When it comes to hiring a CISO, firms get what they pay for. And they’ll have to live with the consequences when they try to be security misers.

Almost two years ago, I wrote in “Prospective security employees see too many low-ball offers” that much of the so-called shortage of information security professionals was due to the fact that firms were not paying market rates. The firms that complain the most that they can’t fill their information security spots are the very same ones that are unreasonable when it comes to salaries.

An email I got last week woefully shows that little has changed. As you can see from the sanitized email below, a large hospital in New Jersey is looking for a CISO on a part-time basis.

As detailed in the job requirement, this is a serious position: they want the candidate to provide vision and leadership for developing and supporting information security initiatives. This includes the planning and implementation of enterprise IT systems, business operations, and facility defenses against security breaches and vulnerability issues. This CISO would also be responsible for auditing existing systems, while directing the administration of security policies, activities, and standards.

Perhaps in response to the Equifax hack, they want someone with a degree not in music, but in computer science, engineering, or business administration. They would also prefer the candidate have a master’s degree or Ph.D.

A part-time CSO for $90 per hour?

This is a high-ranking spot as a member of the senior management team. Yet for all that, the hospital is paying only $90 per hour. While that may seem to some like a hefty rate, consider that the Big 4 bill their most junior security associates at $250 per hour.

Also, this candidate is responsible for regulatory and legal issues such as HIPAA, PCI, and HITECH. A minor mistake in these areas can be quite costly. HIPAA violations have a way of haunting hospitals for years once the Office for Civil Rights of the Department of Health and Human Services starts poking around. For those issues alone, it pays to find someone competent.

As to the physical effort requirements, do you really want a CISO to do equipment installation and maintenance? And if so, even the most high-end UTM appliance doesn’t weigh more than 20 pounds. Requiring the CISO to be able to lift up to 50 pounds may also be seen as discriminatory.

Finally, it’s not just the lowball rate the hospital is offering; it’s that they are using lowball recruitment firms that don’t know how to recruit information security professionals. I received emails from three different recruiters for this spot, all IT generalists. Just as one should use a specialist physician when the need calls for it, so too should a recruiter that specializes in information security be used when hiring for such a critical position.

The underlying problem is that this hospital, and others like it, are looking for a CISO when what they are really after is a cheap information security officer. This is an information security perfect storm: a low-ball rate and a part-time role, which will result in a disastrously mishandled situation.

I have no doubt the hospital will find someone at that foolishly low rate. I also know they will be in triage mode in a year or so, when they will urgently need a real CISO to clean up the mess left in the wake of that cheap information security officer.