Recent visits and prospective customer engagements have raised a few alarm bells about the actual state of Information Security (Cybersecurity) across industry in South Africa. While conducting CSC 20 Controls reviews, the conversation invariably turns to what has been done to date, why things are taking so long, and what needs to be done to fix the identified gaps. The engagement itself is often a massively enlightening experience for all parties, with cordial handshakes and nodding of heads in varying degrees of common reference.
Where the wheels tend to come off is when the rubber meets the road. Every engagement, without exception, agrees that something has to be done and that it needs to be prioritised, usually according to a set of controls; then, some time down the line, nobody understands why there is still no management support and still not enough resources for the agreed initiatives.
Security is so much more than a control framework with a set of best practices and activities to address the gaps that need to be plugged; it is so much more than compliance or an endless tick-box exercise. An organization's Information Security (Cybersecurity) success depends directly on its CISO (Chief Information Security Officer). An effective CISO can mean the difference between a valuable business function and a state of perpetual firefighting.
Every organization today has to be prepared for cybersecurity attacks and their crippling effects, from both the inside out and the outside in. Just look at the news stories that regularly arise from the latest breach, or from the loss of operations due to a breach and service disruption, whether traced to shadow IT, poor IT hygiene, account takeover, end-user negligence, password reuse, ransomware or other malware. As a result, organizations are spending more of their operational budgets on cybersecurity, in extremely reactive ways, to fight these growing incidents. Many organizations face the same challenges in developing their cybersecurity program: establishing a full security program is expensive, and the talent to execute it is hard to find and retain.
Unfortunately, many CISOs, myself included, have a relatively short shelf life: based on recent industry research, the average CISO's organizational lifespan is anywhere from 24 to 48 months, with many, not myself included, leaving much sooner. This begs the question: why are CISOs so often on the lookout for new opportunities? Let's explore this in this week's blog; and with this in mind, enjoy our roundup of stories for this week…
Why do CISOs job hop?
Aside from earning more money, CISOs pursue other opportunities when current employers minimize cybersecurity commitments and efforts.
ESG and the Information Systems Security Association (ISSA) sought to answer this question in a recent survey of 343 cybersecurity professionals and ISSA members.
Top 4 reasons why CISOs change jobs frequently
- 38% of respondents say CISOs change jobs when they are offered higher compensation packages from other organizations. No surprise here, as CISOs are in high demand while the cybersecurity skills shortage has led to continuous salary inflation. Many CISOs are willing to jump ship when presented with an offer they can’t refuse.
- 36% of respondents say CISOs change jobs when their current employer does not have a corporate culture that emphasizes cybersecurity. Given the job market for CISOs, don’t expect cybersecurity leaders to simply go through the motions if the corporation isn’t committed to the cause.
- 34% of respondents say CISOs change jobs when they are not active participants with executive management and the board of directors. CISOs are business managers who oversee a technology discipline. The data indicates that they will quickly fly the coop when they are treated as glorified system administrators.
- 31% of respondents say CISOs change jobs when cybersecurity budgets are not commensurate with the organization’s size or industry. As hard as it is to believe in 2018, there are still plenty of organizations willing to nickel and dime the CISO and settle for “good enough” security. This isn’t a strategy for long-term CISO retention or strong cybersecurity for that matter.
Why do CISOs change jobs so frequently? | Jon Oltsik
Cybersecurity Has a Serious Talent Shortage. How to Fix It
Businesses tend to look for people with traditional technology credentials — degrees in tech fields, for example. Security is truly everyone’s issue; with every aspect of personal and professional data at risk all the time. So why limit security positions to people with BTech and four-year computer science degrees, when we desperately need varied skills across so many different industries? Businesses should open up to applicants whose non-traditional backgrounds mean they could bring new ideas to the position and the challenge of improving cybersecurity.
Cybersecurity Has a Serious Talent Shortage. | Marc van Zadelhoff
4 places to find cybersecurity talent in your own organization
Organizations are missing opportunities to cultivate inside talent who may lack experience but already know the business and have the fundamental skills to succeed in cybersecurity.
Companies are scrambling to fill cybersecurity positions. Some 41 percent of CIOs surveyed by recruiting firm Robert Half Technology say that cybersecurity skills are in the greatest demand in their organizations. The non-profit organization (ISC)2, which provides information security education and certifications, predicts a worldwide shortfall of 1.8 million cybersecurity workers by 2022, 20 percent more than was predicted in 2015.
- First, lower expectations
Organizations have become overly ambitious in the job descriptions that profile the ideal candidate. Companies must open up their demands, engage the HR department and unplug some of the stricter requirements, such as [requiring] a degree in computer science or x number of years of information security experience; they also tend to overlook people who are in the process of achieving qualifications.
- Mid- and late-career employees
Research firm Forrester sees a trend where large organizations are creating their own contingent labour pools using alumni or company retirees. Nike, for instance, has already adopted a self-sourcing model for temporary IT workers.
- Women
Women represent only 11 percent of the global information security workforce today, according to a global study by (ISC)2, and they represent a large and talented labour pool for cybersecurity positions. Women in cybersecurity today enter the profession with higher education levels than men. Half of women in the profession have a master's degree or higher, compared to 45 percent of men. Globally, 42 percent of the women have undergraduate degrees in computer and information sciences compared to 48 percent of men. Among Millennials, 52 percent of women younger than 29 have computer science undergraduate degrees. The study recommends that more professional support, sponsorships and mentorships are needed for women in security and risk management.
- IT internships
Most companies offer IT internships for soon-to-be university or college graduates, but interns with an interest in or aptitude for cybersecurity skills should be sought out early and courted. If a year down the road they’re not happy, you’re going to lose them.
4 places to find cybersecurity talent in your own organization | Stacy Collett
Why you need to focus on Cybersecurity Now!
Cyber security is the technologies and processes designed to protect networks, computers, programmes and data from attack, theft or damage. Personal information, intellectual property, big data and mergers & acquisitions information are common targets for cyber criminals.
Companies are strengthening their cyber security teams to enhance their capability to respond to the General Data Protection Regulation (GDPR). Companies are liable for any security breaches. Fines under the new regulation can be up to 4% of annual turnover if a company is found not to have sufficient active information security risk and contingency plans in place to protect the personal data with which it has been entrusted.
Cyber security a big focus for companies | Robert Walters
Or you could outsource – Talk to us!