Solving the CISO Shortage

Category: Data Security
Author: NXTsoft
According to Salary.com, the average salary for a Chief Information Security Officer is $220K. However, CISO positions are beginning to experience high turnover rates. A recent report found that less than a third of all CISOs are in their job for more than three years.  

The demand for IT and security professionals continues to grow with the ever-increasing threats of ransomware, spyware and other malicious cyberattacks. Companies cannot afford to neglect implementing strong security plans and budgets. The problem no longer lies in a lack of recruitment for CISOs, but in a lack of retention, and it is the failure to retain a CISO that is putting many businesses at serious risk.

This presents the question, “Why does the revolving door of CISOs exist?” 

There are many factors that play a role in this dilemma. One of the largest is the growing urgency and stress of overseeing all of a company's security efforts. A report from the Ponemon Institute found that 65% of IT and security professionals consider quitting due to burnout. The report also states that there are nearly 3 million unfilled cybersecurity positions at companies across the world. This leaves companies, employees, and customers all vulnerable in numerous ways.
The short job tenure of many CISOs illuminates the tremendous pressure that they face every day. During the hiring process, companies must be deliberate about bringing in a CISO or other security professionals. A strong CISO candidate will concentrate on creating and executing a high-level security strategy and will hire and retain security professionals who help create a working culture of security and continuity.

One important quality of a strong CISO candidate (that is often overlooked) is the ability to motivate others. This ensures that the other security and IT professionals in the company are challenged in a positive manner that strengthens the organization's people-driven cybersecurity. Companies should ask interview questions that uncover a candidate's problem-solving ability and communication skills. Building a strong cybersecurity team starts with hiring a CISO who is committed to creating a strong cybersecurity environment.

CISOs must also be prepared to communicate confidently with their board of directors. Too many CISOs withhold valuable security metrics from their corporate boards because they believe board members are not essential to developing and executing the company's security strategy. According to Gartner, by 2022, only five percent of CISOs will report security metrics that are useful to their senior business executives. Board members need to be informed beyond basic software updates or system patches. CISOs should clearly communicate security assessments and the threats that put the business at financial risk.

Asking the right questions and hiring the right candidate can go a long way in determining the tenure of a CISO. Creating a culture that is dedicated to cybersecurity can help alleviate the stress put on security professionals. Communication within a company's cybersecurity team is key to providing the best strategy for breach protection. However, with so many unfilled security positions, hiring the right candidates can be tricky. And hiring a $220K executive and a team of IT pros is not the only way to create a strong cybersecurity culture.

Hiring a vCISO 

An alternative to hiring a CISO is outsourcing information security management to a virtual CISO solution. NXTsoft's vCISO Solution provides a team of security experts that can help create and implement a security plan for companies looking for a cost-efficient way to protect their business and reduce their overall risk. The vCISO team communicates with board members and the C-suite to provide unbiased security analysis and to help companies make difficult security decisions. A virtual CISO can handle all management of security components such as compliance, governance, assurance services, policies, and procedures.

The vCISO solution may be a viable option given the current landscape of the cybersecurity industry. As more CISOs walk away, more vulnerabilities will be exposed. No matter who manages security, it is vital for companies to close any gaps that arise from vacancies.

November 10, 2019