Survey: Understanding Trends and the Cybersecurity Skills Gap

EC-Council recently surveyed its pool of Certified CISOs to discover what is important to information security executives in four categories: hiring their teams, current and past employment, looking for a job, and career success.

First, the survey collected basic geographic and industry demographic data, which is important to keep in mind when interpreting the results from other categories. Represented in the survey were the following regions:

  • South America: 5.6%
  • Europe: 16.7%
  • Asia: 16.7%
  • Middle East: 16.8%
  • USA: 38.9%
  • Africa: 5.6%

As for industries represented in the survey, there was quite a diverse range:

  • Banking, finance, insurance: 33.3%
  • Consultancy or business services: 11.1%
  • Government, public service, military: 22.2%
  • IT: 11.1%
  • Manufacturing or construction: 11.1%
  • Transportation, utility, telecommunication: 11.1%

The last area of demographics collected was the CCISOs' current level within their companies:

What level is your current position?

  • C-Level, VP, SVP, etc.: 23.5%
  • Consultant: 29.4%
  • Director: 35.3%
  • Manager: 11.8%

The first section of questions dealt with how CCISOs hire new employees for their teams. This section is important because it highlights the challenges that managers, directors, and C-Level executives have when it comes to filling their teams. EC-Council was interested in determining where these leaders are feeling the known information security skills gap the most. The results point to some interesting conclusions. First, the leaders were asked how many job openings on their teams they are currently looking to fill. Over 57% of them reported they had between 1-5 job openings currently available. Another 31% have over 5 job opportunities, with one survey respondent reporting 300 jobs needing SOC analysts!

How many information security positions are you currently looking to fill with new hires?

  • Zero: 5.3%
  • 1 to 3: 47.4%
  • 3 to 5: 10.5%
  • I don’t make hiring decisions: 5.3%
  • Over 5: 31.6%

The next question asked how many jobs had already been filled in the current year, finding that most leaders had only filled between 1 and 3 jobs.

How many information security positions have you filled in the last year?

  • Zero: 6.3%
  • 1 to 3: 50.0%
  • 3 to 5: 6.3%
  • Over 5: 37.5%

When asked which jobs are the hardest to fill with qualified candidates, the CCISOs reported a range of problem areas, with the most popular job being Security Analyst, which 31.3% of respondents pegged as the most difficult to fill.

What position is the most difficult to hire due to a lack of skilled candidates?

  • CISO, Director of Information Security, CSO: 18.8%
  • Computer Forensics Investigator or Forensic Analyst: 12.5%
  • Consultant: 6.3%
  • Information Security Manager: 6.3%
  • Penetration Tester: 18.8%
  • Security Analyst: 31.3%
  • Security Architect: 6.3%

The next subsection of the survey dealt with what is most important to infosec leaders when deciding whom to hire. The results point to many different facets of a resume all being crucial to landing an information security job. The most important, however, is finding a good personality fit for the culture or the team, with 81.3% of CCISOs rating that quality as either extremely or very important. Limiting hires to people with specific personality traits can be troubling, as studies have shown managers tend to hire people with their own personality traits, leading to teams without diversity in point of view or other areas. Conversely, it’s easy to understand why looking for a good fit for a team can lead to better cohesion. As long as hiring practices are fair and open-minded, hiring based on cultural fit can be a good option.

The next highest rated characteristic for a job-hopeful to have is experience that exactly matches the job, with 62.5% reporting this as either extremely or very important. Requiring experience that exactly matches the job has been flagged as problematic by industry experts over the years for the simple reason that it is difficult to gain experience in a particular role when all the jobs available for that role require previous experience exactly matching what the employee will be doing. This means that companies are trying to lure employees to make lateral moves with better salaries and benefits. No security leader has an endless budget, so it might make better fiscal sense to find new hires that show potential or whose previous roles and certifications make them good candidates to grow into new roles, for potentially smaller salaries.

However, it is easy to understand why leaders might want turnkey solutions to their problems. It takes time to train new employees, even those who have the exact experience needed for a new role. When an employee has to learn both new skills and a new company, reaching independence in their work will take significantly longer. This may point to an opportunity in the industry for education providers to offer customized solutions to help teams overcome this obstacle and hire for potential rather than for specific experience.

Other top finishers for candidate qualifications were relevant certifications and years of experience, each with 56.3% of respondents finding those qualities extremely or very important.

How important is experience that exactly matches the job in hiring decisions?

  • Extremely important: 43.8%
  • Important: 37.5%
  • Very important: 18.8%

How important is personality fit with culture/team when making hiring decisions?

  • Extremely important: 50.0%
  • Important: 12.5%
  • Very important: 31.3%
  • Somewhat important: 6.3%

How important are relevant industry certifications when making hiring decisions?

  • Extremely important: 12.5%
  • Important: 31.3%
  • Very important: 43.8%
  • Somewhat important: 12.5%

How important is years of experience when making hiring decisions?

  • Extremely important: 12.5%
  • Important: 18.8%
  • Very important: 43.8%
  • Somewhat important: 25.0%

The second main section of the survey dealt with the current and past employment and salaries of the leaders themselves.

When asked how long they had been in their current role, most respondents reported only 1-5 years of tenure at their current organization. This fits the common wisdom in the industry that CISOs tend to change jobs every 18 months. It was interesting, however, to see that over 23% of CCISOs have actually been in their jobs for over 10 years, showing the maturity of the information security market.

