The CISO Job Market in 2016: Time to Jump Ship?

“With demand for cybersecurity talent high, supply low, and companies urgently seeking to fill a myriad of positions, compensation is skyrocketing.”Executive Search Review Newsletter

“Every company is a security company.” — “Mitigating the Cybersecurity Skills Shortage

The CISO Job Market in 2016: Red Hot

For CISOs that are even remotely considering switching jobs, the sky appears to be the limit. A quick search of job offers for CISOs returns thousands of results, and there should only be more to come as organizations realize the importance of having a security leader firmly ensconced in the enterprise.

This demand is partly due to organizations globally realizing that cybersecurity risks are now a business issue, and having the right person in the organization is paramount for managing those risks. Naturally, the unprecedented demand for CISOs is also fueling a rapid rise in salaries.

On Jan. 9, 2016, a Forbes article noted that cybersecurity salaries topped $380,000. Just two months later, another article stated that the number had risen to $420,000. Other outlets reported more modest average salaries but acknowledged that CISO salaries did see some of the largest increases of all senior IT staff. As reported by Computerworld’s 2016 IT Salary Survey, they were up 5 percent from 2015 to 2016 to get within $5,000 of the CIO salary averages.

But Who’s Chasing Who?

CISOs may think they’ve been chasing a new job, but perhaps it’s the other way around. Data reported by CSO Online confirmed what those in the field have experienced: Even though only about 50 percent of security pros are thinking about a new job — whether actively pursuing it or passively being open to the idea — nearly 75 percent have been approached by a recruiter or recruiting organization.

Regardless of who was chasing whom, the next step is to determine if you’re ready for the role.

Are You Qualified for Your New Role?

For those looking to become CISOs for the first time — or those currently in a CISO role but considering a switch — it wouldn’t hurt to have a reality check about:

  • The value that you have brought your current employer;
  • The sum of your knowledge and experience and how that makes you unique — and presumably better than the rest of the CISO candidates. In other words, you should be ready to address how you’ve prepared for your new role as a security executive or a cyber risk executive; and
  • The value that you can bring your prospective new employer — which implies that you’re also doing some good research about each new employer prior to agreeing to be interviewed.

A SilverBull article about CISO jobs and salaries provided a good list of soft skills that those looking into the CISO job market should be able to demonstrate. The top skills were:

  • Critical thinking and problem-solving;
  • Excellent written and verbal communication skills;
  • Proven ability to influence and direct others;
  • Excellent leadership abilities; and
  • Integrity and confidentiality when handling customer and employee data.

Since the CISO job is becoming one that frequently interacts with the rest of the C-suite as well as boards of directors, applicants should also be ready for the questions the top leadership might ask of them. Cisco’s “Mitigating the Cybersecurity Skills Shortage” report agreed, stating, “CISOs must be able to frame the discussion in a strategic way that clearly communicates the potential impact of a data breach on stock price, customer loyalty, customer acquisition and the brand.”

Making the Leap

Before connecting with recruiters in search of your next professional opportunity, you may want to reflect on whether you are ready to be a risk leader and whether you’ve been making regular investments in the professional development of your leadership qualities. Ultimately, the CISOs that are most likely to command premium salaries are those that have spent years or even decades establishing a reputation that transcends their current employer.

Where does that leave the rest of us? While you may not consider yourself a thought leader just yet, it is not too late to start investing in yourself, your professional development and the professional development of your subordinates. Whether you jump ship now or later, investing in yourself and others will pay off both in the short term and over your career.

Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato...