Contrary to perception, the bulk of skills shortages in cybersecurity are not for entry-level positions but for experienced personnel.
The State of Cybersecurity 2023 report by ISACA, published in October 2023, found that non-entry-level positions outnumber those at entry level by two to one. Around two-thirds of respondents (67%) said it takes at least three months to recruit for experienced roles. The positions hardest to fill require three to five years of experience, according to the Cyber security skills in the UK labour market 2023 government report. This is reflected in the job postings, where 59% request two to six years of experience.
The upshot is that despite a flurry of recruitment drives to funnel in new blood, we can expect to see a severe shortage of skilled personnel in management positions. According to the government report, it’s a situation worsened by the exodus of experienced personnel, with 4,700 leaving the profession every year. But these aren’t just retirees. Gartner recently predicted that nearly half of cybersecurity leaders will change jobs, and a quarter will leave the profession by 2025 due to the stress they endure.
Since regulators now hold senior personnel accountable for negligent cybersecurity practices and non-compliance, stress will also likely intensify. We’ve already seen this play out with the CISO of SolarWinds, Timothy Brown, being charged by the SEC in the US, while the new NIS2 regulations coming into force in 2024 will also see management bodies held directly and personally liable. So, although only 10% of CISOs are concerned about criminal liability as a result of a breach, according to The Global CISO Survey 2023, that’s likely to change rapidly.
At the same time, senior professionals’ workloads are increasing. Threats are becoming more sophisticated, technology is advancing rapidly with Generative AI escalating attack/response, the compliance burden is growing, and yet CIO/CISOs must maintain strategic oversight and focus on security planning, without which cyber maturity will not advance. It’s also more complex than ever for management to gain visibility over the information estate, with no single pane of glass due to a burgeoning cybersecurity stack of solutions.
Three-quarters of CISOs are considering moving companies in the next three years, but the trajectory in terms of a career path can be limited. The Global CISO Survey 2023 found most aspire to become a CSO (41%), and the overwhelming majority want to attain the lofty heights of a position on a company board. But, in reality, only 30% of CISOs sit on a corporate board, and the UK trails in this regard. The Board Monitor US 2023 report finds that only 3% of board-level seats in the UK are filled by people with cybersecurity expertise.
So, how do we stop this brain drain? One alternative model is the virtual CISO (vCISO) offered by MSPs and MSSPs. This effectively provides an on-tap resource (either a team or freelance CISO) that fulfils a similar function to an in-house CISO, for example developing an information security programme and performing risk assessment and management. However, there can be disadvantages, such as lack of accountability, difficulty responding to breaches across multiple clients, and potential lock-in to a monetised service.
CISOs can use AI to take much of the pain out of reporting. That would certainly help alleviate workload pressure. But what is clear is that we need to do more (and do it quickly) to retain our top talent. The industry must focus on reducing stress, recognising efforts and providing a more rewarding career path.
Progress is being made in this regard with the UK Cyber Security Council’s Chartership Standard scheme, which can award three professional titles: Associate, Principal and Chartered. Over 100 applicants have now passed the grade in the two areas of ‘Cyber Security Governance and Risk Management’ and ‘Secure System Architecture and Design’, with other specialisms set to follow, starting with ‘Security Testing’ and ‘Audit and Assurance’.
These titles elevate the cybersecurity profession, accrediting individuals with the same status as in other sectors such as law and accounting. That recognition not only delivers job satisfaction but also provides assurance to those hiring, so it should help advertise and fill senior vacancies.
But we also need to see more support in the workplace. That means elevating the profile of the CISO and having them report directly to the board (currently, only 59% do, and 9% do not present to the board at all, according to the CISO survey) and giving them credit where it is due rather than only putting them under the spotlight when things go wrong. And, of course, supporting them in their professional development so they choose to stay.