Hiring a CISO? Find the best candidate by avoiding these mistakes.

CISOs and security professionals looking to take the next step up in their career will face fierce competition. The sheer number of applicants, the complexity that the pandemic adds to the job, and recruiters who don’t entirely understand the CISO role mean finding the right position in 2020 can be a challenge.

Adam Drabik is an experienced CISO. Having worked in cybersecurity for over 20 years, including more than 10 as a CISO, he left his position as CISO of Opel Vauxhall Finance in April 2020 before starting as CISO at CyberProof in August. During his job search, Drabik faced poor job descriptions, unrealistic expectations, and difficult experiences with recruiters. “I can talk forever about how broken the recruitment industry is,” he says. “The experience, apart from a handful of organisations, has been really bad.”

1. Inadequate review of CISO applications

While many companies are recruiting CISOs for the first time, the COVID pandemic has affected many companies’ recruiting plans. An ever-growing pool of CISOs and cybersecurity professionals means an appealing opening can receive hundreds of applications within a few days.

“You end up with only very few roles being available to you, they very rarely advertise and there is a huge amount of competition for them,” says Drabik. “It’s not just the people playing musical chairs, but also all the minus ones that want to make their move into the first CISO role. Who’s going to read 600 CVs? The vast majority would be irrelevant but that gets into the sift right and the sift no longer works because it’s overwhelmed and relevant applications can’t be found.”

When recruiters don’t specialize in cybersecurity, strong applications may not get past keyword filters, which screen out potentially good candidates in favour of those who have stuffed their applications with the terms the filters look for.
“There’s nothing intelligent there,” says Drabik, “and it comes up with all the wrong applications, and all the right people are excluded from a process because there wasn’t an exact keyword match.”

Owanate Bestman, director at Bestman Solutions, and Scott West, managing consultant at Acumin Consulting, both agree that a lot of applicants are on the market now. “If you’re getting 200 applications within the first 48 hours, application number 199 may very well be better than number four, but if you don’t know what you’re looking for it’s very difficult to sift through those CVs and really recognise the cream of the crop,” says Bestman. “That often leads to looking at the first 50 applicants, sending eight to the hiring manager often based on a keyword search, and then leaving it at that.”

Bestman adds that qualified candidates might not apply immediately to a position. “You want to speak to your network, see their security maturity and how the C-suite values security. By doing your due diligence you’re often penalised because you’re not the first one to the party.”

Weeding through hundreds of applications places stress on the HR or recruitment person leading the search, says West. “Even if you brought it down to 20 or 30 people to speak to that’s a huge workload for those people, when that would just be one of the roles that they’re managing at any one point in time.”

2. Recruiters who don’t understand the CISO role

While Drabik says a “huge amount” of good specialist cybersecurity recruiters are in the UK, companies are using them less due to tighter budgets. This leaves the recruiters who are actually used lacking a proper understanding of cybersecurity. “They are effectively hiring CISOs using people who generally interview people who work in the first line support and help desk,” he says. “The amount of junior people judging senior CVs is astounding. I had one where they did not know the difference between CIO and CISO.
That’s fundamental, and if that’s your first filter, that’s a problem.”

The list of CISO responsibilities can be large, and putting every task the role encompasses on a CV would quickly overwhelm any recruiter. Yet Drabik says recruiters told him he wasn’t suitable because specific tasks weren’t included on his CV. “Some recruiters just do not believe that CISOs or heads of security have competence in ground activities,” he says. “I wasn’t put forward for a security assurance role and the agent kept telling me ‘you don’t have experience in that do you?’ It’s been in my portfolio for 20 years.”

Bestman says that many firms have preferred recruiters that do all the company’s hiring and aren’t specialized in security. “The selection process is often based on a keyword search, and often you’re not bringing the right people to the party. You’re speeding up the processes to the point where it’s detrimental to finding the right people.”

Drabik says it’s common, especially for smaller organisations, to be confused about what a CISO or head of security role actually is. “They want to effectively hire a glorified engineer,” he says. “If you’re looking for a managerial candidate, you put a managerial job description out. Not a managerial job description enriched by coding in Python and experience in operating Azure in your security stack.”

There have been occasions where Drabik has applied for roles with comprehensive job descriptions that on paper fit a high-level managerial role, but then part of the interview process involves being asked about firewall configurations and other hands-on tasks. “It’s like asking a CIO to fix printers. I know that we have to be reasonably versatile and have a reasonable degree of technical competence, but it should be technical managerial competence, not everyday engineering competence.”

Bestman agrees that some companies post unrealistic job specifications.
That leads to recruiting people with the technical expertise but not the softer leadership skills required for a CISO. “It’s very easy to test technical capabilities,” he says. “The answers are quite binary. When it comes to some of the softer skills that takes a lot more investigation, and it’s not reflected in the spec at all. You can’t sell a CISO opportunity just by the title alone. I feel firms are heavily reliant on that. You still need to sell it in regards to the challenges and the rewards the CISO can expect in terms of progression.”

“When companies advertise CISO roles, some of those roles may only be CISO roles by title,” adds West. “You’ve always got to look at the level of the role and responsibilities. Maybe it’s not necessarily a CISO role but more of a senior security manager role. To attract the right person they feel a need to title it as a CISO role.”

