High CISO employment rates means shortage for security industry

The good news for qualified information security professionals at the C-suite level is that it is pretty difficult to be unemployed.

Earlier this year, the Bureau of Labor Statistics (BLS) reported that unemployment in that sector had “spiked” to 3 percent in the fourth quarter of 2012, although the rate for the entire year was all of 0.9 percent. In general, 4% is considered full employment.

[Cal Poly joins national cybersecurity education effort]

While the BLS says those numbers aren’t entirely reliable, since the sample size is too small, the comparison with a national unemployment rate of 7.3 percent is still dramatic. Infosec management is a seller’s market; those who are qualified don’t have to look too hard for work.

What is good for the individual is not good for industry, however. The downside is that it is tough for enterprises to hire qualified IT security professionals. Stroz Friedberg, an intelligence and risk management consulting firm, predicted recently that the supply of chief information security officers (CISOs) will not meet the demand in 2014.

Ed Stroz, cofounder and executive chairman of the firm said that prediction doesn’t come from a statistical survey, but from 14 years of consulting for “a diverse set of clients. The need for a CISO is often on the agenda,” he said.

The shortage extends below the C suite as well. Marc Noble, director of government Affairs for (ISC)², chairman of the Cybersecurity Credentials Collaborative (C3) and former CISO at the Federal Communications Commission (FCC), told BankInfoSecurity earlier this year that in the past his program had been hampered for almost a year, “due to the inability to find quality candidates to fill information security positions.”

In an interview, Noble said he believes the shortage is due in part to the rapid evolution of the threat landscape. “It takes time to identify and understand new technologies, the vulnerabilities they present, and how best to adapt security controls to meet evolving threats. Implementing those controls adds an additional layer of complexity,” he said.

To meet that demand requires people who are, “highly adaptable in learning and applying new skills, technologies, and procedures in order to manage a dynamic range of risks. As it stands, IT organizations simply can’t keep up. The attackers are always 10 steps ahead of us,” he said.

[SANS Technology Institute accredited for masters in security]

Besides being able to handle that dynamic range of risk, Stroz said that good CISOs have to be much more than technicians. They need to be experts in the mission and operation of a business in general, including marketing, finance and the legal environment. Most organizations, he said, “want somebody who is effective in the role but also understands the company and industry. And often they come up with description for a person that is very rare or doesn’t exist.”

That may be because, as David Shaw, CISO at Purdue University, puts it, “the CISO role is facing a bit of an identity crisis, with no clear definition for the role or where it should be placed in the organization. We constantly debate this in the field. Should it report to the CIO, the board, the CFO?

[The emerging turf battle between information and physical security pros]

“We don’t really have a standard model out there for what it takes to get the CISO job, let alone be successful,” he said, but added that those who are in the most demand, “have a demonstrated track record beyond security. It is hard to imagine that you can be an effective CISO without some level of technical understanding but you also need a level of skill that is developed in other disciplines like business, communications, leadership and law.

“There are a few areas beyond security that I think are key: relationship building, vision, and the ability to speak at all levels of the organization,” he said. “We don’t necessarily train security professionals that way.”

Stroz agreed, saying one of the most important things a good CISO has to understand is that security cannot trump convenience. “The first thing you have to know is that you can’t lock it (the enterprise) down like Ft. Knox,” he said.

Even with all that complexity, however, given the demand, one would think the shortage would resolve itself by people flocking into the field. And at one level, that creates another problem. Some are marketing themselves as qualified for the role without the requisite combination of skills and experience.

Eugene Spafford, executive director of the Purdue Center for Education and Research in Information Assurance and Security, told BankInfoSecurity that the high demand, “tends to allow those with questionable backgrounds to portray themselves as ‘expert’ in the field. Without competition or comparison, some of them are undoubtedly being employed.”

But more often, those who are qualified can be put off by what Stroz said is the tendency in some enterprises for the CISO role to become a “blame point rather than a value provider” — if sensitive data gets out, the CISO is blamed even if the cause was an employee who “jumped the security wall” and put information in an insecure place.

[Security spending continues to run a step behind the threats]

Noble said another reality is that the supply is expanding, but the demand is expanding faster. “The number of information security professionals is projected to continuously grow more than 11% annually over the next five years,” he said. “However, even with annual growth in the double digits, workforce shortages persist.”

So, what can and should be done to address that shortage? There is general agreement that security training should become more of a priority in mainstream education, and that the CISO title itself needs more exposure and promotion. “Information security is considered one of the fastest growing career fields,” Noble said, “yet we are not keeping up with the necessary training. And not enough people know about the field.”

Noble said he believes training for cyber security has to start early. “Security must become part of early education curriculum and continue throughout one’s school career,” he said.

But training is not enough, even at the graduate level, since most organizations looking for a CISO want one who can, as Shaw puts it, “hit the ground running on Day One. You don’t typically graduate from a college or university program with a lot of experience. I think this area can be addressed through programs that leverage internships where students are graduating with real world experience,” he said.

Shaw said some of that is starting to happen, in programs like those at the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue. “Programs that bridge the gap between the technical and other disciplines are great preparation for those who are looking to move into the CISO role,” he said.

[Cybersecurity should be seen as an occupation, not a profession, report says]

Noble also cited a number of initiatives that, he said, “both build capacity and professionalize the growing workforce. Some of those include efforts of eSkills UK, the European Committee for Standardization (CEN), the International Organization for Standardization (ISO), the International Telecommunications Union, Telecommunication Development Sector (ITU-D), and the NICE Framework. (ISC)² is also investing its resources in a number of ways,” he said.

But for those enterprises that can’t wait until the shortage eases, Stroz said a workable alternative is outsourcing to a consultant — something his firm does.

Generally, he said, this is a conclusion the leaders of an enterprise reach when they realize the perfect candidate for a CISO in their firm may not be out there. “They learn with a recruiting effort that the profile and qualifications of what they are seeking may not be something they can evaluate,” he said.

The obvious risk, he said, is that the discussions of how to find the right candidate,” require getting into the vulnerabilities of the company. The discussion can be rather sensitive, since it can involve some very valuable intellectual property.”

And, once again, it comes down to that “highly adaptable” person with both technical and business skills. “The goal is to create a risk-management environment that is consistent with your business goals,” Stroz said.

“Without that in place, it is not going to work out well.”