How long have you been in your current role?

  • Less than one year: 11.8%
  • 1 – 5 years: 41.2%
  • Over 5 years: 23.5%
  • Over 10 years: 23.5%

The next question dealt with salaries. All salaries have been converted to US dollars for the sake of comparison. Very few CCISOs earn less than $75,000 per year, with most making between $150,001 – $200,000. EC-Council expects salaries to grow for security leaders every year that they continue this survey.

In what range is your current salary in USD?

  • Less than $75,000: 6.3%
  • $75,001 – $100,000: 6.3%
  • $100,001 – $150,000: 31.3%
  • $150,001 – $200,000: 37.5%
  • Over $200,000: 18.8%

The third section of the survey dealt with how CCISOs go about finding new jobs. Asking about a number of aspects of a new job, the survey found that CCISOs value the culture of an organization and the compensation package on offer, with 82.4% of respondents rating these things as extremely or very important. In second place was having an alignment in the vision for the security program with the organization, with 76.5% of CCISOs finding this extremely or very important. Coming in just behind alignment of security vision was the work/life balance offered by the organization, with 75% of the survey participants rating it as extremely or very important. The rest of the results can be found below:

When looking for a new job, how important is an adequate budget for the security program?

  • Important: 29.4%
  • Very important: 41.2%
  • Extremely important: 29.4%

When looking for a new job, how important is alignment in vision for security?

  • Important: 23.5%
  • Very important: 29.4%
  • Extremely important: 47.1%

When looking for a new job, how important is the culture of the organization?

  • Important: 17.6%
  • Very important: 35.3%
  • Extremely important: 47.1%

When looking for a new job, how important is the number of direct reports you will have?

  • Not at all important: 5.9%
  • Somewhat important: 23.5%
  • Important: 52.9%
  • Very important: 5.9%
  • Extremely important: 11.8%

When looking for a new job, how important is the prestige of company/organization?

  • Not at all important: 6.3%
  • Somewhat important: 18.8%
  • Important: 25.0%
  • Very important: 18.8%
  • Extremely important: 31.3%

When looking for a new job, how important is compensation including salary, signing bonus, stock options, etc.?

  • Important: 17.6%
  • Very important: 17.6%
  • Extremely important: 64.7%

When looking for a new job, how important is the title?

  • Somewhat important: 20.0%
  • Important: 20.0%
  • Very important: 46.7%
  • Extremely important: 13.3%

When looking for a new job, how important is to whom you will report (CIO, CEO, CFO, etc.)?

  • Somewhat important: 5.9%
  • Important: 23.5%
  • Very important: 35.3%
  • Extremely important: 35.3%

When looking for a new job, how important is work/life balance?

  • Somewhat important: 6.3%
  • Important: 18.8%
  • Very important: 43.8%
  • Extremely important: 31.3%

When looking for a new job, how important is the opportunity for advancement?

  • Not at all important: 10.5%
  • Somewhat important: 5.3%
  • Important: 26.3%
  • Very important: 31.6%
  • Extremely important: 26.3%

The final section of the survey asked CCISOs about the factors that contributed the most to their success. The overwhelming winner for this category was networking. 83.3% of respondents said that networking was very or extremely important to the success of their careers. It’s easy to understand why there are so many information security conferences around the world with results like these. Cultivating relationships, sharing information, and increasing their spheres of influence are all things that can be done at conferences. The second key to CCISOs’ success is education, with 58.8% of respondents saying their college or university educations have been extremely or very important to their success. The rest of the categories can be found below:

How important has earning industry certifications been to the success of your career?

  • Not at all important: 27.8%
  • Somewhat important: 5.6%
  • Important: 27.8%
  • Very important: 27.8%
  • Extremely important: 11.1%

How important has college/university education been to the success of your career?

  • Not at all important: 17.6%
  • Somewhat important: 5.9%
  • Important: 17.6%
  • Very important: 35.3%
  • Extremely important: 23.5%

How important has effective networking been to the success of your career?

  • Not at all important: 5.6%
  • Important: 11.1%
  • Very important: 50.0%
  • Extremely important: 33.3%

How important have executive recruiting services been to the success of your career?

  • Not at all important: 23.5%
  • Somewhat important: 35.3%
  • Important: 23.5%
  • Very important: 11.8%
  • Extremely important: 5.9%

How important have executive recruiting services been to the success of your career?

  • Not at all important: 23.5%
  • Somewhat important: 17.6%
  • Important: 64.7%
  • Very important: 11.8%
  • Extremely important: 5.9%

How important has mentorship been to the success of your career?

  • Not at all important: 5.6%
  • Somewhat important: 22.2%
  • Important: 22.2%
  • Very important: 33.3%
  • Extremely important: 16.7%

Conclusion

The skill gap in the cybersecurity industry spans all levels, from CISOs to security analysts. It appears that the shortage of skilled professionals is not a problem that will be solved in the conceivable future. Most CISOs have several job openings yet to be filled, and CISOs and the others involved in the recruiting process are looking for prospects with relevant certifications and experience. A major hurdle in the recruitment process is finding the right fit in culture, personality, and experience that matches the job.

Another key finding was that most infosec professionals were holding onto their seats for years, with several CCISOs serving in the same position for almost a decade. The reasons cited for this were work culture, pay scale, the organization’s approach towards security, and work/life balance. For most infosec experts, networking is one of the key components of their success. Several respondents also felt mentorship and earning industry certifications were crucial for success.