Is there an oversupply of chief information security officers (CISOs) in the cybersecurity job market? According to an Indeed report, the answer is yes — but the study’s statistics don’t tell the whole story.

The economists behind the study found that employee interest in the CISO job market in the U.S. is more than double the actual demand for the position. Moreover, there is a vast pool of highly qualified but chronically underemployed security leaders in the U.S. Applicant interest in the position is driven mainly by the high salaries and prestige the position offers, Indeed said.

But economics is an imprecise science because it relies on “human behavior,” as the researchers stated in their disclosed methodology. And all the evidence I’ve seen in my experience and in countless industry articles indicate that CISOs are in very high demand, and there are few qualified candidates available. Perhaps more importantly, the job descriptions in the majority of CISO postings do not accurately reflect what the role entails.

The Ultra-Competitive CISO Job Market

The demand for CISOs has never been greater, and the main factor that drives up salaries is the law of supply and demand. A greater demand will push salaries upward and hurl employers into competition, scrambling to lure the best candidates.

It has become a seller’s market, which also drives skyrocketing salaries across the country. IT and cybersecurity recruiting firm SilverBull recently published salary figures in major metropolitan areas. The top six candidate locations by average salary are:

  1. San Francisco ($249,000)
  2. New York ($240,000)
  3. San Jose ($240,000)
  4. Washington, D.C. ($225,000)
  5. Los Angeles ($223,000)
  6. Chicago ($214,000)

When CISO positions are elevated into the C-suite, it will undoubtedly move the salary ranges well past the $500,000 mark. Still, executive recruiting firms and chief information officers (CIOs) who play key roles in recruiting security leaders are having difficulties finding them, despite these justifiable high salaries.

A Highly Targeted Hiring Process

It is a long road to become a qualified, well-rounded CISO. It requires years of experience developing expertise not only in the technology that surrounds the discipline, but also in governance, compliance and risk. It is equally important to acquire the business savvy and executive presence to lead. Impeccable communication skills are also critical to drive execution within the business.

Employers hiring C-level positions usually seek proven candidates through referrals within the executive ranks, often conducting retained searches to find the right combination of knowledge, experience and cultural fit. The majority of the top CISO vacancies are conducted in this manner, with employers directly targeting candidates they want. For this reason, many job seekers see only a fraction of positions advertised on the job boards.

Clarifying the CISO Job Description

When I studied most of the vacancies that were posted on job boards, I noticed that companies were not bound to accurately describe the duties of a CISO. The job descriptions often misrepresented the true meaning of a C-suite position. Some required hands-on engineering responsibilities with a blend of many other skills that are not characteristic of executive leadership positions. Some emphasized program or policy management, governance, compliance or risk, while others specified operations, architecture or engineering without mentioning true leadership abilities that affect change.

Furthermore, a number of organizations are hiring their first CISOs. For a seasoned security executive, this is a red flag to approach with extreme caution or completely avoid. Businesses hiring security leaders for the first time may not comprehend the responsibilities and expectations the job entails. Many times, when a new executive begins instituting controls, complaints emerge and escalate upward. This dynamic carries an unacceptably high risk that the executive’s tenure will be short-lived.

A Resume for Success in the CISO Job Market

A seasoned CISO’s resume must tell a compelling story of achievements backed by concrete metrics that propelled previous employers to new heights. It must exhibit C-suite characteristics, such as vision, strategic thinking, execution, technological skills, team and relationship building, communication, presentation, integrity and change management, that demonstrate leadership abilities.

During the interview process, a CISO must be prepared to answer probing questions, such as:

  • How would you execute your vision of security?
  • How would you influence others and gain executive buy-in for security initiatives?
  • How would you sell security to leadership and the board?
  • How would you identify, prioritize and mitigate risks?
  • How would you ensure that the organization maintains compliance with privacy regulations?
  • What are your thoughts on security convergence, IT reporting structure and organizational culture?
  • What are your greatest achievements, and how did you execute them?
  • What does the CISO role mean to you?
  • How would you describe your leadership style?
  • How would you relate to the CEO and the board of directors?
  • What is your breach prevention and mitigation strategy?
  • What are your thoughts on offensive security?
  • What methods do you use to keep up with the latest security trends and issues?
  • How would you act as the security spokesperson internally and externally?
  • What value will you bring to the organization?

When it’s all said and done, employers sum up candidates based on the overall value they can deliver. The last question is the kicker, analogous to an age-old HR question: Why should the organization hire you? It’s critical to present key traits that separate you from the rest of the pack.

More from CISO

Emotional Blowback: Dealing With Post-Incident Stress

Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there's the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing. Amidst these growing concerns, cybersecurity professionals continue to report…

Moving at the Speed of Business — Challenging Our Assumptions About Cybersecurity

The traditional narrative for cybersecurity has been about limited visibility and operational constraints — not business opportunities. These conversations are grounded in various assumptions, such as limited budgets, scarce resources, skills being at a premium, the attack surface growing, and increased complexity. For years, conventional thinking has been that cybersecurity costs a lot, takes a long time, and is more of a cost center than an enabler of growth. In our upcoming paper, Prosper in the Cyber Economy, published by…

Reporting Healthcare Cyber Incidents Under New CIRCIA Rules

Numerous high-profile cybersecurity events in recent years, such as the Colonial Pipeline and SolarWinds attacks, spurred the US government to implement new legislation. In response to the growing threat, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) in March 2022.While the law has passed, many healthcare organizations remain uncertain about how it will directly affect them. If your organization has questions about what steps to take and what the law means for your processes,…

Charles Henderson’s Cybersecurity Awareness Month Content Roundup

In some parts of the world during October, we have Halloween, which conjures the specter of imagined monsters lurking in the dark. Simultaneously, October is Cybersecurity Awareness Month, which evokes the specter of threats lurking behind our screens. Bombarded with horror stories about data breaches, ransomware, and malware, everyone’s suddenly in the latest cybersecurity trends and data, and the intricacies of their organization’s incident response plan. What does all this fear and uncertainty stem from? It’s the unknowns. Who might…