Why You Can’t Find a Good CISO for Love or Money (But We Have a Solution…)


Introduction

Are you one of those poor firms out there trying to hire some in-house cybersecurity expertise? Whomever you’re looking for – be it a senior representative, like a CISO or CTO, or an IT administrator – we bet you’re having a hard time.

Even firms like J.S. Held, where we offer cutting-edge expertise, training, and tools, as well as competitive remuneration packages, have to look really hard to find serious cybersecurity talent.

Want to know why you are having trouble landing great cybersecurity talent? It’s dry out there, folks. When it comes to cybersecurity expertise, the proverbial talent pool is critically low on reserves.

And of course, the pressure is on. More regulatory bodies are demanding that firms organize proper cybersecurity defenses and counsel, adding to the pressure to find good talent fast.

Research Findings

Research from ISACA in volume 1 of State of Cyber Security 2017 finds that many firms out there are frustrated with the search.

Among key findings highlighted in the ISACA report:

  • More than a quarter of enterprises say it takes six months to fill cybersecurity positions.
  • Around 60% of enterprises get at least five applicants per cyber security position, but most applicants are unqualified.
  • More than half of the enterprises see practical hands-on experience as most important.
  • Enterprises consider personal endorsements and formal education to be the least important cyber security candidate qualifications.
  • Close to 70 percent of enterprises require applicants to have security certifications.

This is not good. An average six-month search to land an average of five applicants, most of whom are unqualified? Depressing.

And the future is looking bleaker still. The Center for Cyber Safety and Education projected that by 2022, there would be a shortage of 1.8 million information security workers.

A Solution to the Cybersecurity Hiring Problem

OK – so we need to provide some alternatives here.

  • Outsource your cybersecurity responsibilities. Find a reputable security consultancy. When it comes to securing systems, people, and data, many companies just don’t have the proper expertise in-house. Poor implementations cost time, resources, and money, and can still leave you vulnerable to digital attacks. Even if you need IT security consulting for a specific project only, it is worth bringing in the experts.
  • Train existing staff on cybersecurity. Even if you outsource your cybersecurity responsibilities to an expert third party, we strongly recommend that someone internally start to receive cybersecurity training. As the shortage is predicted to last for decades, you’ll be in better stead than your competitors.
  • Understand your responsibilities. Even if you do not have proper cybersecurity counsel on hand, your organization and its stakeholders can be liable for not providing adequate protections. Make sure you are familiar with federal, state, and industry-specific regulations.

Using a CISO on Demand

One possible answer is to use a CISO on Demand. This solution offers organizations CISO services on an as-needed basis. A CISO on Demand team is made up of experienced, senior IT security professionals with in-depth business knowledge to scope, assess, test, communicate, manage and implement an organization’s security policy.

Services typically include:

  • Creating or updating the IT Security policy
  • Managing IT risk against business goals
  • Meeting regulatory compliance
  • Reducing overall risk posture
  • Securing sensitive data
  • Cybersecurity training
  • Implementing services such as Splunk
  • Providing regular stakeholder-ready reports

Acknowledgments

We would like to thank Kevin Gorsline for providing insight and expertise that greatly assisted this research.

Kevin Gorsline is a Managing Director in J.S. Held's Global Investigations Practice who joined following J.S. Held's acquisition of TBG Security. For several years, Kevin served as the Chief Operating Officer and head of the Risk and Compliance practice at TBG Security, where he was responsible for providing the leadership, management, and vision necessary to ensure that the company had the proper operational controls, administrative and reporting procedures, and people systems in place to effectively grow the organization and to ensure financial strength and operating efficiency. His experience and leadership throughout his career have been focused on developing and delivering information security services and solutions, providing outstanding client service, and driving profitable revenue growth. Kevin brings established proficiency as an IT leader with extensive experience in risk and compliance services, applications development, and implementation projects both in the United States and abroad.

Kevin can be reached at [email protected] or +1 843 890 8596.

This publication is for educational and general information purposes only. It may contain errors and is provided as is. It is not intended as specific advice, legal, or otherwise. Opinions and views are not necessarily those of J.S. Held or its affiliates and it should not be presumed that J.S. Held subscribes to any particular method, interpretation, or analysis merely because it appears in this publication. We disclaim any representation and/or warranty regarding the accuracy, timeliness, quality, or applicability of any of the contents. You should not act, or fail to act, in reliance on this publication and we disclaim all liability in respect to such actions or failure to act. We assume no responsibility for information contained in this publication and disclaim all liability and damages in respect to such information. This publication is not a substitute for competent legal advice. The content herein may be updated or otherwise modified without notice.
