Companies are under constant threat from cyberattacks and the situation is only getting worse with the rise of ransomware and whaling scams as a variant of phishing, according to recent cybersecurity reports. Yet the shortage of seasoned CISOs, inconsistent policies around compensation and a lack of proper metrics means some companies are under-investing in cybersecurity.
CIO.com recently spoke with several executive recruiters to get a handle on what companies are looking for in CISOs, as well as what obstacles they face hiring and retaining them.
If you've noticed a game of CISO musical chairs of late, it's because the market is rapidly evolving -- perhaps too rapidly for its own good. Unlike the CIO, who is often judged by KPIs, cost savings and other benchmarks, few metrics exist to evaluate CISO performance. Companies don't benchmark CISOs based on whether their companies haven't been breached (chances are, they have and don't know it). As a result, most companies haven't quite figured out how to fairly pay CISOs, whose salaries can range from $500,000 to $2 million.
Heidrick & Struggles partner Matt Aiello says some CISOs working for large enterprises who wield a great deal of responsibility are earning less than CISOs with less responsibility at smaller companies. Some of those CISOs leave because they get a better deal elsewhere.
Aiello says the best CISOs are devising strategies to embed cybersecurity defenses into the foundation of new initiatives, such as digital transformations. That means they'll have to partner with CIOs to make sure that innovation progresses, but with the proper security procedures in place. "The most progressive security officer searches that we see are not just friendly to the business, they are advancing business needs and they're helping them win in the marketplace," Aiello says.
However, he says this isn't happening just yet. "We're still locking things down and we're still in a primarily defensive posture."
Most companies still under-invest in cybersecurity
Companies may talk a good game about addressing cybersecurity threats but many continue to underinvest in it, citing a challenging global economy battered by political unrest and volatile oil prices, says Matt Comyns, global cybersecurity practice leader of Russell Reynolds Associates.
"Companies tighten budgets and look at ways to save money," Comyns says. "They want to innovate and do all of these wonderful things, but they're trying to do more with less, which is not good for investing in cybersecurity. I see companies continue to shrug their shoulders, and say 'I care more about it, we're much more aware about it than we used to be. Our boards are talking about it, our executives are talking about it, but we're going to take baby steps and inch our way to that over time.' My feedback is, 'I'm not sure that's a good idea because the threat environment has gotten worse.'"