The role of Chief Information Security Officer (CISO) is undeniably one of the most stressful in the corporate world. Faced with an ever-expanding threat landscape, CISOs are tasked with protecting their organizations from increasingly sophisticated cyberattacks. Yet, many CISOs are working with teams that are understaffed, underfunded, and overwhelmed by the complexity of the threats they face. According to a recent Proofpoint report, 66% of global CISOs are concerned about personal, financial, and legal liability in their roles. This pressure has led many to consider leaving their positions in search of relief. One way to alleviate some of this pressure is by addressing the hiring process, making it more realistic and accessible.

The Reality of CISO Pressure

CISOs are acutely aware that it’s not a matter of if but when a cyberattack will occur. This pragmatic approach, often referred to as “assuming a breach,” is necessary given the current threat environment. However, dealing with constant attacks is made more challenging when teams are understaffed and lack the necessary resources. Proofpoint’s report also highlighted that 72% of CISOs would hesitate to join an organization that does not offer director and officer (D&O) insurance or similar coverage against financial liability in the event of a successful cyberattack.

These findings underscore the intense pressure on CISOs, who must navigate the complexities of cybersecurity with inadequate support. The job’s inherent stress, combined with personal liability risks and insufficient staffing, creates a perfect storm that leaves many cybersecurity leaders feeling overwhelmed and anxious.

The Cybersecurity Hiring Gap

One of the primary issues contributing to this pressure is the cybersecurity hiring gap. The oft-cited figure of 3.5 million unfilled cybersecurity positions globally paints a grim picture. A quick search on LinkedIn reveals approximately 93,000 open cybersecurity positions currently advertised on the platform. These numbers suggest a significant shortfall in qualified candidates, but the reality is more nuanced.

Cybersecurity recruiters frequently ask for an unrealistic combination of skills and experience for positions that are only a step above entry-level. This practice creates a false sense of a candidate shortage when, in fact, there are qualified individuals available. The problem is exacerbated by automated screening processes that reject candidates lacking specific credentials, such as a college degree, even when they possess the necessary skills and experience.

The Pedigree Problem

The emphasis on pedigree, particularly formal education credentials, is a significant barrier in the hiring process. Many qualified candidates are overlooked because they do not meet arbitrary educational requirements. This reliance on traditional qualifications rather than practical experience and skills creates a bottleneck in the hiring pipeline.

For example, consider the experience of a cybersecurity professional with over 30 years of experience in insider risk. Despite their extensive background, they were dismissed from consideration for a senior position because they lacked a college degree. This type of hiring practice contributes to the perception of a talent shortage when, in reality, it is a failure to recognize and value diverse paths to expertise.

Addressing the Pedigree Issue

Recognizing this problem, the White House’s Office of the National Cyber Director (ONCD) is taking steps to make cybersecurity jobs more accessible. Harry Coker, Jr., the ONCD, announced a transition to “skills-based” hiring within the federal government. This initiative, involving the Office of Personnel Management’s “2210 series” for IT workers, aims to open cybersecurity jobs to more Americans based on skills rather than formal education credentials.

Private sector companies are also beginning to embrace skills-based hiring. The shift towards emphasizing practical skills and certifications over traditional degrees aligns with findings from the “2024 SANS-GIAC Cyber Workforce Research Report,” which indicates that two-thirds of cybersecurity and HR managers view the hiring gap as a headcount issue rather than a skills gap. This shift could alleviate some of the pressure on CISOs by expanding the pool of qualified candidates.

The Benefits of Certification-Based Training

CISOs are increasingly favoring certification-based training over traditional degree-based education. Certifications provide a more targeted and practical approach to developing cybersecurity skills, making them a preferred option for many cybersecurity leaders. This preference is reflected in the growing number of certification programs and the emphasis on continuous professional development within the cybersecurity community.

Certification-based training offers several advantages:

1. Practical Skills: Certifications focus on practical, hands-on skills that are directly applicable to real-world cybersecurity challenges.
2. Up-to-Date Knowledge: Certification programs are often updated more frequently than traditional degree programs, ensuring that professionals are equipped with the latest knowledge and techniques.
3. Accessibility: Certification programs are generally more accessible and affordable than traditional degree programs, making them an attractive option for individuals looking to enter or advance in the cybersecurity field.

The Role of Apprenticeships and On-the-Job Training

In addition to certifications, apprenticeships and on-the-job training programs are essential for developing cybersecurity talent. These programs provide practical experience and mentorship, allowing individuals to learn while working. By creating pathways that emphasize skills and practical experience, organizations can address the hiring gap more effectively.

The emphasis on apprenticeships and on-the-job training aligns with the broader push towards skills-based hiring. These programs can help bridge the gap between education and employment, providing individuals with the experience and skills needed to succeed in cybersecurity roles.

Reducing CISO Pressure Through Realistic Hiring Practices

To reduce the pressure on CISOs, it is essential to address the root causes of the hiring gap. By adopting more realistic hiring practices that value skills and practical experience over formal education credentials, organizations can expand their talent pool and build stronger, more effective cybersecurity teams.

Several strategies can help achieve this goal:

1. Revise Job Descriptions: Job descriptions should focus on essential skills and practical experience rather than an exhaustive list of qualifications. This approach will attract a broader range of candidates.
2. Implement Skills-Based Hiring: Emphasize skills and certifications over traditional degrees. Use practical assessments to evaluate candidates’ abilities.
3. Promote Apprenticeships and Internships: Develop apprenticeship and internship programs to provide hands-on experience and mentorship to aspiring cybersecurity professionals.
4. Enhance Internal Training: Invest in continuous professional development for existing employees. Provide opportunities for upskilling and reskilling to keep pace with the evolving threat landscape.
5. Foster a Culture of Inclusion: Create an inclusive hiring process that values diverse paths to expertise. Recognize the potential of candidates with non-traditional backgrounds and provide opportunities for growth.

Conclusion

The pressure on CISOs is real, driven by the complexities of the threat environment and the challenges of building and maintaining effective cybersecurity teams. By addressing the hiring process and adopting more realistic and inclusive practices, organizations can alleviate some of this pressure and ensure they have the talent needed to defend against sophisticated cyberattacks.

The shift towards skills-based hiring, certification-based training, and practical experience is a positive step in the right direction. By valuing practical skills and diverse paths to expertise, organizations can build resilient cybersecurity teams capable of navigating the ever-evolving threat landscape.

CISOs play a critical role in safeguarding organizations, and it is essential to support them by providing the resources and talent they need. By fixing the hiring process, we can help CISOs focus on their core mission of protecting their organizations from cyber threats, ultimately contributing to a more secure digital world.