It was disclosed just last month that the Office of Personnel Management (OPM) was hacked and we now know the personal information of over 20 million people was jeopardized.
The New York Times reported that internal auditors knew prior to the attack that the OPM’s network security system was vulnerable. They reportedly were not adhering to “responsible cybersecurity practices” and were “so vulnerable” that the auditor recommended some of their networks be shut down.
So who was responsible for the overall security of the organization?
The role of Chief Information Security Officer (CISO) has only been around, mostly by name, for about 20 years, but its popularity is growing fast. Increasingly companies are recognizing the need and the benefit of hiring CISOs, according to recruiters, industry experts, independent studies and cyber security professionals themselves.
The hunt for the CISO is on.
There is a rise in the number of companies looking to hire a CISO, according to Veronica Mollica, information security recruiter and CEO of Indigo Partners. Mollica told Security Current that enterprises are aware of today’s dangers seeking to either build robust network security programs or enhance current programs.
And with the demand for CISOs increasing, requirements and expectations for this burgeoning position are being formulated and salaries are being negotiated. According to Mollica and other recruiting firms, the average CISO salary ranges from $200,000 and $300,000 with some skyrocketing to nearly seven figures. The salaries vary between industries, experience, education and certifications.
“A lot of organizations now realize that having a CISO and a strong security team in place is critical to their business. The challenge companies are facing is finding that well-rounded CISO who can look at security from a strategic business as well as tactical perspective,” Mollica said.
David Shearer, CEO of ISC², a global not-for-profit certification body, said the security job market has become highly competitive due to an improved economy and increased demand for highly skilled, executive security professionals.
But filling this demand is no easy task as there is a lack of qualified candidates for these C-level security roles, according to Shearer.
“When the CISO role was first established there were some generalists in the field, some business minds and some technologists,” Shearer said. “The question became ‘Do they need to be business minded or good with technology?’ And the answer is both.”
The 2015 ISC² Global Information Security Workforce Study supported anecdotal research from the field that the demand is still much greater than the supply.
The biannual study that surveyed 14,000 security professionals of which 404 self-identified as executives noted that there was a growing “workforce shortfall as organizations tried to increase their security staffing levels.”
According to respondents a key reason for the shortfall within organizations was a lack of qualified personnel. And this lack of expertise in the field appears to be supported by the OPM breach. As reported by The New York Times, Michael Esser, the agency’s assistant inspector general for audit, not only found that the OPM didn’t adhere to reasonable security practices but that “the people running the agency’s information technology had no expertise.”
Someone who knows the process of working as an information security professional firsthand is Michael Woodson, who recently joined State Street, a leading investment corporation, as information systems security director.
“Technology is not always the answer, and there is a lack of qualified individuals who have vision, are committed and have knowledge of the security issues of modern times,” Woodson said.
Woodson noted that today’s security executive must be able to do more than just protect data. CISOs and their equivalents need to have a deep understanding of the business, its objectives and how to evaluate and mitigate risk relative to these aims, he added.
Since the CISO role is relatively new, some organizations don’t yet know what makes a good CISO, according to Woodson.
“Some want a technologist, some want someone in between that and a business mind and some just plain don’t know,” Woodson said.
According to ISC²‘s Shearer, one way employers can ensure they are hiring the right CISO is by looking at the candidate’s certifications in the field.
Shearer said certifications, like the security certification CISSP and others, let employers know that the person they are hiring has, first, fulfilled the requirements to become certified and, second, is receiving the continued professional education required to maintain their skills.
He said professionals with these certifications sometimes receive a higher salary and that some executive-level jobs are starting to require the CISSP as well.
But again, it appears to be a combination of business and technical acumen. The 2015 Global Workforce Study had one resounding finding: 75 percent of all respondents ranked leadership skills as a top attribute of an information security executive.
Kyle Kennedy, a cybersecurity strategist at the security staffing company CyberSN, which links security professionals with potential employers, agreed that the demand for security executives is rising and said that CISOs need to expand their skill sets. He noted that the role of CISO is increasingly being elevated, with CISOs more often having a seat at the executive table. He said it is critical for security executives to understand the strategic business needs.
Kennedy added that being able to talk with the other executives about how security and risk play within the business is a key criterion for businesses seeking to fill the CISO role.
Woodson echoed Kennedy, adding that the need to understand strategic business objectives may be a contributing factor in the lack of qualified professionals, both among those seeking an executive role and among those already in one.
“There are a lot of analysts and senior analysts who want to become CISOs but they don’t understand what information security means to the business,” Woodson said. “They understand the tools but they don’t yet have the business acumen.”
Kennedy said that, depending on the nature of the business and the goals of the hiring team, some CISOs are seen as strategists, some as managers and others as skilled technologists. He said an ideal CISO would be a combination of all three, able to improve the security posture across the organization.
So the question is becoming less one of who is responsible for security and more one of whether the CISO who holds that responsibility will have the right blend of business and technology expertise.
As the drumbeat of breaches continues daily, the answer to that question remains to be seen.