3. Unicorn CISO expectations

Different CISOs are suited to different roles depending on the needs of the company. According to Forrester, there are six different types of CISO, depending on whether they specialize in compliance, transformation, dealing with breaches, etc. Unfortunately, as with the companies that want a CISO to be an engineer as much as a leader, Drabik says companies have large expectations of their security leaders. “I think companies are putting out purple unicorn job descriptions,” he says. “Even if not, they put in purple unicorn expectations. They copy or come up with a decent job description, but then what you find out later is that the expectation is that plus three other jobs to be put together in one person.”

Bestman says that in the current market organisations are “trying to get more bang for their buck” and asking for everything in one profile to the point where a lot of the requirements become unrealistic. “There seems to be a disconnect with a lot of the firms in regards to what CISOs actually do,” he says.
“I’m seeing more and more [organisations using] job specs as a wish list, and because there are more applicants on the market it’s a case of we can push our wish list a little bit further, but it doesn’t help them find the right individual.”

4. Glass floors for CISOs wanting a different career path

Some CISOs might not want to move directly to another CISO role, but Drabik warns that there is something of a glass floor for CISOs that makes it difficult to make a different move in their career. “You’re never going to be considered for lower level roles because the assumption from agents is you’re going to resign from the job in a matter of weeks or months and switch to your typical CISO role straightaway the moment one comes along,” he says.

Bestman and West both agree that it can be difficult for CISOs to take a different route, or for interim CISOs to find a permanent staff position. They must convince hiring managers of the reasons behind the move. “We’ve seen seasoned contractors wanting to go permanent and reservations from the hiring manager saying they only want to go permanent because the contract market is a little bit tough at the moment and as soon as it picks back up they’ll go,” says Bestman. “The reality is that many of them want benefits, they want the holidays paid, they want pension, they want medical and they want to be part of a family in which they can implement something and see it through to a business-as-usual capacity.”

It’s not uncommon for people who started out as security technologists to progress into management to the point where it takes them away from the technology they enjoy working with. “We have had a number of people over the years say that actually they want to take a step down and get back to doing what they really love doing, and that’s doing real security,” West says. “How you position that to any potential client is key.
They can add huge amounts of value to organisations, as a consultant to come in or to lead on transformation programmes or projects.”

5. Poor CISO succession plans

Despite knowing some of the outgoing CISOs at some organisations, Drabik was disappointed that the previous incumbents are rarely involved in choosing their successor. “This is all linked to business continuity,” he says. “You need to make sure that you understand who you need and what happens if you’re going to lose that particular person to provide a smooth handover.”

Having a clear succession plan or strategy that involves the outgoing executive can help ensure the person with the right skills, experience, and personality for the organisation steps in. “Why wouldn’t you involve the predecessor to select the successor? That [outgoing] CISO has a vested interest because it’s protecting that CISO’s legacy and all the hard work done so far. At the end of the day, I’m just as good as my legacy.”

Bestman says that while CISOs often will be able to influence who replaces them at their outgoing organisation, succession plans can be affected by where the CISO sits. If a CISO reports to a CIO it can be more difficult to influence who comes in. “In some situations the CISO’s hands are tied because often the decision doesn’t rest with them. This may be a bit of a hindrance if the CIO is looking for fresh blood and wants someone to shake up the organisation and embed new culture,” he says.

6. Not enough direct recruiting

One way to avoid some of the issues that arise from dealing with recruiters is more direct recruiting from within the cybersecurity community. Unfortunately, Drabik says not enough recruitment is happening between peer CISOs, CIOs and other C-level roles. “The easiest way to a job is through the network,” Drabik says. “Line managers just advertising directly through a post, not even the job section, but just ‘Hello network.
I have a particular requirement in my company, are any of you looking for a role or have anyone you can recommend who is?’”

He says that this can help find potential candidates that internal talent acquisition or external recruiters may not be able to locate, without flooding those people with applications, as often happens with official online postings. “Those line managers can then submit those candidates’ details to the HR department, and the line manager is the first filter, not a recruiter, to judge whether the person has the right competence.”

Drabik suggests that CISOs should expand their network to include more C-level executives that may be involved in the hiring process — such as CIOs or chief risk officers — as CISOs are only likely to post jobs for CISO positions if they are directly involved in recruiting their own replacement.

Poor recruitment practices reflect badly on the organisation

While it can be frustrating for CISOs to deal with questionable job specifications or poor interview processes, these practices can also affect the business in the long term. “You see CISOs being very vocal on a lot of media platforms, particularly LinkedIn,” says Bestman. “They will not hesitate to name and shame an organisation who have an inappropriate job spec, inappropriate expectations, or have ghosted them.”

Though growing, the UK’s pool of CISOs is still small and closely linked. An organisation known for unrealistic job specifications, poor recruitment processes, ghosting, or regularly reposting the same job after not finding the right candidate becomes known amongst the community and less attractive to seasoned CISOs. “There’s a reputational risk for the organisation. It decreases your security maturity, not to mention the expense of rehiring,” Bestman adds. “You need to do things right at the very early stages.
It’s a lot easier to do it correctly at the very start, and very expensive to make amends.”