Cyber Security: Professionals and How to Negotiate and Retain Staff

TF7 Guest Says CISO job is a double-edged sword and Security is Everyone’s Responsibility

Esther Shein

One of the most pressing issues today is the threat of cyberattacks. A major challenge in the cybersecurity field is the lack of skilled professionals and how to find them. This was the topic of Monday’s Task Force 7 Radio episode 51, with host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies.

Rettas’ guest was Matt Comyns, a managing partner at Caldwell Partners, an executive cybersecurity recruiting firm. Comyns focuses on recruiting chief information security officers and other information security leaders for large global corporations. To be a successful cybersecurity recruiter, you have to live in that world for a while, he said.

“I've found more and more of my clients, especially in a category like this, are looking for specialization. And the only way you can really get that is to live in it for a while,” Comyns said. “There's an extra hop in my step every day when I do my job knowing that it's doing some good overall for the market.”

Demand for Cyber Professionals Remains Strong

The good news is because cybersecurity is so hot, and professionals are so in demand, there is room for more cybersecurity recruiters in the marketplace, he said.

“I encourage people to get into [the field] because it's really needed,” Comyns said. He cited the Target retail data breach almost five years ago as the catalyst for the spike in demand for chief security officers (CSOs) and heads of information security.

He recalled a recent conversation with a client in the consumer space who has a team of 30 security professionals globally and has just received approval to increase that number to 200. “I can count case study after case study of situations like that, so there's clearly a need for partners on the recruiting side to work with companies to fill those gaps.”

Recruiters, of course, must know the subject matter and find out what a company’s issues and concerns are, and if they have just launched a cybersecurity program in their organization – or if they have suffered a breach. In many cases, firms are “up-leveling,” he said.

Comyns didn’t hesitate when Rettas asked if there is a cybersecurity talent crisis right now. There is, and it is putting “incredible pressure on the human capital pool,” he said. Comyns said he is seeing people transitioning into the field from elsewhere in IT or risk management or even somewhere completely different. But even with more candidates and universities offering more programs, “it can't keep pace with the current demand.”

Better Educated Firms

Rettas asked Comyns how the cybersecurity market has evolved over the few years he has been a recruiter. Comyns replied that the biggest difference he’s seen is that clients and their boards of directors are a little better educated now.

By now, many companies have had one or two chief information security officers (CISOs). “Frankly, the candidate pool is better educated, too.”

A great risk manager is the most highly sought-after cybersecurity role in companies today, Comyns said. Rettas also asked about some of the things that go wrong in these searches.

The high demand for talent puts pressure on the hiring process, Comyns said. Companies sometimes don’t know what they want or understand what it means to have a top security executive and how to budget properly for it. Other considerations are whether the candidates they want are willing to relocate. It can take as long as a year for a company to find the right information security candidate, he said.

Rettas pointed out how some companies will start an executive search process without knowing exactly what they want in a candidate and then spend time revising the job description. Comyns said this happens when they aren't as mature in their recruitment process or their information security program and often will “feel their way” through.

“I do my darnedest to educate companies who are less mature on the front end,” he said. “I say, ‘Here's the market, here's what's going on, here's what you're likely going to see. I can help you shortcut the process by bringing you the people I think you need.’”

Rettas asked how compensation for cybersecurity professionals has changed over this time, and not surprisingly, Comyns said there has been a big spike. This is because these positions were previously mispriced, he noted, because a lot of companies perceived cybersecurity as “a lower-level position in IT; it was more tactical, less strategic, and now it's been repositioned entirely to be a very senior risk manager C-level executive.”

Today, it is a requirement in a Fortune 500 company to have at least one employee with a cybersecurity background sit on an executive board, he said. He said he advises clients that if they are going to add a cybersecurity professional to their board, to make sure they get the best person they can find and not compromise.

That gets back to the talent issue again, Rettas pointed out, saying, “How many board-level qualified people do we know that are cybersecurity experts?”

Playing the Blame Game

The two also discussed whether CISOs are made the scapegoats when a cyber data breach occurs. Comyns pointed out that Sony, for example, went through “one of the worst experiences with a cyber breach a company could go through,” but instead of “throwing their CISO under the bus,” he said, all company executives took responsibility and the company invested the time and energy to fix the issue.

“That's the right way to approach it. If a company has a breach, it's everybody's issue,” Comyns said.

