Management, compliance & auditing

Challenges Faced By CISOs: Balancing Security versus Manpower

September 28, 2015 by Ashiq JA


Cybersecurity is not about buying the latest security monitoring and automation tools to solve the day-to-day problems. Government and banking organizations have increased funding for managing security vulnerabilities and risks. Security tools that are available in the market may identify and solve only part of the problem. The problem can be solved only if we have the right people with the right skills.

We are aware of the fact that most companies that want to secure their data are searching for talented security engineers and leaders to hire. They might also have multiple deciding factors for how many people to hire. But how does one know whether they have the right team, or the right number of people on their team, to do the security job? This is what we are going to discuss in this article. There are many studies that predict a major shortage of security skills in the coming years.

Infosec Staffing

Unfortunately, there is no magic formula for CISOs and CIOs when assessing the right size for the infosec team. According to a 2015 security pressure report, of the 84 percent of respondents who said they needed more staff to cope with their security challenges, 54 percent said they wanted to double the size of their teams. And 30 percent said they wanted to increase their teams by four times or more. According to the survey, 35 percent said they have already partnered with a managed security services provider, and 43 percent said they would do so in the future.

In most enterprises, the simplest way to handle a larger workload is to hire new staff members.

In a blog post from Swimlane, the writer highlights that automated security solutions and the huge number of security alerts are among the major reasons behind the increase in security staff requirements. As organizations implemented threat detection solutions such as security operations centers (SOCs) designed to notify their security teams of potential attacks, they saw a rapid rise in the number of alerts they were forced to review each day. So, in an attempt to keep pace with that growth, many of these companies continued to grow their teams by hiring additional information security professionals.

Now, who make up the IT security staff of an organization? The security team of an organization comprises many individuals with multiple roles and responsibilities. They can be part of a governance and compliance team, a risk management team, an incident response team, an infrastructure and device management team, a security awareness team, and others.

This rapidly growing field offers multiple career choices, such as security architect, security engineer, malware expert, cyber forensics expert, cryptography officer, security director, and others.

Security Skill Shortage

Many articles and news reports have predicted a shortage of talented infosec employees in the future. According to a recent survey, entry-level security jobs take about three months to fill. However, the talent shortage comes at the higher experience levels: those that start after about 10 years. Chief information security officers and senior security practitioners typically have approximately 25 years of work experience, with 15 years in the field of security. The survey also found that respondents have changed jobs on average more than six times over the course of their careers. In another recently published report by IDC, higher-level jobs requiring more than 10 years of experience take longer to fill; 21 percent take a year or more.

And when it comes to jobs that require 20 or more years of experience, nearly half take more than a year to fill. In a post published by Computerworld, Ira Winkler writes about the myth of the security skill shortage, highlighting that security professionals are developed over time. I personally agree with him on the majority of the points. Most security professionals enter the industry without a cybersecurity degree. Cybersecurity as a degree is still in its infancy. Though professional certifications give an individual better opportunities in landing a job, they do not necessarily validate one's expertise in the field. Many organizations and banks implement strong security programs that focus on identifying people with the appropriate aptitude and skills, then give them the formal and on-the-job training to competently fill security-related roles.

Data Breaches Are a Company's Worst Nightmare

Some say that cybersecurity faces major problems due to a small talent pool and an inflated wage bubble. But the increase in high-profile breaches, such as the Ashley Madison breach, has triggered an alarming increase in security jobs. The Ashley Madison hack has been linked to a few unconfirmed suicides, which shows the psychological impact of data exposure.

Several of the firms compromised during 2014 didn't have a functioning chief information security officer (CISO) at the time of the hack. It's no guarantee you won't become the next breach headline, but having a full-time cybersecurity specialist role reporting directly to the board has become essential for any major organization that takes security seriously.

Sony only hired its first CISO in 2011 after a devastating attack which breached sensitive personal information on over 70 million PlayStation Network accounts. JPMorgan Chase lacked a full-time CISO when hackers managed to access its systems, potentially exposing sensitive information from more than 76 million households and seven million small businesses.

Payscale for Security Professionals

Cybersecurity job postings grew 74% from 2007 to 2013, which is more than twice the growth rate of all IT jobs. Rashesh Jethi, a director in the services group at Cisco, says, "It's probably 10 to 12 times harder to find cybersecurity professionals than it is to find general IT professionals."

Recently, Tripwire published a two-article series by David Bisson after researching the highest-paying jobs in information security. They gathered the top 10 jobs based on pay grade. The highest-paying job is CISO, with pay of as much as $240,000 a year. CISOs make a median salary of $131,322, according to PayScale's 2015 estimates. Security engineers can earn as much as $128,000 a year.

Maxim Weinstein, a security advisor at Sophos, says the security industry has been growing and evolving too quickly for educational institutions and training programs to keep up. "Naturally," he says, "when organizations don't have enough security professionals, they don't have the necessary focus on security. Perhaps the organization knows that it should be auditing its logs regularly, but it doesn't have someone qualified to do the auditing. Or a new network firewall implementation gets delayed for several months until the understaffed group gets around to it."

IT security staffing depends on several factors, including the number of locations, the hardware and software used, the proficiency of users, and the hours of direct support. It's difficult to pinpoint an exact number, perhaps because the "right" number of information security staff is highly sensitive to the nature of the business and the regulatory environment.

Ashiq JA

Ashiq JA is a Cyber Security Researcher and Writer passionate about Web Application Security, Security research using Machine Learning and Big Data, Deep web, technologies and Threat Analysis. He is currently working as a Security Consultant. He believes in knowledge sharing as the best source for information security awareness. Follow Ashiq JA on Twitter @AshiqJA to get the latest updates on infosec.