May 9, 2017 By George Moraetes 3 min read

Is there an oversupply of chief information security officers (CISOs) in the cybersecurity job market? According to an Indeed report, the answer is yes — but the study’s statistics don’t tell the whole story.

The economists behind the study found that employee interest in the CISO job market in the U.S. is more than double the actual demand for the position. Moreover, there is a vast pool of highly qualified but chronically underemployed security leaders in the U.S. Applicant interest in the position is driven mainly by the high salaries and prestige the position offers, Indeed said.

But economics is an imprecise science because it relies on “human behavior,” as the researchers stated in their disclosed methodology. And all the evidence I’ve seen in my experience and in countless industry articles indicates that CISOs are in very high demand and that few qualified candidates are available. Perhaps more importantly, the job descriptions in the majority of CISO postings do not accurately reflect what the role entails.

The Ultra-Competitive CISO Job Market

The demand for CISOs has never been greater, and the main factor that drives up salaries is the law of supply and demand. A greater demand will push salaries upward and hurl employers into competition, scrambling to lure the best candidates.

It has become a seller’s market, which also drives skyrocketing salaries across the country. IT and cybersecurity recruiting firm SilverBull recently published salary figures in major metropolitan areas. The top six candidate locations by average salary are:

  1. San Francisco ($249,000)
  2. New York ($240,000)
  3. San Jose ($240,000)
  4. Washington, D.C. ($225,000)
  5. Los Angeles ($223,000)
  6. Chicago ($214,000)

When CISO positions are elevated into the C-suite, it will undoubtedly move the salary ranges well past the $500,000 mark. Still, executive recruiting firms and chief information officers (CIOs) who play key roles in recruiting security leaders are having difficulties finding them, despite these justifiable high salaries.

A Highly Targeted Hiring Process

It is a long road to become a qualified, well-rounded CISO. It requires years of experience developing expertise not only in the technology that surrounds the discipline, but also in governance, compliance and risk. It is equally important to acquire the business savvy and executive presence to lead. Impeccable communication skills are also critical to drive execution within the business.

Employers hiring C-level positions usually seek proven candidates through referrals within the executive ranks, often conducting retained searches to find the right combination of knowledge, experience and cultural fit. The majority of the top CISO vacancies are conducted in this manner, with employers directly targeting candidates they want. For this reason, many job seekers see only a fraction of positions advertised on the job boards.

Clarifying the CISO Job Description

When I studied most of the vacancies that were posted on job boards, I noticed that companies were not bound to accurately describe the duties of a CISO. The job descriptions often misrepresented the true meaning of a C-suite position. Some required hands-on engineering responsibilities blended with many other skills that are not characteristic of executive leadership positions. Some emphasized program or policy management, governance, compliance or risk, while others specified operations, architecture or engineering without mentioning the true leadership abilities needed to effect change.

Furthermore, a number of organizations are hiring their first CISOs. For a seasoned security executive, this is a red flag to approach with extreme caution or completely avoid. Businesses hiring security leaders for the first time may not comprehend the responsibilities and expectations the job entails. Many times, when a new executive begins instituting controls, complaints emerge and escalate upward. This dynamic carries an unacceptably high risk that the executive’s tenure will be short-lived.

A Resume for Success in the CISO Job Market

A seasoned CISO’s resume must tell a compelling story of achievements backed by concrete metrics that propelled previous employers to new heights. It must exhibit C-suite characteristics, such as vision, strategic thinking, execution, technological skills, team and relationship building, communication, presentation, integrity and change management, that demonstrate leadership abilities.

During the interview process, a CISO must be prepared to answer probing questions, such as:

  • How would you execute your vision of security?
  • How would you influence others and gain executive buy-in for security initiatives?
  • How would you sell security to leadership and the board?
  • How would you identify, prioritize and mitigate risks?
  • How would you ensure that the organization maintains compliance with privacy regulations?
  • What are your thoughts on security convergence, IT reporting structure and organizational culture?
  • What are your greatest achievements, and how did you execute them?
  • What does the CISO role mean to you?
  • How would you describe your leadership style?
  • How would you relate to the CEO and the board of directors?
  • What is your breach prevention and mitigation strategy?
  • What are your thoughts on offensive security?
  • What methods do you use to keep up with the latest security trends and issues?
  • How would you act as the security spokesperson internally and externally?
  • What value will you bring to the organization?

When it’s all said and done, employers sum up candidates based on the overall value they can deliver. The last question is the kicker, analogous to an age-old HR question: Why should the organization hire you? It’s critical to present key traits that separate you from the rest of the pack.
