That may be because, as David Shaw, CISO at Purdue University, puts it, "the CISO role is facing a bit of an identity crisis, with no clear definition for the role or where it should be placed in the organization. We constantly debate this in the field. Should it report to the CIO, the board, the CFO?
"We don't really have a standard model out there for what it takes to get the CISO job, let alone be successful," he said, but added that those who are in the most demand, "have a demonstrated track record beyond security. It is hard to imagine that you can be an effective CISO without some level of technical understanding but you also need a level of skill that is developed in other disciplines like business, communications, leadership and law.
"There are a few areas beyond security that I think are key: relationship building, vision, and the ability to speak at all levels of the organization," he said. "We don't necessarily train security professionals that way."
Stroz agreed, saying one of the most important things a good CISO has to understand is that security cannot trump convenience. "The first thing you have to know is that you can't lock it (the enterprise) down like Ft. Knox," he said.
Even with all that complexity, however, given the demand, one would think the shortage would resolve itself by people flocking into the field. And at one level, that creates another problem. Some are marketing themselves as qualified for the role without the requisite combination of skills and experience.
Eugene Spafford, executive director of the Purdue Center for Education and Research in Information Assurance and Security, told BankInfoSecurity that the high demand, "tends to allow those with questionable backgrounds to portray themselves as 'expert' in the field. Without competition or comparison, some of them are undoubtedly being employed."
But more often, those who are qualified can be put off by what Stroz said is the tendency in some enterprises for the CISO role to become a "blame point rather than a value provider": if sensitive data gets out, the CISO is blamed even if the cause was an employee who "jumped the security wall" and put information in an insecure place.
Noble said another reality is that the supply is expanding, but the demand is expanding faster. "The number of information security professionals is projected to continuously grow more than 11% annually over the next five years," he said. "However, even with annual growth in the double digits, workforce shortages persist."
So, what can and should be done to address that shortage? There is general agreement that security training should become more of a priority in mainstream education, and that the CISO title itself needs more exposure and promotion. "Information security is considered one of the fastest growing career fields," Noble said, "yet we are not keeping up with the necessary training. And not enough people know about the field."