key to easing the strain on CISOs.
Finally, having a CISO with the leadership skills to handle the pressure that the role can bring – as well as the ability to manage their work-life balance to avoid burning out – is crucial. An excellent knowledge of stakeholder management is key here – but so too is company culture. ‘The stress of not having support of their peers, board, executive team can be extremely challenging for those that look to help and do but don’t receive the benefits that many peers do,’ notes Tim Rohrbaugh. Ideally, information security leaders should be able to operate across executive functions, liaising with the CEO and CFO as necessary to ensure that cybersecurity is not siloed, but rather approached from a more organisational mindset.
‘More focus is required on the expected outcomes of the CISO role,’ Marc Avery notes.
‘This will enable candidates to be selected based on their unique qualities, help to ensure wider senior management support and alignment with business objectives. Ultimately, this allows a common focus and will result in longer tenures as well as improved and proportionate security control to be applied.’
We are more than happy to advise companies on tech talent solutions. If you would like advice on identifying and retaining the best cybersecurity talent, please reach out.