While a CISO needs to be a great influencer for an organization, they can only do so much, he added. “I had a recent CISO that I placed in the last two years take a very big job, and before they signed on, they said, ‘Look, I did my analysis of what's going on here. It's going to take me two or three years to get you to best practices and where you need to be ... If a major breach happens in the next two to three years, I'm not the fall guy.’”

The CISO would not accept the job until upper management agreed they had his/her back, Comyns said.

Rettas asked if the CISO position is a “dead-end job” due to the finger-pointing and scrutiny and pressure they are under. Citing the massive Equifax breach, and how the company’s CISO “became the scapegoat for the entire industry,” Comyns said the position can be a “burnout job.”

“I talk to lots of CISOs who are faced with mission impossible, wherever they are right now, and they've been a CISO who would absolutely be a candidate for me to place them again in another Fortune 500 type company. But they're coming to me, and many of them are saying ‘I've had it, I'm done. I don't want another CISO job.’”

Whereas the average length of time a CISO spent in a company used to be three to five years, now it is more like two to three years, he said.

When to Look Around

Cyber security is a moving target with new malware and ransomware being discovered and new technology and new regulations hitting, such as GDPR. Cyber security professionals should look at trends in the market and consider doing a “deep dive” in a particular area, such as privacy, Comyns said. They may decide to take a year to a year and a half to get certified in something.

“All things being equal, I want an extra bullet that I can use to differentiate myself on my resume and say, ‘Yes, I'm a cyber security expert. Yes, I've built a program before. I understand how to do this … I understand some of the new areas like privacy more deeply and better than my colleagues or peers.’”

Rettas asked how much time executives should spend searching for a new opportunity externally versus internally, and Comyns said that once you no longer feel challenged in your job, it's time to look outside the company.

“If you're in a good situation, [the position is] growing, you're growing, they're rotating you, maybe into different areas of expertise or putting more underneath you, you feel like you're being fairly well compensated, there's no reason to really leave,” he said.

Recently, Comyns got a candidate hired as vice president of Technology Risk and Compliance underneath the CISO, and that person went from making roughly $250,000 to over $400,000. “Those are the types of opportunities that are available to executives in this space. That person had been with the company six or seven years.”

He pointed out that even if the company had been good to that employee and promoted him/her and gave them raises, “there's only so much a company and an HR group can do without breaking the system.” Someone who has been at a company as a top security executive for six or seven years is likely to be making less than the going market rates, he observed. “At some point, you owe it to yourself to test the market.”

Comyns said he sympathizes with his clients who are trying to figure out the right compensation. One example that “nearly drove me to drink” was with an executive at a bank who was making a good amount of money. He negotiated to get the person a 55% increase in their compensation and thought that was going to seal the deal. Then the executive’s company counter-offered with a 100% increase.

“A lot of companies don't know what [a person is] worth until [they’re] walking out the door, literally. It shouldn't come to that. We shouldn't have to play chicken with our employers … but that's what kind of market we're in.”

Some of the biggest compensation packages Comyns has seen are coming from companies on the West Coast.

Rettas asked how executives can create more opportunities for themselves, to which Comyns replied that “The first thing is, do a good job. If you do a great job in this market and you get known to be a very valuable part of an information security program, or you ran a great program, your reputation's going to follow you. You're going to create lots of opportunities for yourself.”

Another significant way to create more opportunity is to be open to relocating, he said.

In Closing

In the show’s final segment, Rettas and Comyns discussed the fact that security professionals typically report to the CIO. Comyns said he rarely sees CISOs reporting to the CEO.

“I've only worked on a handful of situations where the CISO reported to the CEO, and it was when they were in deep trouble; they had a major breach or violation, and the company had to prove to regulators, ‘No, we mean so much business that it's going to report directly to the CEO.’”

The two also talked about the importance of staying current on new technologies. Comyns noted that CISOs are getting inundated by vendors to check out shiny new products. They need to find a way to balance vendor relationships with the “chaos … clogging up your inbox and calling you constantly, to get an audience” so they don’t get distracted, he said.

Staying in the loop and maintaining vendor relationships makes you a better executive, he added. “You've got to walk the line there and find the right balance, because that new technology may be worth implementing. [Vendors are] also talking to a lot of the market, and they're going to share a lot of information with you along the way. They're going to make you better and smarter.”

It has never been more important to practice solid recruiting and retention strategies to build an effective employee program, Comyns said. Companies need to get creative and be willing to provide training for staff -- and be flexible.

The ‘Task Force 7 Radio’ recap is a weekly feature on the Cyber Security Hub.
